Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130726082719.GA9759@elende>
Date: Fri, 26 Jul 2013 10:27:20 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: henrik@...n.dk
Subject: CVE Request: Xymon Systems and Network Monitor - remote file
 deletion vulnerability

Hi Kurt

Henrik Størner (CC'ed) announced on xymon mailinglist and bugtraq an
update for Xymon, a systems and network monitor. xymon is vulnerable
to a remote file deletion vulnerability (see attached full announce
text).

Upstream commit fixing the issue is at [1].

 [1] http://sourceforge.net/p/xymon/code/7199/

Can a CVE be assigned to this issue?

Regards,
Salvatore

----- Forwarded message from Henrik Størner <henrik@...n.dk> -----

Hi,

a security vulnerability has been found in version 4.x of the Xymon
Systems & Network Monitor tool
(https://sourceforge.net/projects/xymon/).


Impact
------
The error permits a remote attacker to delete files on the server
running the Xymon trend-data daemon "xymond_rrd". File deletion is
done with the privileges of the user that Xymon is running with, so it
is limited to files available to the userid running the Xymon service.
This includes all historical data stored by the Xymon monitoring
system.


Vulnerable versions
-------------------
All Xymon 4.x versions prior to 4.3.12 with the xymond_rrd module
enabled (this is the default configuration).

Note that Xymon was called "Hobbit" from version 4.0 to 4.2; all of
the "Hobbit" versions are also vulnerable.


Mitigating factors
------------------
The attack requires access to the xymond network port (default: tcp
port 1984).

If access to administrative commands is limited by use of the
"--admin-senders" option for the "xymond" daemon, then the attack is
restricted to the commands sent from the IP-adresses listed in the
--admin-senders access list. However, the default configuration
permits these commands to be sent from any IP.

Systems where xymond_rrd is disabled are not vulnerable, but this is
not the default configuration.


Details
-------
Xymon stores historical data, trend-data etc. for each monitored host
in a set of directories below the Xymon "server/data/" directory. Each
monitored host has a set of directories named by the hostname.

When a host is no longer monitored, the data stored for the host can
be removed by sending a "drop HOSTNAME" command to the Xymon master
daemon. This is forwarded to xymond_rrd and other modules which then
handle deleting various parts of the stored data, essentially by
performing the equivalent of "rm -rf
<xymondatadirectory>/rrd/HOSTNAME". In the vulnerable versions of
Xymon, the hostname sent to xymond was used without any checking, so a
hostname could include one or more "../" sequences to delete files
outside the intended directory.

There are other modules that delete files in response to a "drophost"
command, but for various reasons these are not vulnerable to the
attack.


Credit and timeline
-------------------
The bug was discovered by "cleaver" during investigation of a bug
originally reported to the Xymon mailing list on July 17 -
http://lists.xymon.com/archive/2013-July/037838.html - and I was
notified via private e-mail on July 21st when it was realized to be a
security related issue.

A bugfix - r7199 - was committed to the Sourceforge SVN code
repository on July 23rd, and version 4.3.12 was released on July 24th.


Henrik Størner
Xymon developer

----- End forwarded message -----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.