Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 486696 (CVE-2013-5572) - <net-analyzer/zabbix-2.0.9_rc1-r2: password leakage (CVE-2013-{5572,5743})
Summary: <net-analyzer/zabbix-2.0.9_rc1-r2: password leakage (CVE-2013-{5572,5743})
Status: RESOLVED FIXED
Alias: CVE-2013-5572
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Keywords:
: 488288 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-10-01 19:03 UTC by Agostino Sarubbo
Modified: 2013-11-25 17:53 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-10-01 19:03:19 UTC
From ${URL} :

Zabbix, a network management system application designed to monitor and track the status of various 
network services, is found to have a vulnerability that could lead to password leakage.

Once the user is able to open a console session in zabbix, he can access the tab where various 
users of the system are displayed. An impersonated user can view the application source code, and 
could find the password that interacts zabbix, for eg, with a domain controller.

The field that should be looked for in the source code of the website is:
   type = "password" id = "ldap_bind_password" name = "ldap_bind_password" value = <password>.

And also if the user requests to refresh the web page, the browser asks the user to store or cache 
the password, which could also lead to password leakage.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Matthew Marlowe gentoo-dev 2013-10-02 00:15:06 UTC
Not sure how big of an issue this vulnerability is.....I think upstream has been working on a security issue and this may be related...we'll see if they release a patch or bump for it.

Upstream info that I see:

This security problem is actual only for zabbix-super-administrator user accounts.

When this is considered as a problem:
for example I have several zabbix-super-admins but they should not know the LDAP bind pass.

Goal:
any zabbix-super-admins which doesn't own the password - should not be able to know it (we suppose that they don't have direct shell access to Apache/DB server)

Possible solution:
For example you typed new "bind password" and pressed the Save button. The new password will be send to Apache and if it's correct it will be stored in the database (as it is currently).
Reloaded page will not contain any value in the "bind password" box and source HTML code.

I'm not sure, but maybe it would worth to show some grayed default text in the box, like "Password stored into DB, type new password if required." if the password is not empty in the DB.
This default text will help a bit after a user has enabled the LDAP auth.
If locate a mouse cursor into the box then the default text will disappear (we have already such approach in some places in zabbix frontend).
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-02 03:40:46 UTC
CVE-2013-5572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5572):
  Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind
  password by leveraging management-console access and reading the
  ldap_bind_password value in the HTML source code.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-02 03:42:11 UTC
NVD says this only affects 2.0.5, not in tree. @maintainers: think we're okay to close?
Comment 4 Agostino Sarubbo gentoo-dev 2013-10-02 06:30:04 UTC
(In reply to Chris Reffett from comment #3)
> NVD says this only affects 2.0.5, not in tree. @maintainers: think we're
> okay to close?

No. https://support.zabbix.com/browse/ZBX-6721
Comment 5 Matthew Marlowe gentoo-dev 2013-10-02 19:50:34 UTC
Spoke with upstream...confirmed this is a legitimate issue, upstream has just released 2.0.9rc1 with fix.

Details:  https://support.zabbix.com/browse/ZBX-7091

Also: http://www.zabbix.com/rn2.0.9rc1.php
Comment 6 Matthew Marlowe gentoo-dev 2013-10-02 20:15:01 UTC
2.0.9rc1 in cvs, no keywords temporarily while I test.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2013-10-02 21:34:20 UTC
Matthew, once you are done testing and ready for stabilization please CC arches and ask for stabilization.

Whiteboard move to <stable?>
Comment 8 Matthew Marlowe gentoo-dev 2013-10-03 08:19:59 UTC
Maintainer testing successful for 2.09rc1_r2 bump which is in CVS now with ~amd64 and ~x86 keywords.

Suggest 24hr wait to see if there are user reported issues before marking stablereq for x86/amd64 arches.
Comment 9 Matthew Marlowe gentoo-dev 2013-10-03 22:13:27 UTC
stablereq time...there are minimal differences between old stable and new, no bugs since committing bump(~1 day), tested fine on my system, and bump is supposed to fix security issues.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2013-10-04 03:25:19 UTC
Arches, please test and mark stable: 

=net-analyzer/zabbix-2.0.9_rc1-r2

Target keywords : "amd64 x86"
Comment 11 Agostino Sarubbo gentoo-dev 2013-10-05 10:37:01 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-10-13 10:32:06 UTC
x86 stable
Comment 13 Matthew Marlowe gentoo-dev 2013-10-14 15:54:25 UTC
Looks like all arches have stabilized.
Removed older stable ebuild impacted by CVE.
Security team - up to you to decide on GLSA.  Please clean up old lingering security bugs for Zabbix when doing so - about 4+ older bugs.
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-14 23:12:31 UTC
(In reply to Matthew Marlowe from comment #13)
> Looks like all arches have stabilized.
> Removed older stable ebuild impacted by CVE.
> Security team - up to you to decide on GLSA.  Please clean up old lingering
> security bugs for Zabbix when doing so - about 4+ older bugs.

Thanks for the cleaning up the old vulnerable versions. GLSA has already been created and is ready for review. The old security bugs will be closed when the GLSA is sent.
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-17 13:37:23 UTC
*** Bug 488288 has been marked as a duplicate of this bug. ***
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-11-25 17:53:55 UTC
This issue was resolved and addressed in
 GLSA 201311-15 at http://security.gentoo.org/glsa/glsa-201311-15.xml
by GLSA coordinator Sergey Popov (pinkbyte).