-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin ASB-2013.0008
          Multiple vulnerabilities have been fixed in Nagios Core
                              17 January 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Nagios Core
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-6096
Member content until: Saturday, February 16 2013

OVERVIEW

        An update has been released to fix a vulnerability in versions of
        the Nagios Core network monitoring package prior to 3.4.4. [1]

IMPACT

        The following details have been provided by Neohapsis regarding the
        vulnerability:

        "history.cgi is vulnerable to a buffer overflow due to the use of
        sprintf with user supplied data that has not been restricted in
        size. This vulnerability does not appear to be exploitable on the
        majority of systems (due to stack cookies, the NX bit, etc)." [2]

        This vulnerability has been assigned CVE-2012-6096. Under certain
        circumstances it may lead to remote command execution. [3]

        A segmentation fault on Solaris and other bugs have been fixed in
        Nagios Core 3.4.4. [4]

MITIGATION

        The vendor recommends updating Nagios to the latest version to
        correct the issue. [1]
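The class of defect quoted above is a fixed-size buffer filled by sprintf from a request parameter whose length was never checked. The following C snippet is an added illustration written for this bulletin; it is not code from Nagios, from Neohapsis or from AusCERT, and the function names, the 64-byte buffer and the "host=" format string are assumptions chosen only to show the pattern. It contrasts the unbounded sprintf (left as a comment) with a bounded snprintf whose return value is checked so that over-long input is rejected rather than silently truncated or written past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of a fixed stack buffer a CGI handler might use. */
#define HOST_BUF_LEN 64

/*
 * Hypothetical helper (not from Nagios): format a user-supplied host name
 * into a fixed-size buffer without ever writing past its end.
 * Returns 0 on success and -1 when the input would not fit.
 *
 * The unsafe pattern the advisory describes would be:
 *     sprintf(out, "host=%s", host);
 * which writes as many bytes as 'host' is long, regardless of out_len.
 */
int format_host_query(char *out, size_t out_len, const char *host)
{
    /* snprintf never writes more than out_len bytes, and its return value
     * is the length the full output *would* have had. */
    int n = snprintf(out, out_len, "host=%s", host);
    if (n < 0 || (size_t)n >= out_len) {
        /* Output was truncated (or formatting failed): do not hand a
         * partial value downstream, report the rejection instead. */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Returns 0 if 'host' fits the fixed buffer, -1 if it was rejected. */
int host_fits(const char *host)
{
    char buf[HOST_BUF_LEN];
    return format_host_query(buf, sizeof buf, host);
}

/* Returns 1 if 'host' is accepted and the formatted result equals 'expected'. */
int formatted_equals(const char *host, const char *expected)
{
    char buf[HOST_BUF_LEN];
    if (format_host_query(buf, sizeof buf, host) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Builds a constructed host name of 'len' letters (max 255) and reports
 * whether it is accepted; used to probe the exact boundary. */
int host_of_length_fits(size_t len)
{
    char host[256];
    if (len >= sizeof host)
        return -1;
    memset(host, 'A', len);
    host[len] = '\0';
    return host_fits(host);
}

int main(void)
{
    /* "host=" is 5 bytes, so 58 letters fill the buffer exactly (63 + NUL)
     * and 59 letters are one byte too many. */
    printf("localhost accepted: %s\n", host_fits("localhost") == 0 ? "yes" : "no");
    printf("58-char host accepted: %s\n", host_of_length_fits(58) == 0 ? "yes" : "no");
    printf("59-char host accepted: %s\n", host_of_length_fits(59) == 0 ? "yes" : "no");
    return 0;
}
```

The check on snprintf's return value is the part that matters for defenders reviewing similar code: replacing sprintf with snprintf alone stops the overflow, but without the length check the handler would continue with a silently truncated value.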
REFERENCES

        [1] Nagios Core 3.4.4 Released
            http://www.nagios.org/news/77-news-announcements/346-nagios-core-344-released

        [2] Nagios Core 3.4.3: Stack based buffer overflow in web interface
            http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html

        [3] CVE - CVE-2012-6096
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6096

        [4] Nagios Core 3.x Version History
            http://www.nagios.org/projects/nagioscore/history/core-3x

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for member
                emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUPd5VO4yVqjM2NGpAQJ9Rw//djDgg91QQDhdON7ZL1vSUgneHT6CHlR3
f4/dANssiVoRlsfgGuTiXuQrCTUCeBWKyNJDa+TuWkNTl4IbUT/5k4c8OvbOoG1B
tFYXQxr5xQ7oq4s+Nhb6yvJZBstMf3gs2FBM9XvtM3MjVbB/VWGlzNVuBJ0mOsJP
5HQh0Q/XIFNwKY5Nl/M5ZdCUFgSAXUbwk6iG0QGbAZuOXce3u4US+3mUdIvdb8LH
THcSj5OuAxwrtRU+VtOQgAlHlxen2XMVjzYLeZ1oJK1oblpH9UvkfXA9IQT+5Mu/
wsstEMYPMgdwLehTKmXLHIsNpFnIOqa0PU9egukDqzdnH8aWt4QFB4Hi0jd8J+db
IRwgsNIQFcQt3XeZw1aGNCAcmCkYG6RV7/rDdxAR1j66mB8BoDflY7ApU4dgkbS0
p+kmXRm0qWPZFzWeUNGdhx2ldmfQnsHaaoGDd9GK3iE3pOghzs/KMr34zixTso4b
ogCJdUtHXW3nTOqQ6pVt6xSk7VfMCThzANCF6oPf0sjiG+p0D8Nk3sgwtwboLTUY
INP6RJpbmt4qEMgOTlqP1y4bRtiXLEAvHBXBL/LSqXD4eJkN9Kc7qqAhkigZuFfx
q+cNuc9MUA+Uv1bojD0Wm6AWfSoAIkejVaWUf2sghyCjba6hlCpsJ2J7YE26mJcj
tiSEoOMGTZ0=
=fmom
-----END PGP SIGNATURE-----