Deutsche Telekom CERT Advisory [DTC-A-20140324-004]

Summary:
An off-by-one memory access was found in the web GUI of Nagios. A patch was applied to the core master branch of Nagios (http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/). This fix is announced to be rolled into the 4.0.3 version of Nagios Core once testing has been completed. There has been no feedback regarding the 3.5 branch of Nagios, but the current sources seem to indicate that the issue was patched in version 3.5 as well. The issue should be fixed in the next release.

Homepage: http://www.nagios.org/

Recommendations:
Bug fixes are available in the source code. Install updated packages as soon as these packages are available.

Details:
a) application
b) problem
c) CVSS
d) detailed description
----------------------------------------------------------------------------

a1) Nagios 3.5.0 [CVE-2013-7108]
b1) Off-by-one memory access
c1) 4.9 AV:N/AC:M/Au:S/C:P/I:N/A:P
d1) The Icinga and Nagios web GUIs are susceptible to an "off-by-one read" error resulting from an improper assumption in the handling of user-submitted CGI parameters. To prevent buffer overflow attacks against the web GUI, Icinga/Nagios checks the string length of every user-submitted parameter: any parameter longer than MAX_INPUT_BUFFER-1 characters is discarded. However, by sending a specially crafted CGI parameter, the check routine can be forced to step over the NULL pointer that terminates the parameter list and read the heap location immediately after the end of the list. Depending on the memory layout, this may result in a memory corruption condition or crash, or in the reading of sensitive memory contents.

Deutsche Telekom CERT
Landgrabenweg 151, 53227 Bonn, Germany
+49 800 DTAG CERT (Tel.)
E-Mail: cert@telekom.de
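To make the mechanism in d1) concrete, the following is an added example written by the editor, not Nagios or Icinga source and not the upstream patch: it re-creates the loop shape the advisory describes (a length check that skips an over-long entry with an extra index increment) next to a hardened variant that refuses to step over the terminating NULL pointer. The alternating key/value layout of the parameter array, the shrunken MAX_INPUT_BUFFER value, the scan_result type and both sample lists are assumptions made for the demonstration. The nslots bound is there only so the vulnerable version reports the overrun instead of actually performing the out-of-bounds read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Shrunk for the demonstration; the real constant is larger (assumption). */
#define MAX_INPUT_BUFFER 16

typedef struct {
    int passed;    /* entries that passed the length check */
    int overran;   /* 1 if the scan indexed past the terminating NULL pointer */
} scan_result;

/*
 * Vulnerable shape (hypothetical re-creation). The list is a NULL-terminated
 * array of alternating key/value strings (assumption). An over-long entry is
 * "skipped" with x++ and continue, but the for-loop header increments x a
 * second time. If the over-long entry is the last one, the first increment
 * lands on the terminating NULL pointer and the second steps past it, so the
 * next variables[x] read lies outside the list. The nslots guard only turns
 * that read into a reported overrun for this demo.
 */
static scan_result scan_vulnerable(char **variables, size_t nslots)
{
    scan_result r = {0, 0};
    for (size_t x = 0; ; x++) {
        if (x >= nslots) {          /* would read past the array: the bug */
            r.overran = 1;
            break;
        }
        if (variables[x] == NULL)   /* terminating NULL pointer reached */
            break;
        if (strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
            x++;                    /* skip the value that follows this key */
            continue;               /* header x++ runs too: the off-by-one */
        }
        r.passed++;
    }
    return r;
}

/*
 * Hardened shape (editor's fix, not necessarily what upstream did): never
 * advance over a slot without first checking that it is not the terminator,
 * and keep the index bounded by the allocation.
 */
static scan_result scan_hardened(char **variables, size_t nslots)
{
    scan_result r = {0, 0};
    for (size_t x = 0; x < nslots && variables[x] != NULL; x++) {
        if (strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
            if (x + 1 >= nslots || variables[x + 1] == NULL)
                break;              /* over-long last entry: stop, do not step over NULL */
            x++;                    /* skip its value, which we know exists */
            continue;
        }
        r.passed++;
    }
    return r;
}

/* Constructed sample parameter lists (not captured requests). */
static char *sample_last_long[] = { "host", "localhost",
                                    "AAAAAAAAAAAAAAAAAAAAAAAA", NULL };
static const size_t sample_last_long_slots = 4;

static char *sample_middle_long[] = { "AAAAAAAAAAAAAAAAAAAAAAAA", "v",
                                      "host", "localhost", NULL };
static const size_t sample_middle_long_slots = 5;

int main(void)
{
    scan_result v = scan_vulnerable(sample_last_long, sample_last_long_slots);
    scan_result h = scan_hardened(sample_last_long, sample_last_long_slots);
    printf("over-long last key: vulnerable overran=%d, hardened overran=%d\n",
           v.overran, h.overran);
    v = scan_vulnerable(sample_middle_long, sample_middle_long_slots);
    printf("over-long key in the middle: vulnerable overran=%d\n", v.overran);
    return 0;
}
```

Only the list whose last entry is over-long triggers the overrun; an over-long entry in the middle is skipped together with its value in both versions, which is why the bug is easy to miss in casual testing. When reviewing similar code, look for any loop over a sentinel-terminated array whose body increments the index and then relies on the loop header's increment as well.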