Re: Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view)

[Jonas Meurer <jonas () freesources org>]

Am 2013-09-04 11:03, schrieb Andreas Ericsson:
> On 2013-09-04 10:31, Jonas Meurer wrote:
> > Hey list and fellow Nagios developers,
> >
> > as you might have noticed, there's a discussion ongoing on 
> > oss-security[1]
> > regarding bug report #456[2].
> >
> > I'm the one who discovered the described issue, and I still believe 
> > that
> > it's a bug with security implications, even though not everyone seems 
> > to
> > be convinced.
> >
> > I'll try to give a brief description of the issue:
> >
> > The Nagios status.cgi (at all 3.4* and 4.0* versions I checked) leaks
> > hostnames to unauthorized users as part of servicegroups. All of
> > servicegroup overview, summary and grid list each and every hostname 
> > that
> > is part of a servicegroup, regardless whether the HTTP user is listed 
> > in
> > contacts/contactgroups for this host.
> >
> > In my opinion this is a security issue - at least on multi-user (e.g.
> > multi-customer) Nagios-setups. I guess that most ISPs which give their
> > customers access to the Nagios CGIs don't want to provide a full list
> > of monitored hosts to their customers as a side-effect.
> >
> > One reason for confusion is the following entry from Nagios3 
> > changelog[3]:
> >
> > 3.4.0 - 05/04/2012
> > ENHANCEMENTS
> > [...]
> > - Users can now see hostgroups and servicegroups that contain at least
> >    one host or service they are authorized for, instead of having to
> >    be authorized for them all (Ethan Galstad)
> >
> >
> > The indisputable part of this change is, that users are allowed to see
> > hostgroups and servicegroups with at least one authorized host or
> > service. Unclear is, whether this means "group and all its group
> > members", or "group and only authorized group members".
>
> It should mean "group and only authorized group members, except also
> hosts for services where one is authorized to see the service".

Ok, so if this was intended, then there indeed is a bug.

> > You can find my patch at the Nagios Issue Tracker.
>
> Ah, right. Care to provide a link? Mostly, I prefer to get patches to
> this mailing list, since I don't spend a lot of time hunting them down
> from the (underused) tracker.

Sure, my original mail already had it as footnote. Here you find patches
for Nagios 3.4.4 and 4 (master from 26.06.2013):

http://tracker.nagios.org/view.php?id=456

> > A comment about this issue by the Nagios Developers whould be highly
> > appreciated. In case that the described (and critizised) behaviour of
> > status.cgi is intended, the distribution security teams can move on.
>
> Well, it *was* by design, but now I'm changing the design. It's a good
> time for it, since 4.0 is about to come out. I think the security teams
> can move on and we'll consider this "changed" rather than "fixed" for
> 4.0, where we do some security tightening.

At least when I checked last (26.06.2013), Nagios 4 was still affected
by the bug. Did you change the way status.cgi checks for authentication
in the meantime?

Kind regards,
 jonas