Deutsche Telekom CERT Advisory [DTC-A-20140324-003]
Summary:
Two vulnerabilities were found in Icinga version 1.9.1.
These vulnerabilities are:
1) Several buffer overflows
2) Off-by-one memory access
Recommendations:
Updates available and need to be installed:
- Icinga 1.10.2 Bug Fix Release
- Icinga 1.9.4
- Icinga 1.8.5
Homepage: https://www.icinga.org/
Details:
a) application
b) problem
c) CVSS
d) detailed description
--------------------------------------------------------------------------------
a1) Icinga 1.9.1
b1) Buffer Overflow [CVE-2013-7106]
c1) 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d1) The Icinga web GUI is susceptible to several buffer overflow flaws, which can be triggered by a logged-in user. A remote attacker may use a CSRF (cross-site request forgery) attack against a logged-in user to exploit these flaws remotely. Depending on the target system, this may result in code execution and eventually full compromise of the Icinga server.
--------------------------------------------------------------------------------
a2) Icinga 1.9.1
b2) Off-by-one memory access [CVE-2013-7108]
c2) 4.9 AV:N/AC:M/Au:S/C:P/I:N/A:P
d2) The Icinga and Nagios web GUIs are susceptible to an "off-by-one read" error that results from an improper assumption in the handling of user-submitted CGI parameters. To prevent buffer overflow attacks against the web GUI, Icinga/Nagios checks the length of every user-submitted parameter; any parameter longer than MAX_INPUT_BUFFER-1 characters is discarded. However, by sending a specially crafted CGI parameter, the check routine can be made to skip the NULL pointer that terminates the parameter list and to read the heap memory located immediately after the end of that list. Depending on the memory layout, this may result in memory corruption, a crash, or the disclosure of sensitive memory contents.
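The following C program is an added illustration of the off-by-one read described in d2); it is not Icinga or Nagios source and is not part of the advisory. The loop shape (an oversized entry is skipped by advancing the index and continuing, so the for-loop's own increment advances a second time), the value of MAX_INPUT_BUFFER, the request parameters and the "heap junk" string are all assumptions constructed to reproduce the described behaviour: when the oversized parameter is the last one, the length check steps over the NULL pointer that ends the parameter array and the loop condition reads the slot after it. The hardened variant is shown beside it.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for this demo; the value is not taken from the project. */
#define MAX_INPUT_BUFFER 16
#define MAX_VARS 8

typedef struct {
    int accepted;                 /* parameters passed on for processing */
    int discarded;                /* parameters rejected as too long */
    const char *vars[MAX_VARS];   /* the accepted parameters, in order */
} walk_result;

/* Vulnerable pattern (reconstruction, not project code): an oversized entry is
 * "skipped" by advancing x and then continuing. The for-loop's own x++ then
 * advances a second time, so when the oversized entry is the last real one,
 * the loop condition evaluates variables[x] one slot past the NULL terminator. */
static walk_result walk_vulnerable(const char **variables)
{
    walk_result r = {0, 0, {0}};
    for (int x = 0; variables[x] != NULL; x++) {
        if (strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
            r.discarded++;
            x++;        /* BUG: jumps over the terminator if this was the last entry */
            continue;
        }
        if (r.accepted < MAX_VARS)
            r.vars[r.accepted] = variables[x];
        r.accepted++;
    }
    return r;
}

/* Hardened pattern: discard the entry and let the loop advance exactly once,
 * so the NULL terminator is always examined before any further read. */
static walk_result walk_fixed(const char **variables)
{
    walk_result r = {0, 0, {0}};
    for (int x = 0; variables[x] != NULL; x++) {
        if (strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
            r.discarded++;
            continue;
        }
        if (r.accepted < MAX_VARS)
            r.vars[r.accepted] = variables[x];
        r.accepted++;
    }
    return r;
}

/* Constructed request: the last CGI parameter exceeds MAX_INPUT_BUFFER-1.
 * Slot 3 stands in for whatever the heap happens to hold right after the
 * parameter list; keeping it inside this array keeps the demo within defined
 * behaviour while modelling the stray read described in the advisory. */
static const char *CRAFTED[] = {
    "host=web01",
    "service=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",   /* 40 chars, over the limit */
    NULL,                                         /* real end of the list */
    "heap junk",                                  /* read only by the buggy walker */
    NULL
};

int main(void)
{
    walk_result bad = walk_vulnerable(CRAFTED);
    walk_result good = walk_fixed(CRAFTED);

    printf("vulnerable: accepted=%d discarded=%d", bad.accepted, bad.discarded);
    for (int i = 0; i < bad.accepted; i++)
        printf(" [%s]", bad.vars[i]);
    printf("\nfixed:      accepted=%d discarded=%d", good.accepted, good.discarded);
    for (int i = 0; i < good.accepted; i++)
        printf(" [%s]", good.vars[i]);
    printf("\n");
    return 0;
}
```

Build with `cc -Wall -o offbyone offbyone.c && ./offbyone`. The vulnerable walker reports two accepted parameters, the second being the "heap junk" that sits after the terminator; the fixed walker stops at the NULL and accepts only `host=web01`. In a real process that extra slot is whatever the allocator placed next on the heap, which is why the advisory's impact ranges from a crash to reading sensitive memory.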
Deutsche Telekom CERT
Landgrabenweg 151, 53227 Bonn, Germany
+49 800 DTAG CERT (Tel.)
E-Mail: cert@telekom.de
Life is for sharing.
Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: Timotheus Höttges (Chairman),
Dr. Thomas Kremer, Reinhard Clemens, Niek Jan van Damme,
Thomas Dannenfeldt, Claudia Nemat, Prof. Dr. Marion Schick
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn
Big changes start small - conserve resources by not printing every e-mail.