Hello all,
Xymon 4.3.25 has been released and is now available for download
at https://sourceforge.net/projects/xymon/
Version 4.3.25 includes fixes for several security issues in the
server component of the Xymon monitoring system, which are further
detailed below. In addition, there are several other feature
additions, and several bug fixes and reliability improvements.
Full release notes and a Changelog are available at
https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/
These issues affect all versions of Xymon 4.3.x prior to 4.3.25, as
well as the obsolete 4.1.x and 4.2.x versions. All Xymon users are
strongly encouraged to upgrade their server component.
We would like to greatly thank Markus Krell for his responsible
reporting of these issues and for his assistance in testing their
resolution.
And as always, thank you to everyone who has contributed code or
submitted feature suggestions or bug reports to the Xymon project.
Regards,
Japheth "J.C." Cleaver Xymon 4.x Maintainer
* CVE-2016-2054: Buffer overflow in xymond handling of "config"
command: The xymond daemon performs an unchecked copying of a
user-supplied filename to a fixed-size buffer when handling a
"config" command. This may be used to trigger a buffer overflow in
xymond, possibly resulting in remote code execution and/or denial
of service of the Xymon monitoring system. This code will run with
the privileges of the xymon userid.
This bug may be triggered by anyone with network access to the
xymond service on port 1984, unless access has been restricted with
the "--status-senders" option (a non-default configuration).
This bug has been patched in Xymon 4.3.25.
* CVE-2016-2055: Access to possibly confidential files in the
Xymon configuration directory: The xymond daemon will allow anyone
with network access to the xymond network port (1984) to download
configuration files in the Xymon "etc" directory. In a default
installation, the Apache htaccess file "xymonpasswd" controlling
access to the administrator webpages is installed in this directory
and is therefore available for download. The passwords in the file
are hashed, but may then be brute-forced off-line.
This bug may be triggered by anyone with network access to the
xymond service on port 1984, unless access has been restricted with
the "--status-senders" option (a non-default configuration).
Administrators of existing installations should ensure that the
xymonpasswd file is not readable by the userid running the xymond
daemon. Permissions should be: Owner=webserver UID, group=webserver
GID, mode rw-rw--- (600). This will be the default configuration
starting with Xymon 4.3.25. In addition, the "config" command will
only allow access to regular files. By default, only files ending
in ".cfg" may be directly retrieved, although this can be
overridden by the administrator, and config files may include other
files and directories using existing directives.
Alternatively, the file may be moved to a location outside the
Xymon configuration directory. The Xymon cgioptions.cfg file must
then be edited so CGI_USERADM_OPTS and CGI_CHPASSWD_OPTS include
"--passwdfile=FILENAME".
* CVE-2016-2056: Shell command injection in the "useradm" and
"chpasswd" web applications: The useradm and chpasswd web
applications may be used to administer passwords for user
authentication in Xymon, acting as a web frontend to the Apache
"htpasswd" application. The htpasswd command is invoked via a shell
command, and it is therefore possible to inject arbitrary commands
and have them executed with the privileges of the webserver (CGI)
user.
This bug can only be triggered by web users with access to the
Xymon webpages, who are already authenticated as Xymon users.
However, when combined with CVE-2016-xxxx which allows for off-line
cracking of password hashes, this bug may be exploitable by
others.
This bug has been patched in Xymon 4.3.25.
* CVE-2016-2057: Incorrect permissions on IPC queues used by the
xymond daemon can bypass IP access filtering: An IPC message queue
used by the xymon daemon is created with world-write permissions,
allowing a local user on the Xymon master server to inject all
types of messages into Xymon, bypassing any IP-based access
controls.
Exploitation of this bug requires local access to the Xymon master
server.
This bug has been patched in Xymon 4.3.25.
* CVE-2016-2058: Javascript injection in "detailed status webpage"
of monitoring items: A status-message sent from a Xymon client may
contain any data, including HTML, which will be included on the
"detailed status" page available via the Xymon status webinterface.
A malicious user may send a status message containing custom
Javascript code, which will then be rendered in the browser of the
user viewing the status page.
Exploitation of this bug requires that you can control the contents
of a status message sent to Xymon, which is possible if you control
one of the servers monitored by Xymon, or the Xymon master server.
Also, the bug requires a user to actually view the "detailed
status" webpage.
This bug has been patched in Xymon 4.3.25 by including a
"Content-Security-Policy" HTTP header in the response sent to the
browser. This means that older browsers may still be vulnerable to
this issue.
* CVE-2016-2058: XSS vulnerability via malformed acknowledgment
messages: (Note that this uses the same CVE id as the Javascript
injection issue) The message sent by a user to indicate
acknowledgment of an alert is not HTML-escaped before being
displayed on the status webpage, which may be used to trigger a
cross-site scripting vulnerability.
Exploitation of this bug requires that the attacker is able to
acknowledge an alert status. This requires user-authenticated
access to the Xymon webpages, or that the user receives a message
(usually via e-mail) containing the authentication token for the
acknowledgment.
This bug has been patched in Xymon 4.3.25.