-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                       ESB-2008.1156 -- [UNIX/Linux]
                    Nagios and Nagios3 vulnerabilities
                             29 December 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              nagios
                      nagios2
                      nagios3
Publisher:            Ubuntu
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Cross-site Request Forgery
                      Increased Privileges
Access:               Existing Account
CVE Names:            CVE-2008-5027 CVE-2008-5028

Original Bulletin:    http://www.ubuntu.com/usn/usn-698-1
                      http://www.ubuntu.com/usn/usn-698-2
                      http://www.ubuntu.com/usn/usn-698-3

Comment: Note this advisory contains three (3) Ubuntu security advisories.
         
         This advisory references vulnerabilities in products which run on 
         platforms other than Ubuntu. It is recommended that administrators 
         running nagios/nagios2/nagios3 check for an updated version of the 
         software for their operating system.

Revision History:     December 29 2008: Added USN-698-3 detailing the fix 
                                        in nagios2
                      December 23 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

===========================================================
Ubuntu Security Notice USN-698-1          December 22, 2008
nagios vulnerability
CVE-2008-5027
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  nagios-common                   2:1.3-cvs.20050402-8ubuntu8

After a standard system upgrade you need to restart Nagios to effect
the necessary changes.

Details follow:

It was discovered that Nagios did not properly parse commands submitted using
the web interface. An authenticated user could use a custom form or a browser
addon to bypass security restrictions and submit unauthorized commands.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-cvs.20050402-8ubuntu8.diff.gz
      Size/MD5:    70914 96d8036bdb33aadd3141715039c91b24
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-cvs.20050402-8ubuntu8.dsc
      Size/MD5:      959 0393336015bf452f5dfeb74d75245311
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-cvs.20050402.orig.tar.gz
      Size/MD5:  1621251 0f92b7b8e705411b7881d3650cbb5d56

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-common_1.3-cvs.20050402-8ubuntu8_all.deb
      Size/MD5:  1218132 d18e298ee16f4c6c6b7c5969c46044e6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-8ubuntu8_amd64.deb
      Size/MD5:  1030206 085483fdefd0d7bc43e55dbc5be2bcd6
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050402-8ubuntu8_amd64.deb
      Size/MD5:  1041656 09fc7bb2ff11062603680d09e290909b
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-cvs.20050402-8ubuntu8_amd64.deb
      Size/MD5:  1025618 61619d13effd9a4970486abf5933c756

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-8ubuntu8_i386.deb
      Size/MD5:   877846 544afaebec24e7e94d2ce1da3a89346c
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050402-8ubuntu8_i386.deb
      Size/MD5:   886544 411d3ca5a204aa41a4a42ef6e5f56453
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-cvs.20050402-8ubuntu8_i386.deb
      Size/MD5:   872936 aa31f6d1fb8a081a206eae3d6bfb3dd6

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-8ubuntu8_powerpc.deb
      Size/MD5:  1015630 540a27062c7f8612b7f460b2bcfd93b9
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050402-8ubuntu8_powerpc.deb
      Size/MD5:  1024374 47e0480006df0b20a83f67b56da7a9f8
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-cvs.20050402-8ubuntu8_powerpc.deb
      Size/MD5:   993324 03a67a7675075050a672a4c515e8e0c3

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-8ubuntu8_sparc.deb
      Size/MD5:   918810 7340348f043dd884c88bd016ee30e41d
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050402-8ubuntu8_sparc.deb
      Size/MD5:   926172 e9ccf388b828a17e868807aa39cb5b51
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-cvs.20050402-8ubuntu8_sparc.deb
      Size/MD5:   917374 c88dec0d93f590f8a93ebbc701696f68

===========================================================
Ubuntu Security Notice USN-698-2          December 22, 2008
nagios3 vulnerabilities
CVE-2008-5027, CVE-2008-5028
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  nagios3                         3.0.2-1ubuntu1.1

After a standard system upgrade you need to restart Nagios to effect
the necessary changes.

Details follow:

It was discovered that Nagios was vulnerable to a Cross-site request forgery
(CSRF) vulnerability. If an authenticated nagios user were tricked into
clicking a link on a specially crafted web page, an attacker could trigger
commands to be processed by Nagios and execute arbitrary programs. This
update alters Nagios behaviour by disabling submission of CMD_CHANGE commands.
(CVE-2008-5028)

It was discovered that Nagios did not properly parse commands submitted using
the web interface. An authenticated user could use a custom form or a browser
addon to bypass security restrictions and submit unauthorized commands.
(CVE-2008-5027)


Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3_3.0.2-1ubuntu1.1.diff.gz
      Size/MD5:    38086 84020bf2660e52ef176a2274971e4c1b
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3_3.0.2-1ubuntu1.1.dsc
      Size/MD5:     1644 868828fdabd748689e35083aa052a483
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3_3.0.2.orig.tar.gz
      Size/MD5:  2759331 008d71aac08660bc007f7130ea82ab80

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3-common_3.0.2-1ubuntu1.1_all.deb
      Size/MD5:    72216 1cccb3e8640dbd2612caf7841ae1756b
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3-doc_3.0.2-1ubuntu1.1_all.deb
      Size/MD5:  2063224 9769666c13c1d886228f66ff40dc729a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3-dbg_3.0.2-1ubuntu1.1_amd64.deb
      Size/MD5:  2660164 381e889f994b102f6e65acc67f032f7a
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3_3.0.2-1ubuntu1.1_amd64.deb
      Size/MD5:  1538712 8ce98eee89e13bc544180c73c9d24ba0

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3-dbg_3.0.2-1ubuntu1.1_i386.deb
      Size/MD5:  2429130 87889b6dc28b86c4aae3d0acdd9950e9
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3_3.0.2-1ubuntu1.1_i386.deb
      Size/MD5:  1387398 ec353697aced7539893ef9409d850120

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/n/nagios3/nagios3-dbg_3.0.2-1ubuntu1.1_lpia.deb
      Size/MD5:  2479724 433504296b1650a7d393ab28d9b264b7
    http://ports.ubuntu.com/pool/main/n/nagios3/nagios3_3.0.2-1ubuntu1.1_lpia.deb
      Size/MD5:  1376480 be232a1c16b5daff63b586f2cd66b9eb

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/n/nagios3/nagios3-dbg_3.0.2-1ubuntu1.1_powerpc.deb
      Size/MD5:  2630802 167b533ea10d8962df5bc5904133c067
    http://ports.ubuntu.com/pool/main/n/nagios3/nagios3_3.0.2-1ubuntu1.1_powerpc.deb
      Size/MD5:  1525154 0679044c20e6a53c9311f2670834035b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/n/nagios3/nagios3-dbg_3.0.2-1ubuntu1.1_sparc.deb
      Size/MD5:  2327204 f40329c8a8216799a365d185bcc2a646
    http://ports.ubuntu.com/pool/main/n/nagios3/nagios3_3.0.2-1ubuntu1.1_sparc.deb
      Size/MD5:  1379752 04408878bff9de5f485c7da2c6ffde4d

===========================================================
Ubuntu Security Notice USN-698-3          December 23, 2008
nagios2 vulnerabilities
CVE-2008-5027, CVE-2008-5028
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  nagios2                         2.11-1ubuntu1.4

After a standard system upgrade you need to restart Nagios to effect
the necessary changes.

Details follow:

It was discovered that Nagios was vulnerable to a Cross-site request forgery
(CSRF) vulnerability. If an authenticated nagios user were tricked into
clicking a link on a specially crafted web page, an attacker could trigger
commands to be processed by Nagios and execute arbitrary programs. This
update alters Nagios behaviour by disabling submission of CMD_CHANGE commands.
(CVE-2008-5028)

It was discovered that Nagios did not properly parse commands submitted using
the web interface. An authenticated user could use a custom form or a browser
addon to bypass security restrictions and submit unauthorized commands.
(CVE-2008-5027)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/universe/n/nagios2/nagios2_2.11-1ubuntu1.4.diff.gz
      Size/MD5:    37439 1e9c238bb21704f42d6275c31cf99108
    http://security.ubuntu.com/ubuntu/pool/universe/n/nagios2/nagios2_2.11-1ubuntu1.4.dsc
      Size/MD5:     1174 99b9d7ca524be867d538f8f39d52f0cf
    http://security.ubuntu.com/ubuntu/pool/universe/n/nagios2/nagios2_2.11.orig.tar.gz
      Size/MD5:  1741962 058c1f4829de748b42da1b584cccc941

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/n/nagios2/nagios2-common_2.11-1ubuntu1.4_all.deb
      Size/MD5:    61506 c4f5c96b1c8be0e58c362eb005efba9c
    http://security.ubuntu.com/ubuntu/pool/universe/n/nagios2/nagios2-doc_2.11-1ubuntu1.4_all.deb
      Size/MD5:  1135002 0515ced55e66978706203bdac4055b39

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/universe/n/nagios2/nagios2-dbg_2.11-1ubuntu1.4_amd64.deb
      Size/MD5:  1640150 d23994c62750473a55138f10935318b6
    http://security.ubuntu.com/ubuntu/pool/universe/n/nagios2/nagios2_2.11-1ubuntu1.4_amd64.deb
      Size/MD5:  1106218 d2ca0e16009ae6738cae6efd29f243df

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/universe/n/nagios2/nagios2-dbg_2.11-1ubuntu1.4_i386.deb
      Size/MD5:  1552138 4a165fc1202e3dcc4c7af4eeaa8f14cb
    http://security.ubuntu.com/ubuntu/pool/universe/n/nagios2/nagios2_2.11-1ubuntu1.4_i386.deb
      Size/MD5:   987174 73ba6b8faef90259a965ad3c2aee176e

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/universe/n/nagios2/nagios2-dbg_2.11-1ubuntu1.4_lpia.deb
      Size/MD5:  1586750 161d8bbc1d2f8251aa0888c326152763
    http://ports.ubuntu.com/pool/universe/n/nagios2/nagios2_2.11-1ubuntu1.4_lpia.deb
      Size/MD5:   999124 984199f0814041fb1d3be332c78a1084

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/universe/n/nagios2/nagios2-dbg_2.11-1ubuntu1.4_powerpc.deb
      Size/MD5:  1609376 fc3975c98bf065371fd8a0230d1007c5
    http://ports.ubuntu.com/pool/universe/n/nagios2/nagios2_2.11-1ubuntu1.4_powerpc.deb
      Size/MD5:  1109530 a5e36a48935587ccfc565376a5ea58fa

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/universe/n/nagios2/nagios2-dbg_2.11-1ubuntu1.4_sparc.deb
      Size/MD5:  1448326 2fc971f58d9891abd1d2babe018742ef
    http://ports.ubuntu.com/pool/universe/n/nagios2/nagios2_2.11-1ubuntu1.4_sparc.deb
      Size/MD5:   989588 158c615af339c126f07fcc8b3e05480a


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSVgj7ih9+71yA2DNAQIUugQAhGECKkvM2VdXTmE43ZIEWM+aWQuw1DZ8
hvRQwtMm72f3yDOjQpdr+A6JaVL0sb+xJLmQYj1UaxG+WJdrbgaUFZWF9un6aSxT
Uq+Di+LCfIzXcZUuqv2DGLJoJGCct873n8tcz9MUuEbhswpYUMzpqzPotkOTbsWE
S8xjL2aV1yk=
=lrF3
-----END PGP SIGNATURE-----