[Xymon] Xymon 4.3.29 Released - Important Security Update

Japheth Cleaver cleaver at terabithia.org
Thu Jul 25 03:46:51 CEST 2019

On 7/24/2019 6:54 AM, Axel Beckert wrote:
> Hi,
> On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:
>> Although some of these overflows are not exploitable, others, including an
>> XSS vulnerability are.
> [...
>>    CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
>>    CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
> Can either you or Graham get a bit more into the details regarding the
> impact of any of these vulnerabilities — or point out a posting where
> they are explained in more detail? So far I wasn't able to dig up any
> posting or similar, e.g. by the Cambridge CSIRT or Graham.
> Currently the severity as well as the actual impact of these issues is
> quite unclear — also because the CVE-IDs all still say "RESERVED".
> 		Regards, Axel

CSIRT may still have a write-up pending on these, but it is believed 
that the only impact are segfaults when passed in invalid/overflow 
input. This is typically a hostsvc being parsed and assigned to a 
PATH_MAX-sized variable via sprintf rather than snprintf. The buffer 
overflow occurs, but it is not being passed unprocessed to a shell. In 
some cases passed parameters are passed through html quoting, thereby 
exceeding intended size through " " -> " " inflation, which leads 
to a buffer overflow when (unsafely) assigning to error output.

There was an initial concern about unparsed input being handed to 
xymongen during report generation, however this is passed as a single 
execv argument rather than via shell processing. This could lead to 
erroneous xymongen resource use by anyone with access to 
/xymon-seccgi/report.sh, however the same could be said for any 
(legitimate) access here.

The XSS (CVE-2019-13274) is trivially exploitable by attempting to pass 
javascript through the db parameter to csvinfo.sh.

Beyond the CVE's, we wanted to try to remove a large number of sprintf 
uses (especially in the web and lib code) to help potentially reduce 
future issues.


More information about the Xymon mailing list