Hash: SHA1

                         AUSCERT Security Bulletin

         A number of vulnerabilities have been identified in Xymon
                             12 February 2016


        AusCERT Security Bulletin Summary

Product:              Xymon
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Denial of Service               -- Remote/Unauthenticated      
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-2058 CVE-2016-2057 CVE-2016-2056
                      CVE-2016-2055 CVE-2016-2054 
Member content until: Sunday, March 13 2016


        A number of vulnerabilities have been identified in all versions of
        Xymon 4.3.x prior to 4.3.25, as well as the obsolete 4.1.x and 4.2.x
        versions. [1]


        The vendor has provided the following information about the 
        "* CVE-2016-2054: Buffer overflow in xymond handling of "config" 
        command: The xymond daemon performs an unchecked copying of a 
        user-supplied filename to a fixed-size buffer when handling a 
        "config" command. This may be used to trigger a buffer overflow in 
        xymond, possibly resulting in remote code execution and/or denial of
        service of the Xymon monitoring system. This code will run with the
        privileges of the xymon userid.
        This bug may be triggered by anyone with network access to the 
        xymond service on port 1984, unless access has been restricted with
        the "--status-senders" option (a non-default configuration).
        This bug has been patched in Xymon 4.3.25.
        * CVE-2016-2055: Access to possibly confidential files in the Xymon
        configuration directory: The xymond daemon will allow anyone with 
        network access to the xymond network port (1984) to download 
        configuration files in the Xymon "etc" directory. In a default 
        installation, the Apache htaccess file "xymonpasswd" controlling 
        access to the administrator webpages is installed in this directory
        and is therefore available for download. The passwords in the file 
        are hashed, but may then be brute-forced off-line.
        This bug may be triggered by anyone with network access to the 
        xymond service on port 1984, unless access has been restricted with
        the "--status-senders" option (a non-default configuration).
        Administrators of existing installations should ensure that the 
        xymonpasswd file is not readable by the userid running the xymond 
        daemon. Permissions should be: Owner=webserver UID, group=webserver
        GID, mode rw-rw--- (600). This will be the default configuration 
        starting with Xymon 4.3.25. In addition, the "config" command will 
        only allow access to regular files. By default, only files ending in
        ".cfg" may be directly retrieved, although this can be overridden by
        the administrator, and config files may include other files and 
        directories using existing directives.
        Alternatively, the file may be moved to a location outside the Xymon
        configuration directory. The Xymon cgioptions.cfg file must then be
        edited so CGI_USERADM_OPTS and CGI_CHPASSWD_OPTS include 
        * CVE-2016-2056: Shell command injection in the "useradm" and 
        "chpasswd" web applications: The useradm and chpasswd web 
        applications may be used to administer passwords for user 
        authentication in Xymon, acting as a web frontend to the Apache 
        "htpasswd" application. The htpasswd command is invoked via a shell
        command, and it is therefore possible to inject arbitrary commands 
        and have them executed with the privileges of the webserver (CGI) 
        This bug can only be triggered by web users with access to the Xymon
        webpages, who are already authenticated as Xymon users. However, 
        when combined with CVE-2016-xxxx which allows for off-line cracking
        of password hashes, this bug may be exploitable by others.
        This bug has been patched in Xymon 4.3.25.
        * CVE-2016-2057: Incorrect permissions on IPC queues used by the 
        xymond daemon can bypass IP access filtering: An IPC message queue 
        used by the xymon daemon is created with world-write permissions, 
        allowing a local user on the Xymon master server to inject all types
        of messages into Xymon, bypassing any IP-based access controls.
        Exploitation of this bug requires local access to the Xymon master 
        This bug has been patched in Xymon 4.3.25.
        * CVE-2016-2058: Javascript injection in "detailed status webpage" 
        of monitoring items: A status-message sent from a Xymon client may 
        contain any data, including HTML, which will be included on the 
        "detailed status" page available via the Xymon status webinterface.
        A malicious user may send a status message containing custom 
        Javascript code, which will then be rendered in the browser of the 
        user viewing the status page.
        Exploitation of this bug requires that you can control the contents
        of a status message sent to Xymon, which is possible if you control
        one of the servers monitored by Xymon, or the Xymon master server. 
        Also, the bug requires a user to actually view the "detailed status"
        This bug has been patched in Xymon 4.3.25 by including a 
        "Content-Security-Policy" HTTP header in the response sent to the 
        browser. This means that older browsers may still be vulnerable to 
        this issue.
        * CVE-2016-2058: XSS vulnerability via malformed acknowledgment 
        messages: (Note that this uses the same CVE id as the Javascript 
        injection issue) The message sent by a user to indicate 
        acknowledgment of an alert is not HTML-escaped before being 
        displayed on the status webpage, which may be used to trigger a 
        cross-site scripting vulnerability.
        Exploitation of this bug requires that the attacker is able to 
        acknowledge an alert status. This requires user-authenticated access
        to the Xymon webpages, or that the user receives a message (usually
        via e-mail) containing the authentication token for the 
        This bug has been patched in Xymon 4.3.25." [1]


        The vendor recommends updating to the latest version. [1]


        [1] [Xymon] Xymon 4.3.25 - Important Security Update

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967