[Xymon] Xymon 4.3.25 - Important Security Update

Ryan Novosielski novosirj at ca.rutgers.edu
Tue Feb 9 22:27:25 CET 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/08/2016 03:06 PM, J.C. Cleaver wrote:
> Hello all,
> 
> 
> Xymon 4.3.25 has been released and is now available for download
> at https://sourceforge.net/projects/xymon/
> 
> 
> Version 4.3.25 includes fixes for several security issues in the
> server component of the Xymon monitoring system, which are further
> detailed below. In addition, there are several other feature
> additions, and several bug fixes and reliability improvements.
> 
> Full release notes and a Changelog are available at 
> https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/
> 
> These issues affect all versions of Xymon 4.3.x prior to 4.3.25, as
> well as the obsolete 4.1.x and 4.2.x versions. All Xymon users are
> strongly encouraged to upgrade their server component.
> 
> 
> We would like to greatly thank Markus Krell for his responsible
> reporting of these issues and for his assistance in testing their
> resolution.
> 
> 
> And as always, thank you to everyone who has contributed code or
> submitted feature suggestions or bug reports to the Xymon project.
> 
> 
> Regards,
> 
> Japheth "J.C." Cleaver
> Xymon 4.x Maintainer
> 
> 
> 
> * CVE-2016-2054: Buffer overflow in xymond handling of "config"
> command: The xymond daemon performs an unchecked copying of a
> user-supplied filename to a fixed-size buffer when handling a
> "config" command. This may be used to trigger a buffer overflow in
> xymond, possibly resulting in remote code execution and/or denial
> of service of the Xymon monitoring system. This code will run with
> the privileges of the xymon userid.
> 
> This bug may be triggered by anyone with network access to the
> xymond service on port 1984, unless access has been restricted with
> the "--status-senders" option (a non-default configuration).
> 
> This bug has been patched in Xymon 4.3.25.
> 
> 
> * CVE-2016-2055: Access to possibly confidential files in the
> Xymon configuration directory: The xymond daemon will allow anyone
> with network access to the xymond network port (1984) to download
> configuration files in the Xymon "etc" directory. In a default
> installation, the Apache htaccess file "xymonpasswd" controlling
> access to the administrator webpages is installed in this directory
> and is therefore available for download. The passwords in the file
> are hashed, but may then be brute-forced off-line.
> 
> This bug may be triggered by anyone with network access to the
> xymond service on port 1984, unless access has been restricted with
> the "--status-senders" option (a non-default configuration).
> 
> Administrators of existing installations should ensure that the 
> xymonpasswd file is not readable by the userid running the xymond 
> daemon. Permissions should be: Owner=webserver UID, group=webserver
> GID, mode rw-rw--- (600). This will be the default configuration
> starting with Xymon 4.3.25. In addition, the "config" command will
> only allow access to regular files. By default, only files ending
> in ".cfg" may be directly retrieved, although this can be
> overridden by the administrator, and config files may include other
> files and directories using existing directives.
> 
> Alternatively, the file may be moved to a location outside the
> Xymon configuration directory. The Xymon cgioptions.cfg file must
> then be edited so CGI_USERADM_OPTS and CGI_CHPASSWD_OPTS include 
> "--passwdfile=FILENAME".
> 
> 
> * CVE-2016-2056: Shell command injection in the "useradm" and
> "chpasswd" web applications: The useradm and chpasswd web
> applications may be used to administer passwords for user
> authentication in Xymon, acting as a web frontend to the Apache
> "htpasswd" application. The htpasswd command is invoked via a shell
> command, and it is therefore possible to inject arbitrary commands 
> and have them executed with the privileges of the webserver (CGI)
> user.
> 
> This bug can only be triggered by web users with access to the
> Xymon webpages, who are already authenticated as Xymon users.
> However, when combined with CVE-2016-xxxx which allows for off-line
> cracking of password hashes, this bug may be exploitable by
> others.
> 
> This bug has been patched in Xymon 4.3.25.
> 
> 
> * CVE-2016-2057: Incorrect permissions on IPC queues used by the
> xymond daemon can bypass IP access filtering: An IPC message queue
> used by the xymon daemon is created with world-write permissions,
> allowing a local user on the Xymon master server to inject all
> types of messages into Xymon, bypassing any IP-based access
> controls.
> 
> Exploitation of this bug requires local access to the Xymon master
> server.
> 
> This bug has been patched in Xymon 4.3.25.
> 
> 
> * CVE-2016-2058: Javascript injection in "detailed status webpage"
> of monitoring items: A status-message sent from a Xymon client may
> contain any data, including HTML, which will be included on the
> "detailed status" page available via the Xymon status webinterface.
> A malicious user may send a status message containing custom
> Javascript code, which will then be rendered in the browser of the
> user viewing the status page.
> 
> Exploitation of this bug requires that you can control the contents
> of a status message sent to Xymon, which is possible if you control
> one of the servers monitored by Xymon, or the Xymon master server.
> Also, the bug requires a user to actually view the "detailed
> status" webpage.
> 
> This bug has been patched in Xymon 4.3.25 by including a 
> "Content-Security-Policy" HTTP header in the response sent to the 
> browser. This means that older browsers may still be vulnerable to
> this issue.
> 
> 
> * CVE-2016-2058: XSS vulnerability via malformed acknowledgment
> messages: (Note that this uses the same CVE id as the Javascript
> injection issue) The message sent by a user to indicate
> acknowledgment of an alert is not HTML-escaped before being
> displayed on the status webpage, which may be used to trigger a
> cross-site scripting vulnerability.
> 
> Exploitation of this bug requires that the attacker is able to 
> acknowledge an alert status. This requires user-authenticated
> access to the Xymon webpages, or that the user receives a message
> (usually via e-mail) containing the authentication token for the
> acknowledgment.
> 
> This bug has been patched in Xymon 4.3.25.

Am I right that:

A) The critical component to upgrade here is the server running the
Xymon display (less so the xymonnnet machines, if any) and...
B) A Xymon 4.3.12 xymonnet machine will operate correctly with a Xymon
4.3.25 server that is receiving the status messages and generating the
web pages?

-- 
____ *Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
|| \\UTGERS      |---------------------*O*---------------------
||_// Biomedical | Ryan Novosielski - Senior Technologist
|| \\ and Health | novosirj at rutgers.edu - 973/972.0922 (2x0922)
||  \\  Sciences | OIRT/High Perf & Res Comp - MSB C630, Newark
     `'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAla6Wb0ACgkQmb+gadEcsb7GegCgqX983qASNujrb8OW06n40Hl1
9qQAn2czgGOtofCytGWp9lqek36XRCBD
=eld7
-----END PGP SIGNATURE-----
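The CVE-2016-2055 section of the quoted advisory describes two measures: the "config" command now serves only regular files, by default only those ending in ".cfg", and the xymonpasswd file should be owned by the webserver user and not readable by the xymond userid. The following is an added example, not Xymon's own code, that expresses both as checks: a path policy a daemon could apply before serving a file, and an audit an administrator could run against an existing installation. The function names, the argument names and the temporary layout that demo() builds are assumptions of this example; the policy itself comes from the advisory.

```python
"""Added example, not Xymon's own code: the two CVE-2016-2055 measures the
advisory describes, written as checks. Function names, argument names and the
temporary directory layout built by demo() are this example's assumptions.
"""
import os
import stat
import tempfile


def config_file_allowed(etcdir, requested, allowed_suffixes=(".cfg",)):
    """Decide whether a "config" request may be served, following the 4.3.25
    rule: only regular files inside the configuration directory, and by
    default only names ending in ".cfg". Returns the resolved path or None."""
    base = os.path.realpath(etcdir)
    # realpath collapses ".." and follows symlinks, so a request such as
    # "../something.cfg" or a symlink pointing outside etc/ is resolved
    # before the containment check.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None  # escapes the configuration directory
    if not target.endswith(tuple(allowed_suffixes)):
        return None  # not a name the administrator allowed
    try:
        mode = os.stat(target).st_mode
    except OSError:
        return None  # missing or unreadable
    if not stat.S_ISREG(mode):
        return None  # directories, sockets and devices are refused
    return target


def audit_passwd_file(path, webserver_uid, webserver_gid, xymon_uid=None):
    """Return a list of findings for the htpasswd file; an empty list means it
    matches the advisory's recommendation (owned by the webserver uid/gid, no
    permission bits for "other"). xymon_uid, if given, adds a check that the
    xymond userid does not own the file."""
    st = os.stat(path)
    perm = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != webserver_uid:
        findings.append("owner uid %d, expected webserver uid %d" % (st.st_uid, webserver_uid))
    if st.st_gid != webserver_gid:
        findings.append("group gid %d, expected webserver gid %d" % (st.st_gid, webserver_gid))
    if perm & stat.S_IRWXO:
        findings.append("mode %04o grants access to 'other'" % perm)
    if xymon_uid is not None and st.st_uid == xymon_uid:
        findings.append("file is owned by the xymond userid")
    return findings


def demo():
    """Build a constructed layout under a temporary directory and exercise
    both checks. Returns a dict of results for inspection."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    os.mkdir(os.path.join(etc, "subdir.cfg"))  # a directory with a .cfg name
    with open(os.path.join(etc, "cgioptions.cfg"), "w") as fh:
        fh.write("# constructed placeholder content\n")
    with open(os.path.join(root, "outside.cfg"), "w") as fh:
        fh.write("# constructed file outside the configuration directory\n")
    passwd = os.path.join(etc, "xymonpasswd")
    with open(passwd, "w") as fh:
        fh.write("admin:constructed-hash-placeholder\n")  # not a real hash
    os.chmod(passwd, 0o644)  # the world-readable state the advisory warns about

    results = {
        "cfg_allowed": config_file_allowed(etc, "cgioptions.cfg") is not None,
        "passwd_refused": config_file_allowed(etc, "xymonpasswd") is None,
        "traversal_refused": config_file_allowed(etc, "../outside.cfg") is None,
        "absolute_refused": config_file_allowed(etc, "/etc/hostname") is None,
        "directory_refused": config_file_allowed(etc, "subdir.cfg") is None,
        "findings_before": audit_passwd_file(passwd, os.getuid(), os.getgid()),
    }
    os.chmod(passwd, 0o600)  # the corrected mode
    results["findings_after"] = audit_passwd_file(passwd, os.getuid(), os.getgid())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit deliberately reports ownership and mode separately: a file with mode 0600 is still readable by xymond if xymond owns it, which is why the advisory asks for the webserver uid as owner rather than only a restrictive mode.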
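The CVE-2016-2056 section says the useradm and chpasswd CGIs ran htpasswd "via a shell command", so that arbitrary commands could be injected. The following added example, not Xymon's own code, places that invocation pattern next to its hardened form: an argument vector passed with no shell, a username validated against an allowed alphabet, and the password supplied on stdin. The function names, the username policy and the use of `htpasswd -i` are choices of this example, not the advisory's; the `runner` argument exists so the demo can substitute a recording fake instead of needing htpasswd installed.

```python
"""Added example, not Xymon's own code: the shell-interpolation pattern
behind CVE-2016-2056 beside its hardened form. Function names, the username
policy and the use of "htpasswd -i" are this example's choices.
"""
import re
import shlex
import subprocess

# Allowed username alphabet (assumed policy): letters, digits, . _ @ -
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$")


def vulnerable_command(passwdfile, username, password):
    """The defective pattern: one string destined for `sh -c`. Returned, not
    executed, so the demo can show how a shell would tokenise it."""
    return "htpasswd -b %s %s %s" % (passwdfile, username, password)


def shell_tokens(command):
    """Tokenise as a POSIX shell would, with ; | & ( ) < > returned as
    separate tokens, to make a command boundary inside user input visible."""
    return list(shlex.shlex(command, punctuation_chars=True, posix=True))


def validate_username(username):
    """Reject anything outside the allowed alphabet before it reaches any
    external program; raises ValueError."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains disallowed characters: %r" % username)
    return username


def htpasswd_argv(passwdfile, username):
    """Hardened form: an argv list, so no shell parses user input, and the
    password is not on the command line at all (-i reads it from stdin)."""
    return ["htpasswd", "-i", passwdfile, validate_username(username)]


def set_password(passwdfile, username, password, runner=subprocess.run):
    """Run htpasswd without a shell. `runner` is injectable so the demo can
    substitute a fake instead of needing htpasswd installed."""
    argv = htpasswd_argv(passwdfile, username)
    proc = runner(argv, input=password.encode("utf-8"), capture_output=True)
    return proc.returncode == 0


class _FakeRun:
    """Test double standing in for subprocess.run: records argv, reports success."""

    def __init__(self):
        self.calls = []

    def __call__(self, argv, **kwargs):
        self.calls.append(list(argv))
        return subprocess.CompletedProcess(argv, 0, stdout=b"", stderr=b"")


def demo():
    passwdfile = "/path/to/xymon/etc/xymonpasswd"  # placeholder path
    hostile = "bob;true"  # constructed username carrying a command separator
    fake = _FakeRun()
    try:
        htpasswd_argv(passwdfile, hostile)
        rejected = False
    except ValueError:
        rejected = True
    return {
        # The shell would see "bob", then ";", then a second command.
        "vulnerable_tokens": shell_tokens(vulnerable_command(passwdfile, hostile, "pw")),
        "safe_argv": htpasswd_argv(passwdfile, "alice"),
        "hostile_rejected": rejected,
        "set_password_ok": set_password(passwdfile, "alice", "pw", runner=fake),
        "runner_saw": fake.calls,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Validation and the argv form are independent layers: the list form alone already prevents the shell from seeing the username, while the alphabet check keeps option-like values (a username beginning with "-") and other surprises away from htpasswd itself.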
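Both CVE-2016-2058 entries concern client-supplied text (a status message, an acknowledgment note) reaching the status page unescaped, and the advisory says 4.3.25 answers the first with a Content-Security-Policy header that older browsers ignore. The following added example, not Xymon's own code, shows the two defences together: output encoding at every insertion point as the primary control, and a CSP header on the CGI response as defence in depth. The policy string, the function names and the page layout are assumptions of this example; the advisory does not state which policy Xymon sends.

```python
"""Added example, not Xymon's own code: output encoding plus a
Content-Security-Policy header, the two defences relevant to CVE-2016-2058.
The policy string, function names and page layout are this example's
assumptions.
"""
import html

# Assumed policy, not the one Xymon ships: scripts only from the site's own
# origin, so inline script that slipped through cannot run in a CSP-aware browser.
CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"


def escape_untrusted(text):
    """Encode for HTML body and double-quoted attribute contexts; quote=True
    also converts quote characters, which matters inside attributes."""
    return html.escape(text, quote=True)


def render_status_page(hostname, status_message, ack_message=None):
    """Build the page body. Every client-supplied value (host name, status
    text, acknowledgment note) is escaped at the point of insertion."""
    parts = [
        "<html><body>",
        "<h1>Status for %s</h1>" % escape_untrusted(hostname),
        "<pre>%s</pre>" % escape_untrusted(status_message),
    ]
    if ack_message is not None:
        safe_ack = escape_untrusted(ack_message)
        parts.append('<p class="ack" title="%s">Acknowledged: %s</p>' % (safe_ack, safe_ack))
    parts.append("</body></html>")
    return "\n".join(parts)


def cgi_response(body):
    """Headers, a blank line, then the body, as a CGI program emits them. The
    CSP header is defence in depth: browsers that do not implement CSP get no
    protection from it, so escaping remains the primary control."""
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", CSP_POLICY),
    ]
    return "\r\n".join("%s: %s" % h for h in headers) + "\r\n\r\n" + body


def demo():
    # Constructed inputs: a status message and an acknowledgment carrying markup
    # and quote characters, as a client or ack form could submit them.
    status = 'disk full <script>alert("xss")</script>'
    ack = 'ticket "1234" <b>urgent</b>'
    return cgi_response(render_status_page("web01.example", status, ack))


if __name__ == "__main__":
    print(demo())
```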
