oss-sec mailing list archives
Re: Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view)
From: Jonas Meurer <jonas () freesources org>
Date: Wed, 04 Sep 2013 13:45:33 +0200
Am 2013-09-04 11:03, schrieb Andreas Ericsson:
On 2013-09-04 10:31, Jonas Meurer wrote:Hey list and fellow Nagios developers,as you might have noticed, there's a discussion ongoing on oss-security[1]regarding bug report #456[2].I'm the one who discovered the described issue, and I still believe that it's a bug with security implications, even though not everyone seems tobe convinced. I'll try to give a brief description of the issue: The Nagios status.cgi (at all 3.4* and 4.0* versions I checked) leaks hostnames to unauthorized users as part of servicegroups. All ofservicegroup overview, summary and grid list each and every hostname that is part of a servicegroup, regardless whether the HTTP user is listed incontacts/contactgroups for this host. In my opinion this is a security issue - at least on multi-user (e.g. multi-customer) Nagios-setups. I guess that most ISPs which give their customers access to the Nagios CGIs don't want to provide a full list of monitored hosts to their customers as a side-effect.One reason for confusion is the following entry from Nagios3 changelog[3]:3.4.0 - 05/04/2012 ENHANCEMENTS [...] - Users can now see hostgroups and servicegroups that contain at least one host or service they are authorized for, instead of having to be authorized for them all (Ethan Galstad) The indisputable part of this change is, that users are allowed to see hostgroups and servicegroups with at least one authorized host or service. Unclear is, whether this means "group and all its group members", or "group and only authorized group members".It should mean "group and only authorized group members, except also hosts for services where one is authorized to see the service".
Ok, so if this was intended, then there indeed is a bug.
You can find my patch at the Nagios Issue Tracker.Ah, right. Care to provide a link? Mostly, I prefer to get patches to this mailing list, since I don't spend a lot of time hunting them down from the (underused) tracker.
Sure, my original mail already had it as footnote. Here you find patches for Nagios 3.4.4 and 4 (master from 26.06.2013): http://tracker.nagios.org/view.php?id=456
A comment about this issue by the Nagios Developers whould be highly appreciated. In case that the described (and critizised) behaviour of status.cgi is intended, the distribution security teams can move on.Well, it *was* by design, but now I'm changing the design. It's a good time for it, since 4.0 is about to come out. I think the security teams can move on and we'll consider this "changed" rather than "fixed" for 4.0, where we do some security tightening.
At least when I checked last (26.06.2013), Nagios 4 was still affected by the bug. Did you change the way status.cgi checks for authentication in the meantime? Kind regards, jonas
Current thread:
- Re: CVE request: unauthorized host/service views displayed in servicegroup view, (continued)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Vincent Danen (Aug 02)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Kurt Seifried (Aug 02)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Jonas Meurer (Aug 03)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Jonas Meurer (Aug 30)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Kurt Seifried (Sep 03)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Vincent Danen (Sep 03)
- Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Jonas Meurer (Sep 04)
- Re: Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Andreas Ericsson (Sep 04)
- Re: [Nagios-devel] [oss-security] Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Jochen Bern (Sep 04)
- Re: [Nagios-devel] [oss-security] Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Andreas Ericsson (Sep 04)
- Re: Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Jonas Meurer (Sep 04)
- Re: Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Jonas Meurer (Sep 04)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Vincent Danen (Aug 02)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Daniel Kahn Gillmor (Sep 04)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Vincent Danen (Sep 04)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view cve-assign (Sep 04)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Vincent Danen (Sep 04)
- Re: Re: CVE request: unauthorized host/service views displayed in servicegroup view Kurt Seifried (Sep 04)