[Xymon] Xymon security concern raised

Sean MacGuire sean at maclawran.ca
Sat Dec 8 08:13:46 CET 2012


Oddly enough, since writing BB in 1995, I've never seen this exploited.

I also don't think it could cause you to drop tests (or rrd data for
that matter).

I think the worst thing that could be done is to just put a
machine in 'maintenance mode' and then exploit it using a
rootkit or something which might essentially "turn off the
alarm".

To combat this I implemented a new BB message, bbcrypto - which
used a system of shared secrets on clients and servers - for Henrik
or anyone else that wants to code it, here's how it works:

1. If a "secret file" exists on the client for the server, then
    encrypt the file using the secret (in the file) via blowfish,
    then wrap it with the 'bbcrypto' keyword.

2. On the server side, if you see a 'bbcrypto' message, use the
    shared secret in the 'secret file' to decrypt the message, once
    decrypted, process it like a normal BB/Xymon message.

Just so people don't freak out :)


Shawn Heisey wrote:
> On 12/5/2012 1:38 PM, Novosielski, Ryan wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> My understanding is that it's fairly easy to do, also. I don't know if
>> having a proxy in between helps at all or any of that, but my
>> understanding is that what's sent is fairly simple and plain text (I
>> believe there's info about the protocol in the manual).
>>
>> That said, I'm not 100% sure what nefarious thing someone could do
>> with that information. I guess they could open the rlogin port or
>> something and then send a status message to indicate it's still closed?
> 
> Nefarious users can create false alarms that must be investigated.  They 
> can "drop" your host entries and therefore wipe out incredible amounts 
> of RRD graph history.  If you have tests with delayed notification, it 
> would be possible to prevent notifications on real alarm conditions.  
> There are probably other nasty things I haven't thought of.
> 
> Thanks,
> Shawn

-- 
Sean MacGuire                                 sean at maclawran.ca

Key West                                        +1 305 390 0888
The best way to predict the future is to invent it. -  Alan Kay
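
The two steps in the message above, sketched as an added example (not code from the original post, BB, or Xymon). It swaps the Blowfish encryption for an HMAC-SHA256 tag from the Python standard library, so it authenticates the message but does not hide it. The framing after the `bbcrypto` keyword, the `SECRETS` table, the `claimed_host` parser and the plain-message policy are assumptions; the post does not specify them.

```python
import base64
import hashlib
import hmac

KEYWORD = "bbcrypto"  # keyword from the post; the framing after it is assumed
# Constructed secret, standing in for the contents of a "secret file".
SECRETS = {"web01": b"constructed-shared-secret"}

def _tag(secret, host, body):
    return hmac.new(secret, f"{host} {body}".encode(), hashlib.sha256).hexdigest()

def claimed_host(message):
    # Simplified for the constructed samples: second token is HOST or HOST.TEST.
    parts = message.split()
    return parts[1].split(".", 1)[0] if len(parts) > 1 else None

def wrap(host, message, secrets=SECRETS):
    """Client: wrap only when a secret exists for this host (step 1)."""
    secret = secrets.get(host)
    if secret is None:
        return message
    body = base64.b64encode(message.encode()).decode()
    return f"{KEYWORD} {host} {_tag(secret, host, body)} {body}"

def receive(raw, secrets=SECRETS):
    """Server: return the message to process, or None to discard (step 2)."""
    if not raw.startswith(KEYWORD + " "):
        # Assumed policy: plain messages are accepted only for hosts that
        # have no secret on file, so wrapping cannot simply be skipped.
        return None if claimed_host(raw) in secrets else raw
    parts = raw.split(" ", 3)
    if len(parts) != 4:
        return None
    _, host, tag, body = parts
    secret = secrets.get(host)
    if secret is None:
        return None
    if not hmac.compare_digest(tag.encode(), _tag(secret, host, body).encode()):
        return None
    try:
        message = base64.b64decode(body, validate=True).decode()
    except ValueError:
        return None
    # The secret only vouches for messages about its own host.
    return message if claimed_host(message) == host else None
```

This framing carries no timestamp or counter, so a captured wrapped message would still verify if it were sent again.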


