-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                  AUSCERT Security Bulletin ASB-2016.0011
          A number of vulnerabilities have been identified in Xymon
                              12 February 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xymon
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2058 CVE-2016-2057 CVE-2016-2056 CVE-2016-2055
                   CVE-2016-2054

Member content until: Sunday, March 13 2016

OVERVIEW

A number of vulnerabilities have been identified in all versions of Xymon
4.3.x prior to 4.3.25, as well as the obsolete 4.1.x and 4.2.x versions. [1]

IMPACT

The vendor has provided the following information about the vulnerabilities:

"* CVE-2016-2054: Buffer overflow in xymond handling of "config" command:

The xymond daemon performs an unchecked copying of a user-supplied filename
to a fixed-size buffer when handling a "config" command. This may be used to
trigger a buffer overflow in xymond, possibly resulting in remote code
execution and/or denial of service of the Xymon monitoring system. This code
will run with the privileges of the xymon userid.

This bug may be triggered by anyone with network access to the xymond service
on port 1984, unless access has been restricted with the "--status-senders"
option (a non-default configuration).

This bug has been patched in Xymon 4.3.25.

* CVE-2016-2055: Access to possibly confidential files in the Xymon
configuration directory:

The xymond daemon will allow anyone with network access to the xymond network
port (1984) to download configuration files in the Xymon "etc" directory. In
a default installation, the Apache htaccess file "xymonpasswd" controlling
access to the administrator webpages is installed in this directory and is
therefore available for download. The passwords in the file are hashed, but
may then be brute-forced off-line.

This bug may be triggered by anyone with network access to the xymond service
on port 1984, unless access has been restricted with the "--status-senders"
option (a non-default configuration).

Administrators of existing installations should ensure that the xymonpasswd
file is not readable by the userid running the xymond daemon. Permissions
should be: Owner=webserver UID, group=webserver GID, mode rw-rw--- (600).
This will be the default configuration starting with Xymon 4.3.25. In
addition, the "config" command will only allow access to regular files. By
default, only files ending in ".cfg" may be directly retrieved, although this
can be overridden by the administrator, and config files may include other
files and directories using existing directives.

Alternatively, the file may be moved to a location outside the Xymon
configuration directory. The Xymon cgioptions.cfg file must then be edited so
CGI_USERADM_OPTS and CGI_CHPASSWD_OPTS include "--passwdfile=FILENAME".

* CVE-2016-2056: Shell command injection in the "useradm" and "chpasswd" web
applications:

The useradm and chpasswd web applications may be used to administer passwords
for user authentication in Xymon, acting as a web frontend to the Apache
"htpasswd" application. The htpasswd command is invoked via a shell command,
and it is therefore possible to inject arbitrary commands and have them
executed with the privileges of the webserver (CGI) user.

This bug can only be triggered by web users with access to the Xymon
webpages, who are already authenticated as Xymon users. However, when
combined with CVE-2016-xxxx which allows for off-line cracking of password
hashes, this bug may be exploitable by others.

This bug has been patched in Xymon 4.3.25.

* CVE-2016-2057: Incorrect permissions on IPC queues used by the xymond
daemon can bypass IP access filtering:

An IPC message queue used by the xymon daemon is created with world-write
permissions, allowing a local user on the Xymon master server to inject all
types of messages into Xymon, bypassing any IP-based access controls.

Exploitation of this bug requires local access to the Xymon master server.

This bug has been patched in Xymon 4.3.25.

* CVE-2016-2058: Javascript injection in "detailed status webpage" of
monitoring items:

A status message sent from a Xymon client may contain any data, including
HTML, which will be included on the "detailed status" page available via the
Xymon status web interface. A malicious user may send a status message
containing custom Javascript code, which will then be rendered in the browser
of the user viewing the status page.

Exploitation of this bug requires that you can control the contents of a
status message sent to Xymon, which is possible if you control one of the
servers monitored by Xymon, or the Xymon master server. Also, the bug
requires a user to actually view the "detailed status" webpage.

This bug has been patched in Xymon 4.3.25 by including a
"Content-Security-Policy" HTTP header in the response sent to the browser.
This means that older browsers may still be vulnerable to this issue.

* CVE-2016-2058: XSS vulnerability via malformed acknowledgment messages:
(Note that this uses the same CVE id as the Javascript injection issue)

The message sent by a user to indicate acknowledgment of an alert is not
HTML-escaped before being displayed on the status webpage, which may be used
to trigger a cross-site scripting vulnerability.

Exploitation of this bug requires that the attacker is able to acknowledge an
alert status. This requires user-authenticated access to the Xymon webpages,
or that the user receives a message (usually via e-mail) containing the
authentication token for the acknowledgment.

This bug has been patched in Xymon 4.3.25." [1]

MITIGATION

The vendor recommends upgrading to Xymon 4.3.25, which contains fixes for all
of the issues listed above. [1] Where the upgrade must wait, the vendor's
notes above describe two configuration measures that reduce exposure:
restricting which hosts may send to xymond on port 1984 with the
"--status-senders" option, and making sure the xymonpasswd file is not
readable by the userid running xymond (or moving it out of the configuration
directory and pointing CGI_USERADM_OPTS and CGI_CHPASSWD_OPTS at the new
location with "--passwdfile=FILENAME").

REFERENCES

[1] [Xymon] Xymon 4.3.25 - Important Security Update
    http://lists.xymon.com/pipermail/xymon/2016-February/042986.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVr1Wj36ZAP0PgtI9AQJtEQ/+I8zdIqDw88raRgYqhGTcTTyPYLJ63J79
JO5J5QD8MKEXft+I5nOoc9bpLuiH3d/6xtuFqcr+tROO/LKZRZiDYc9zq3ukJBzw
8tl6ccovmr84eJWqsQk1A7GsG7HR1ackYCw5wcKMECrOIIpy8RSA2y1g2ArN8W3A
hAzcYiWNsyclYuPMCftOXp3nt7be24fUg3j2vSnZnkJTys0StpRotWpARkMr+Z5A
jSmZy+vsW6VL8/KiEyODoJnlj3W9C/6XNF8l10P4zdkdb9Dq9yUm8GtR15AsQ61+
sZz+ZMk6mafSte4CheufFU3UcP8b9xOyrW7bs5vY4czl+i5WS+IL3dsxgH5AzRAc
RkL3czypueBjlupWXUx5sDvKbAoUnYf0xKGNzMGbSdIXbACjpWdrLZdCOhsWgUU2
DPOfGK1w0gYO5NmIv3lRTSUwTp0lpRNJoIa8BewY2mB2CHuHCu4Ffh0+cRKA5PMf
p7ntfSbqBuCP8b7Y8Sc/yiMDzo8PBE1LeLkiwSt6g5ATToTL7pmAIr830KHFhjBH
vFYI1q+D1tQPfaobLn63CfPRMPPNcX/656W/FaIHpKrCRbnnZTP/ZoMCGKb5LHyZ
bK2TfvzHFf1CLZcB0JYfnrULQc1wDyFEBFTwAvyHyVfju9JkPiSPDLrfB4b+rKt9
BrzLCaBHvz8=
=Ix2o
-----END PGP SIGNATURE-----
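Added example, not Xymon's code. The two xymond "config" findings in the bulletin, CVE-2016-2054 (unchecked copy of the requested filename into a fixed-size buffer) and CVE-2016-2055 (any file in the etc directory retrievable), sit on the same request path, so one C sketch covers both: the vulnerable copy for contrast, then the checks the vendor describes for 4.3.25 (a length check before the copy, regular files only, a ".cfg" suffix by default). CFG_NAME_MAX, every function name, and the throwaway directory that make_demo_confdir() builds are assumptions for illustration; the real buffer size and code layout are not given in the advisory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed size of the fixed buffer; the advisory only says it was fixed-size
 * and that the copy into it was unchecked. */
#define CFG_NAME_MAX 64

enum cfg_result {
    CFG_OK = 0,
    CFG_ERR_EMPTY,
    CFG_ERR_TOOLONG,    /* would overflow the fixed buffer (CVE-2016-2054 class) */
    CFG_ERR_BADCHAR,    /* '/' or control bytes: could leave the etc directory */
    CFG_ERR_TRAVERSAL,  /* "." or ".." */
    CFG_ERR_SUFFIX,     /* not in the allowed set (".cfg" by default) */
    CFG_ERR_OPEN,       /* missing, unreadable, or a symlink (O_NOFOLLOW) */
    CFG_ERR_NOTREGULAR  /* directory, FIFO, device node (CVE-2016-2055 class) */
};

/* The vulnerable shape: the name as received on port 1984 is copied into a
 * fixed buffer with no length check. Shown only for contrast; a name longer
 * than CFG_NAME_MAX overruns the buffer. */
void unsafe_copy_name(const char *wire, char fixed[CFG_NAME_MAX])
{
    strcpy(fixed, wire);
}

/* Lexical checks on the requested name, applied before any copy or filesystem
 * call. allowed_suffix may be NULL to accept any extension (the advisory notes
 * the administrator can override the ".cfg" default). */
enum cfg_result validate_config_name(const char *name, const char *allowed_suffix)
{
    size_t len = strlen(name);
    if (len == 0) return CFG_ERR_EMPTY;
    if (len >= CFG_NAME_MAX) return CFG_ERR_TOOLONG;      /* keep room for the NUL */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return CFG_ERR_BADCHAR;
    }
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return CFG_ERR_TRAVERSAL;
    if (allowed_suffix != NULL) {
        size_t slen = strlen(allowed_suffix);
        if (len <= slen || strcmp(name + len - slen, allowed_suffix) != 0)
            return CFG_ERR_SUFFIX;
    }
    return CFG_OK;
}

/* Opens NAME relative to the already-open config directory and refuses anything
 * that is not a regular file. fstat() on the descriptor, not stat() on the path,
 * so there is no check-then-open window. Returns an fd, or -1 with *err set. */
int open_config_file(int dirfd, const char *name, enum cfg_result *err)
{
    char fixed[CFG_NAME_MAX];
    struct stat st;
    int fd;

    *err = validate_config_name(name, ".cfg");
    if (*err != CFG_OK) return -1;
    memcpy(fixed, name, strlen(name) + 1);                 /* safe: length checked */

    fd = openat(dirfd, fixed, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { *err = CFG_ERR_OPEN; return -1; }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        *err = CFG_ERR_NOTREGULAR;
        return -1;
    }
    return fd;
}

/* Constructed fixture: a throwaway "etc" directory holding a real hosts.cfg,
 * a stray xymonpasswd, a directory whose name ends in .cfg, and a symlink to
 * the password file. Returns an fd for the directory, or -1. */
int make_demo_confdir(void)
{
    static const char sample[] = "# constructed sample\n";
    char path[] = "/tmp/xymon-etc-XXXXXX";
    int dfd, fd;
    ssize_t w;

    if (mkdtemp(path) == NULL) return -1;
    dfd = open(path, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    fd = openat(dfd, "hosts.cfg", O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    w = write(fd, sample, sizeof sample - 1);
    close(fd);
    if (w < 0) return -1;
    fd = openat(dfd, "xymonpasswd", O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) close(fd);
    (void)mkdirat(dfd, "notes.cfg", 0755);
    (void)symlinkat("xymonpasswd", dfd, "link.cfg");
    return dfd;
}

/* One "config" request against the fixture (built on first use); an opened
 * file is closed again and only the outcome is returned. */
enum cfg_result demo_request(const char *name)
{
    static int dfd = -1;
    enum cfg_result err;
    int fd;

    if (dfd < 0) dfd = make_demo_confdir();
    if (dfd < 0) return CFG_ERR_OPEN;
    fd = open_config_file(dfd, name, &err);
    if (fd >= 0) close(fd);
    return err;
}
```

The suffix allowlist is a lexical filter only, which is why the vendor pairs it with "regular files only" and still tells administrators to fix the permissions on xymonpasswd: a filename filter does nothing for a password file that is readable by the xymond userid and reachable by some other path. With the fixture above, demo_request("hosts.cfg") succeeds, while "xymonpasswd" (wrong suffix), "../xymonpasswd.cfg" (separator), "notes.cfg" (a directory) and "link.cfg" (a symlink, refused by O_NOFOLLOW) are each rejected with a distinct reason.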
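Added example for CVE-2016-2056, not the useradm/chpasswd code. The advisory says only that htpasswd "is invoked via a shell command"; the C below shows the general pattern that makes that exploitable (form fields spliced into one command string) next to the fix (exec with an argument vector, so no shell ever parses the input). The function names and the hostile username are constructed; htpasswd's "-b passwdfile user password" syntax is real, but the runnable demonstration swaps in echo for htpasswd so it works on any host.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The vulnerable shape: web form fields spliced into one command line that a
 * CGI would hand to system() or popen(). Returned rather than executed so the
 * effect of a hostile username can be inspected safely. */
int build_htpasswd_shell_cmd(char *out, size_t outlen,
                             const char *passwdfile, const char *user, const char *pass)
{
    int n = snprintf(out, outlen, "htpasswd -b %s %s %s", passwdfile, user, pass);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if /bin/sh would treat part of CMD as something other than a plain word:
 * command separators, pipes, substitution, redirection. Only an illustration;
 * blacklisting is not the fix, not using a shell is. */
int shell_metachars_present(const char *cmd)
{
    return strpbrk(cmd, ";|&`$()<>\n") != NULL;
}

/* The fix: execute the program directly with an argument vector. Every byte of
 * each argument reaches the child as exactly one argv element. Returns the
 * child's exit status, 127 if the program could not be executed, -1 on error. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Password update without a shell. PROG is a parameter so the demonstration can
 * stand in a harmless program for htpasswd. The remaining validation is the
 * password file's own format rule: a username is non-empty and has no ':'. */
int update_password_argv(const char *prog, const char *passwdfile,
                         const char *user, const char *pass)
{
    if (user[0] == '\0' || strchr(user, ':') != NULL) return -1;
    char *const argv[] = { (char *)prog, (char *)"-b", (char *)passwdfile,
                           (char *)user, (char *)pass, NULL };
    return run_argv(argv);
}

int main(void)
{
    char cmd[256];
    const char *hostile_user = "bob; echo INJECTED;";   /* constructed payload */

    build_htpasswd_shell_cmd(cmd, sizeof cmd, "/etc/xymon/xymonpasswd", hostile_user, "s3cret");
    printf("shell would run : %s\n", cmd);              /* three commands, not one */
    printf("metacharacters  : %d\n", shell_metachars_present(cmd));

    /* Same payload via argv: echo prints it verbatim and nothing else runs. */
    printf("argv exit status: %d\n",
           update_password_argv("echo", "/etc/xymon/xymonpasswd", hostile_user, "s3cret"));
    return 0;
}
```

Through the shell, the username "bob; echo INJECTED;" turns one htpasswd call into three commands running as the web server user, which is the bulletin's point about the CGIs. Through run_argv() the same bytes are a single argument. Note that "-b" puts the password on htpasswd's command line, where local users can read it from the process list; that is a separate weakness, and the advisory does not say how the Xymon CGIs actually call htpasswd.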
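Added example for the two CVE-2016-2058 findings, not Xymon's code. The bulletin says the acknowledgment text was "not HTML-escaped" before display and that the status-text issue was addressed with a Content-Security-Policy header that older browsers ignore. The C below is the escaping side: an HTML escaper with bounded output, and a hypothetical renderer that passes both untrusted strings through it and also emits a CSP header. The function names, the page layout and the policy string in the header are assumptions; the advisory does not give the vendor's actual policy.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Escapes the characters that let attacker-controlled text break out of an
 * HTML text node or a quoted attribute. Returns the number of bytes written
 * (not counting the NUL), or -1 if OUT is too small; OUT is NUL-terminated
 * whenever outlen > 0. */
ssize_t html_escape(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (used + n >= outlen) { out[used] = '\0'; return -1; }
        if (rep) memcpy(out + used, rep, n); else out[used] = *in;
        used += n;
    }
    out[used] = '\0';
    return (ssize_t)used;
}

/* 1 if TEXT still holds a raw '<' or '>', i.e. bytes a browser could parse as
 * markup. Meant for escaped fragments, not for a whole page. */
int contains_raw_markup(const char *text)
{
    return strpbrk(text, "<>") != NULL;
}

/* Hypothetical "detailed status" response. Both the client's status text and
 * the web user's acknowledgment are untrusted and are escaped before they are
 * placed in the document. The CSP header is the second layer the vendor added
 * in 4.3.25; its policy string here is an assumption for illustration.
 * Returns the number of bytes produced, or -1 if a buffer is too small. */
int render_status_detail(const char *status_text, const char *ack_text,
                         char *out, size_t outlen)
{
    char esc_status[1024], esc_ack[1024];
    if (html_escape(status_text, esc_status, sizeof esc_status) < 0) return -1;
    if (html_escape(ack_text, esc_ack, sizeof esc_ack) < 0) return -1;
    int n = snprintf(out, outlen,
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
        "\r\n"
        "<h2>Status</h2><pre>%s</pre>\n"
        "<h2>Acknowledgment</h2><p>%s</p>\n",
        esc_status, esc_ack);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char page[4096];
    /* Constructed inputs: a status line carrying an event-handler payload and
     * an acknowledgment that tries to close the attribute it lands in. */
    int n = render_status_detail("disk /var 91% <img src=x onerror=alert(1)>",
                                 "fixed\" onmouseover=\"alert(2)", page, sizeof page);
    if (n > 0) fputs(page, stdout);
    return n > 0 ? 0 : 1;
}
```

Escaping works in every browser, old or new, so it is the fix for text that is not meant to carry markup, which is how the bulletin characterizes the acknowledgment message. The CSP header is worth keeping as well, since it limits what an injection that slips through can execute, but, as the vendor notes, only in browsers that enforce it.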