Ubuntu: Nagios vulnerabilities
Posted by Benjamin D. Thomas
===========================================================
Ubuntu Security Notice USN-698-3          December 23, 2008
nagios2 vulnerabilities
CVE-2008-5027, CVE-2008-5028
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  nagios2                         2.11-1ubuntu1.4

After a standard system upgrade you need to restart Nagios to effect
the necessary changes.

Details follow:

It was discovered that Nagios was vulnerable to a Cross-site request forgery
(CSRF) vulnerability. If an authenticated nagios user were tricked into
clicking a link on a specially crafted web page, an attacker could trigger
commands to be processed by Nagios and execute arbitrary programs. This
update alters Nagios behaviour by disabling submission of CMD_CHANGE commands.
(CVE-2008-5028)

It was discovered that Nagios did not properly parse commands submitted using
the web interface. An authenticated user could use a custom form or a browser
addon to bypass security restrictions and submit unauthorized commands.
(CVE-2008-5027)
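The two issues above, as an added example that is not part of the advisory or of Nagios's own code: a minimal command-submission gatekeeper in Python, with the unsafe pattern (any command type accepted on the strength of the session cookie alone, so a crafted page or a custom form can drive it) beside a hardened form that requires a POST carrying a session-bound anti-CSRF token, rejects the CMD_CHANGE prefix as the update does, and accepts only command types on an explicit allow-list. The handler names, the session id, and the command names in the allow-list are illustrative assumptions, not Nagios's API.

```python
import hashlib
import hmac
import secrets

# Server-side secret for deriving per-session anti-CSRF tokens (constructed here).
SECRET_KEY = secrets.token_bytes(32)

# Command types the web interface is allowed to submit (illustrative names).
# Nothing with the CMD_CHANGE prefix is ever listed, mirroring the update's
# mitigation for CVE-2008-5028.
ALLOWED_COMMANDS = {
    "CMD_ENABLE_HOST_NOTIFICATIONS",
    "CMD_DISABLE_HOST_NOTIFICATIONS",
    "CMD_SCHEDULE_HOST_DOWNTIME",
}


def csrf_token(session_id: str) -> str:
    """Token bound to the session: a foreign page cannot compute it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_handler(request: dict, session_id: str) -> dict:
    """'Before' form: trusts the session cookie alone, so a GET triggered from a
    crafted page is processed, and any command type sent by a hand-built form
    is processed too (the CVE-2008-5027 pattern)."""
    return {"accepted": True, "command": request["cmd_typ"]}


def hardened_handler(request: dict, session_id: str) -> dict:
    """Hardened form: POST only, valid session-bound token, no CMD_CHANGE,
    and the command type must be one the interface actually offers."""
    cmd = request.get("cmd_typ", "")
    token = request.get("csrf_token", "")
    if request.get("method") != "POST":
        return {"accepted": False, "reason": "state change requires POST"}
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return {"accepted": False, "reason": "missing or foreign CSRF token"}
    if cmd.startswith("CMD_CHANGE"):
        return {"accepted": False, "reason": "CMD_CHANGE commands are disabled"}
    if cmd not in ALLOWED_COMMANDS:
        return {"accepted": False, "reason": "command type not offered by the interface"}
    return {"accepted": True, "command": cmd}
```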


Updated packages for Ubuntu 8.04 LTS:
