Re: CVE request: unauthorized host/service views displayed in servicegroup view

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/26/2013 01:42 PM, Kurt Seifried wrote:
> On 06/26/2013 12:36 PM, Vincent Danen wrote:
> > I don't believe a CVE has been assigned to this issue yet.
>
> > It was reported that Nagios 3.4.4 at least, and possibly earlier
> >  versions, would allow users with access to Nagios to obtain
> > full access to the servicegroup overview, even if they are not 
> > authorized to view all of the systems (not configured for this 
> > ability in the authorized_for_* configuration option).  This 
> > includes the servicegroup overview, summary, and grid.
>
> > Provided the user has access to view some services, they will be 
> > able to see all services (including those they should not see). 
> > Note that the user in question must have access to some services 
> > and must have access to Nagios to begin with.
>
> > This has not yet been corrected upstream.
>
> > References:
>
> > http://www.mail-archive.com/nagios-users () lists sourceforge net/msg39749.html
>
> >  http://tracker.nagios.org/view.php?id=456 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714171 
> > https://bugzilla.redhat.com/show_bug.cgi?id=978531
>
>
> > Thanks.
>
> Please use CVE-2013-2214 for this issue.

It appears there are may be some problems with this issue, potentially
this may have been a bad configuration and not a source code based
problem, however we haven't been able to confirm it yet. I've also not
been able to contact upstream about this easily (no security@ address,
if anyone know whom to forward this to, please let me know, thanks.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR2wHiAAoJEBYNRVNeJnmTs/0QAMMyuwkHenEjvSiMEOdT/tbD
Mitf+HiLRLntvjW1EXhebWxgiv6xWpRS76pN+sHrzFGPIq0rgvWYKVEl8RCBQRAw
SJcXtsBmFYuIJurQclNXd/IzGrM8mUGZoNp/9Pfe/WT+gWdlDO0bnIdnRIDF03QD
4AOsVpdWcXBjFgdAky01fJxQUUIi5VZAa3HrEDHrr/Fb4RZcaFo2zXPfMI/4075v
LJZ6LZkCx/TdzS8X9KeKk/pZ1xjtuuB+f4AS7NOK870wX4KTbnswb8AWxGy83njJ
F2feI/GGhSUGVmis6ga2s7VnaeksofPBPnOQStUmWDVpXfWxyjaAqs1+GYL6I/y8
rMc5/6k+fsoSSUcG2lVgekc4fonWG9n+/dC6tWNZ50miwK3gfqonAIg+OzClk9wz
t4SVpoaRts8rKpgx1K9AoUU4Oupwi3OZgmYmo89rgQlA40Fyozq7+kNoqv2r2UNb
ZiYY+aPNrPpmQPdZtjqizvow1i4RDcJ6ACYApw3f6ukjvK8BHUWTr4YERjOIRESK
w4oTgurswASOBif1LlKbIKwzbqZQr8e9nlRlpr5o74T7mwuWY26ZGawvY59jj+T6
ehu+j/4/oqr6oXuv8a+QWczqE/784jOaIGbDJ5HUuEcNyL8IA5NR39m9W0cfb+g4
duXD5YZitwgywViO2C75
=P9k9
-----END PGP SIGNATURE-----