===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0011
         A number of vulnerabilities have been identified in Xymon
                             12 February 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Xymon
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Denial of Service               -- Remote/Unauthenticated      
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-2058 CVE-2016-2057 CVE-2016-2056
                      CVE-2016-2055 CVE-2016-2054 
Member content until: Sunday, March 13 2016

OVERVIEW

        A number of vulnerabilities have been identified in all versions of
        Xymon 4.3.x prior to 4.3.25, as well as the obsolete 4.1.x and 4.2.x
        versions. [1]


IMPACT

        The vendor has provided the following information about the 
        vulnerabilities:
        
        "* CVE-2016-2054: Buffer overflow in xymond handling of "config" 
        command: The xymond daemon performs an unchecked copying of a 
        user-supplied filename to a fixed-size buffer when handling a 
        "config" command. This may be used to trigger a buffer overflow in 
        xymond, possibly resulting in remote code execution and/or denial of
        service of the Xymon monitoring system. This code will run with the
        privileges of the xymon userid.
        
        This bug may be triggered by anyone with network access to the 
        xymond service on port 1984, unless access has been restricted with
        the "--status-senders" option (a non-default configuration).
        
        This bug has been patched in Xymon 4.3.25.
        
        * CVE-2016-2055: Access to possibly confidential files in the Xymon
        configuration directory: The xymond daemon will allow anyone with 
        network access to the xymond network port (1984) to download 
        configuration files in the Xymon "etc" directory. In a default 
        installation, the Apache htaccess file "xymonpasswd" controlling 
        access to the administrator webpages is installed in this directory
        and is therefore available for download. The passwords in the file 
        are hashed, but may then be brute-forced off-line.
        
        This bug may be triggered by anyone with network access to the 
        xymond service on port 1984, unless access has been restricted with
        the "--status-senders" option (a non-default configuration).
        
        Administrators of existing installations should ensure that the 
        xymonpasswd file is not readable by the userid running the xymond 
        daemon. Permissions should be: Owner=webserver UID, group=webserver
        GID, mode rw-rw--- (600). This will be the default configuration 
        starting with Xymon 4.3.25. In addition, the "config" command will 
        only allow access to regular files. By default, only files ending in
        ".cfg" may be directly retrieved, although this can be overridden by
        the administrator, and config files may include other files and 
        directories using existing directives.
        
        Alternatively, the file may be moved to a location outside the Xymon
        configuration directory. The Xymon cgioptions.cfg file must then be
        edited so CGI_USERADM_OPTS and CGI_CHPASSWD_OPTS include 
        "--passwdfile=FILENAME".
        
        * CVE-2016-2056: Shell command injection in the "useradm" and 
        "chpasswd" web applications: The useradm and chpasswd web 
        applications may be used to administer passwords for user 
        authentication in Xymon, acting as a web frontend to the Apache 
        "htpasswd" application. The htpasswd command is invoked via a shell
        command, and it is therefore possible to inject arbitrary commands 
        and have them executed with the privileges of the webserver (CGI) 
        user.
        
        This bug can only be triggered by web users with access to the Xymon
        webpages, who are already authenticated as Xymon users. However, 
        when combined with CVE-2016-xxxx which allows for off-line cracking
        of password hashes, this bug may be exploitable by others.
        
        This bug has been patched in Xymon 4.3.25.
        
        * CVE-2016-2057: Incorrect permissions on IPC queues used by the 
        xymond daemon can bypass IP access filtering: An IPC message queue 
        used by the xymon daemon is created with world-write permissions, 
        allowing a local user on the Xymon master server to inject all types
        of messages into Xymon, bypassing any IP-based access controls.
        
        Exploitation of this bug requires local access to the Xymon master 
        server.
        
        This bug has been patched in Xymon 4.3.25.
        
        * CVE-2016-2058: Javascript injection in "detailed status webpage" 
        of monitoring items: A status-message sent from a Xymon client may 
        contain any data, including HTML, which will be included on the 
        "detailed status" page available via the Xymon status web interface.
        A malicious user may send a status message containing custom 
        Javascript code, which will then be rendered in the browser of the 
        user viewing the status page.
        
        Exploitation of this bug requires that you can control the contents
        of a status message sent to Xymon, which is possible if you control
        one of the servers monitored by Xymon, or the Xymon master server. 
        Also, the bug requires a user to actually view the "detailed status"
        webpage.
        
        This bug has been patched in Xymon 4.3.25 by including a 
        "Content-Security-Policy" HTTP header in the response sent to the 
        browser. This means that older browsers may still be vulnerable to 
        this issue.
        
        * CVE-2016-2058: XSS vulnerability via malformed acknowledgment 
        messages: (Note that this uses the same CVE id as the Javascript 
        injection issue) The message sent by a user to indicate 
        acknowledgment of an alert is not HTML-escaped before being 
        displayed on the status webpage, which may be used to trigger a 
        cross-site scripting vulnerability.
        
        Exploitation of this bug requires that the attacker is able to 
        acknowledge an alert status. This requires user-authenticated access
        to the Xymon webpages, or that the user receives a message (usually
        via e-mail) containing the authentication token for the 
        acknowledgment.
        
        This bug has been patched in Xymon 4.3.25." [1]

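
        For CVE-2016-2056 the root cause named by the vendor is that htpasswd
        is run through a shell command line built from web input. The added
        illustration below (again not Xymon's code) shows the usual remedy:
        pass the arguments as an argv array to execv() so no shell ever
        parses them, and restrict the username so it can never be read by
        htpasswd as an option. The htpasswd path, the 64-character limit
        and the allowed character set are assumptions.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical replacement (not Xymon's code) for a CGI that updates an
 * htpasswd file. No shell is involved: the arguments go straight to
 * execv(), so shell metacharacters in the input are just bytes. */
#define HTPASSWD_BIN "/usr/bin/htpasswd"   /* assumed location */

/* Conservative username charset; a leading '-' is refused so the name
 * cannot be parsed by htpasswd as an option. Returns 1 if acceptable. */
int username_ok(const char *user)
{
    size_t i, len = strlen(user);
    if (len == 0 || len > 64 || user[0] == '-') return 0;
    for (i = 0; i < len; i++) {
        char c = user[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run htpasswd without a shell. -b takes the password as an argument (it is
 * then visible in the process list; htpasswd's -i, reading it from stdin,
 * is preferable where supported). -B selects bcrypt, which slows the
 * off-line cracking the advisory warns about. Returns htpasswd's exit
 * status, or -1 if the request was refused or the exec failed. */
int htpasswd_set(const char *passwdfile, const char *user, const char *password)
{
    pid_t pid;
    int status;
    if (!username_ok(user) || strchr(password, '\n') != NULL) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* child: argv is passed verbatim, no word splitting or expansion */
        char *const argv[] = { HTPASSWD_BIN, "-b", "-B", (char *)passwdfile,
                               (char *)user, (char *)password, NULL };
        execv(HTPASSWD_BIN, argv);
        _exit(127);                                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```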

MITIGATION

        The vendor recommends updating to the latest version. [1]


REFERENCES

        [1] [Xymon] Xymon 4.3.25 - Important Security Update
            http://lists.xymon.com/pipermail/xymon/2016-February/042986.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================