[Xymon] Xymon 4.3.25 - Important Security Update

Jeremy Laidman jlaidman at rebel-it.com.au
Mon Feb 8 21:29:20 CET 2016


JC

Reporting some typos, in case you're republishing these notes:

"However, when combined with CVE-2016-xxxx" needs the xxxx updated.

"mode rw-rw--- (600)" should be 660.

Cheers
Jeremy

On Tue, 9 Feb 2016 07:06 J.C. Cleaver <cleaver at terabithia.org> wrote:

> Hello all,
>
>
> Xymon 4.3.25 has been released and is now available for download at
> https://sourceforge.net/projects/xymon/
>
>
> Version 4.3.25 includes fixes for several security issues in the server
> component of the Xymon monitoring system, which are further detailed
> below. In addition, there are several other feature additions, and several
> bug fixes and reliability improvements.
>
> Full release notes and a Changelog are available at
> https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/
>
> These issues affect all versions of Xymon 4.3.x prior to 4.3.25, as well
> as the obsolete 4.1.x and 4.2.x versions. All Xymon users are strongly
> encouraged to upgrade their server component.
>
>
> We would like to greatly thank Markus Krell for his responsible reporting
> of these issues and for his assistance in testing their resolution.
>
>
> And as always, thank you to everyone who has contributed code or submitted
> feature suggestions or bug reports to the Xymon project.
>
>
> Regards,
>
> Japheth "J.C." Cleaver
> Xymon 4.x Maintainer
>
>
>
> * CVE-2016-2054: Buffer overflow in xymond handling of "config" command:
> The xymond daemon performs an unchecked copying of a user-supplied
> filename to a fixed-size buffer when handling a "config" command. This
> may be used to trigger a buffer overflow in xymond, possibly resulting
> in remote code execution and/or denial of service of the Xymon
> monitoring system. This code will run with the privileges of the xymon
> userid.
>
> This bug may be triggered by anyone with network access to the xymond
> service on port 1984, unless access has been restricted with the
> "--status-senders" option (a non-default configuration).
>
> This bug has been patched in Xymon 4.3.25.
>
>
> * CVE-2016-2055: Access to possibly confidential files in the Xymon
> configuration directory:
> The xymond daemon will allow anyone with network access to the xymond
> network port (1984) to download configuration files in the Xymon "etc"
> directory. In a default installation, the Apache htaccess file
> "xymonpasswd" controlling access to the administrator webpages is
> installed in this directory and is therefore available for download. The
> passwords in the file are hashed, but may then be brute-forced off-line.
>
> This bug may be triggered by anyone with network access to the xymond
> service on port 1984, unless access has been restricted with the
> "--status-senders" option (a non-default configuration).
>
> Administrators of existing installations should ensure that the
> xymonpasswd file is not readable by the userid running the xymond
> daemon. Permissions should be: Owner=webserver UID, group=webserver GID,
> mode rw-rw--- (600). This will be the default configuration starting
> with Xymon 4.3.25. In addition, the "config" command will only allow
> access to regular files. By default, only files ending in ".cfg" may be
> directly retrieved, although this can be overridden by the administrator,
> and config files may include other files and directories using existing
> directives.
>
> Alternatively, the file may be moved to a location outside the Xymon
> configuration directory. The Xymon cgioptions.cfg file must then be
> edited so CGI_USERADM_OPTS and CGI_CHPASSWD_OPTS include
> "--passwdfile=FILENAME".
>
>
> * CVE-2016-2056: Shell command injection in the "useradm" and "chpasswd"
> web applications:
> The useradm and chpasswd web applications may be used to administer
> passwords for user authentication in Xymon, acting as a web frontend to
> the Apache "htpasswd" application. The htpasswd command is invoked via a
> shell command, and it is therefore possible to inject arbitrary commands
> and have them executed with the privileges of the webserver (CGI) user.
>
> This bug can only be triggered by web users with access to the Xymon
> webpages, who are already authenticated as Xymon users. However, when
> combined with CVE-2016-xxxx which allows for off-line cracking of
> password hashes, this bug may be exploitable by others.
>
> This bug has been patched in Xymon 4.3.25.
>
>
> * CVE-2016-2057: Incorrect permissions on IPC queues used by the xymond
> daemon can bypass IP access filtering:
> An IPC message queue used by the xymon daemon is created with
> world-write permissions, allowing a local user on the Xymon master
> server to inject all types of messages into Xymon, bypassing any
> IP-based access controls.
>
> Exploitation of this bug requires local access to the Xymon master server.
>
> This bug has been patched in Xymon 4.3.25.
>
>
> * CVE-2016-2058: Javascript injection in "detailed status webpage" of
> monitoring items:
> A status-message sent from a Xymon client may contain any data,
> including HTML, which will be included on the "detailed status" page
> available via the Xymon status web interface. A malicious user may send a
> status message containing custom Javascript code, which will then be
> rendered in the browser of the user viewing the status page.
>
> Exploitation of this bug requires that you can control the contents of a
> status message sent to Xymon, which is possible if you control one of
> the servers monitored by Xymon, or the Xymon master server. Also, the
> bug requires a user to actually view the "detailed status" webpage.
>
> This bug has been patched in Xymon 4.3.25 by including a
> "Content-Security-Policy" HTTP header in the response sent to the
> browser. This means that older browsers may still be vulnerable to this
> issue.
>
>
> * CVE-2016-2058: XSS vulnerability via malformed acknowledgment messages:
> (Note that this uses the same CVE id as the Javascript injection issue)
> The message sent by a user to indicate acknowledgment of an alert is not
> HTML-escaped before being displayed on the status webpage, which may be
> used to trigger a cross-site scripting vulnerability.
>
> Exploitation of this bug requires that the attacker is able to
> acknowledge an alert status. This requires user-authenticated access to
> the Xymon webpages, or that the user receives a message (usually via
> e-mail) containing the authentication token for the acknowledgment.
>
> This bug has been patched in Xymon 4.3.25.
>
>
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
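As an added example, not taken from the announcement or from the Xymon project, here is a POSIX shell check for the xymonpasswd guidance above (owner and group of the web server, mode 660 = rw-rw----, unreadable by the account running xymond). It assumes a stat(1) that supports -c (GNU coreutils or busybox); the file path and the user and group names are supplied by the caller.

```shell
#!/bin/sh
# Added example (not part of the announcement or of Xymon): verify the
# CVE-2016-2055 hardening advice for the htpasswd file ("xymonpasswd").
# Expected layout: owner = web server user, group = web server group,
# mode 660 (rw-rw----), and the account running xymond must not be able
# to read it. Assumes a stat(1) that supports -c (GNU coreutils/busybox).

# check_xymonpasswd FILE WEB_USER WEB_GROUP XYMON_USER
# Returns 0 when the file matches the recommended layout, 1 otherwise,
# printing one line per finding on stderr.
check_xymonpasswd() {
    file=$1 web_user=$2 web_group=$3 xymon_user=$4
    rc=0
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 group=$3
    if [ "$mode" != "660" ]; then
        echo "$file: mode is $mode, expected 660" >&2; rc=1
    fi
    # Any read bit for "others" lets every local account, xymond included,
    # fetch the hashes for off-line cracking.
    case $mode in
        *[4567]) echo "$file: world-readable" >&2; rc=1 ;;
    esac
    if [ "$owner" != "$web_user" ]; then
        echo "$file: owner is $owner, expected $web_user" >&2; rc=1
    fi
    if [ "$group" != "$web_group" ]; then
        echo "$file: group is $group, expected $web_group" >&2; rc=1
    fi
    # Ownership or group membership would give the xymond account access
    # even with mode 660, reopening the download path the advisory describes.
    if [ "$owner" = "$xymon_user" ]; then
        echo "$file: owned by the xymond account $xymon_user" >&2; rc=1
    elif id -Gn "$xymon_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        echo "$file: xymond account $xymon_user is a member of group $group" >&2; rc=1
    fi
    return $rc
}

# Usage on a default install (path and names are placeholders for your site):
#   check_xymonpasswd /etc/xymon/xymonpasswd www-data www-data xymon
```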