Xymon 4.3.12 released

list Bill Arlofski
Tue, 30 Jul 2013 08:01:10 -0400
Message-Id: <user-6fb61058fd5d@xymon.invalid>

On 07/27/13 03:53, Axel Beckert wrote:
Hi Henrik,

On Fri, Jul 26, 2013 at 10:34:21AM +0200, Axel Beckert wrote:
On Thu, Jul 25, 2013 at 06:09:40PM +0200, Henrik Størner wrote:
Does a CVE id exist for that vulnerability?
No. I suppose I could figure out how to request one - unless someone
else already knows how ?
I requested one via the Debian Security Team.
CVE-2013-4173[1] has been assigned to this issue. Thanks to Salvatore
Bonaccorso for his help.

 [1] http://article.gmane.org/gmane.comp.security.oss.general/10728

In case you want to request one yourself next time, see
https://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
for instructions.

		Kind regards, Axel Beckert
Hi Axel, Henrik


I noticed in the CVE link provided the following:

--[snip]--
If access to administrative commands is limited by use of the
"--admin-senders" option for the "xymond" daemon, then the attack
is restricted to the commands sent from the IP addresses listed in
the --admin-senders access list. However, the default
configuration permits these commands to be sent from any IP.
--[snip]--

However, I checked several Xymon and Hobbit installations that we manage and
each of them has the --admin-senders=127.0.0.1,$BBSERVERIP (for hobbit) and
--admin-senders=127.0.0.1,$XYMONSERVERIP (for xymon) set.

I know for a fact that these settings were not manually added to the xymond
daemon CMDs on our servers, so this appears to be the default, which means
that by default Xymon (and Hobbit) systems are "not vulnerable."

Am I missing something?

Thanks!

-- 
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
-- Not responsible for anything below this line --
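The question in this message comes down to whether the running xymond actually carries an `--admin-senders` list, and what that list resolves to once `$XYMONSERVERIP` (or `$BBSERVERIP` on Hobbit) is expanded. The following script is an added example, not code from the thread or from the Xymon project: it reads a tasks.cfg-style file (assumed here to use `[name]` blocks with `CMD` lines, as xymonlaunch's configuration does), pulls the `--admin-senders` value from the `[xymond]` block, expands `$VAR` references from a supplied environment, and reports whether administrative commands are restricted and whether any entry is left unresolved (an unresolved variable would never match a real sender). The sample configuration and environment values embedded below are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample tasks.cfg fragment (hypothetical paths and values),
# in the shape the thread describes: --admin-senders=127.0.0.1,$XYMONSERVERIP
SAMPLE_TASKS_CFG = """\
[xymond]
    ENVFILE $XYMONHOME/etc/xymonserver.cfg
    CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid --log=$XYMONSERVERLOGS/xymond.log --admin-senders=127.0.0.1,$XYMONSERVERIP

[xymond_history]
    ENVFILE $XYMONHOME/etc/xymonserver.cfg
    NEEDS xymond
    CMD xymond_channel --channel=stachg xymond_history
"""

# Constructed environment standing in for what xymonserver.cfg would define.
SAMPLE_ENV = {
    "XYMONSERVERIP": "192.0.2.10",
    "XYMONSERVERLOGS": "/var/log/xymon",
    "XYMONHOME": "/usr/lib/xymon/server",
}


def find_task_cmd(cfg_text: str, task: str) -> Optional[str]:
    """Return the CMD line of the [task] block, or None if the block or CMD is missing."""
    current = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\S+)\]$", line)
        if header:
            current = header.group(1)
            continue
        if current == task and line.startswith("CMD "):
            return line[4:].strip()
    return None


def expand_vars(text: str, env: Dict[str, str]) -> str:
    """Expand $NAME and ${NAME} references; names missing from env are left untouched."""
    def sub(m: re.Match) -> str:
        name = m.group(1) or m.group(2)
        return env.get(name, m.group(0))
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", sub, text)


def admin_senders(cmd: Optional[str], env: Dict[str, str]) -> Optional[List[str]]:
    """Return the expanded --admin-senders entries, or None if the option is absent."""
    if cmd is None:
        return None
    m = re.search(r"--admin-senders=(\S+)", cmd)
    if not m:
        return None
    return [entry for entry in expand_vars(m.group(1), env).split(",") if entry]


def assess(cfg_text: str, env: Dict[str, str]) -> dict:
    """Classify the xymond task: restricted (list present) or open to any sender."""
    senders = admin_senders(find_task_cmd(cfg_text, "xymond"), env)
    if senders is None:
        return {
            "restricted": False,
            "senders": [],
            "unresolved": [],
            "note": "--admin-senders absent: administrative commands accepted from any IP",
        }
    # Entries still starting with '$' mean the variable was not defined in the
    # environment xymond runs with; such an entry can never match a real sender.
    unresolved = [s for s in senders if s.startswith("$")]
    return {
        "restricted": True,
        "senders": senders,
        "unresolved": unresolved,
        "note": "--admin-senders present",
    }


if __name__ == "__main__":
    print(assess(SAMPLE_TASKS_CFG, SAMPLE_ENV))
    print(assess(SAMPLE_TASKS_CFG, {}))  # shows the unresolved-variable case
```

To check a real installation, read the actual tasks.cfg (or the Hobbit equivalent) instead of `SAMPLE_TASKS_CFG` and build `env` from the variables the launcher exports, then confirm the reported sender list contains only the loopback address and the server's own IP.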