EGI SVG Advisories

========================================================================
                             EGEE Operational Security Coordination Team

Topic:   Alert on the Nagios statuswml.cgi remote command execution
Date:    July 9th 2009
URL:     http://cern.ch/osct/alerts/nagios-09-07-2009.txt


Background
----------

Nagios is a powerful monitoring system that enables organizations to
identify and resolve IT infrastructure problems before they affect
critical business processes [1].

At the context of the EGEE, Nagios is used as the supplemental part of
the EGEE SA1 OAT monitoring suite [2] (with the own version of Nagios
that is supplied by the OAT repositories [3]), but it is not unusual for
an EGEE site to run own Nagios instance for the fabric monitoring.


Vulnerability description
-------------------------

It was discovered (see [4] and [5]) that WAP/WML interface
(statuswml.cgi) allows authorized users to run arbitrary commands in the
context of the Nagios Web server process; this vulnerability exists due
to the lack of input sanitizing before running external commands like
'ping' and 'traceroute'.

The vulnerability was fixed in the vendor version 3.1.1 [6].


Vulnerability impact
--------------------

Any user who is authorized to access statuswml.cgi can run arbitrary
commands as the Web server user.

In the context of EGEE SA1 OAT monitoring suite, authorization is given
by means of checking if user's X.509 certificate is issued by one of the
recognized certification authorities and testing if user belongs to one
of the virtual organizations that are authorized to view the Nagios data
for the particular Nagios OAT installation (VOS parameter in YAIM
configuration).  This means that virtually any entity possessing valid
certificate from one of the IGTF-accredited certification authorities
and having membership in one of the supported virtual organizations can
exploit this vulnerability.

We can not say how authorization works in other Nagios installations,
because it is up to the site, but in default configuration, access to
the WAP/WML interface requires the same level of authorization as the
read-only access to the main Nagios status pages.


OSCT recommendations
--------------------

OSCT recommends to upgrade Nagios to the version >= 3.1.1 if it is
possible.

The latest Nagios releases (3.0.6-1.el4.rf.4.oat and
3.0.6-1.el5.rf.4.oat) supplied by the EGEE SA1 OAT repositories at
  http://www.sysadmin.hep.ac.uk/rpms/egee-SA1/sl4/
  http://www.sysadmin.hep.ac.uk/rpms/egee-SA1/sl5/
also have a workaround for this issue -- they just contain no WAP/WML
interface CGI.  Users of these repositories should receive the fixes
automatically with the update of OAT metapackage egee-NAGIOS to
the version 1.0.0-26.

The said Nagios release from the EGEE SA1 OAT repositories can also be
used for non-EGEE monitoring, since popular third-party repositories
(for example, DAG RPMs) still have the vulnerable version.  Repository
configurations for YUM can be obtained from
  http://www.sysadmin.hep.ac.uk/rpms/egee-SA1/sl4/egee-SA1.repo
  http://www.sysadmin.hep.ac.uk/rpms/egee-SA1/sl5/egee-SA1.repo
for RHEL (and compatibles), versions 4 and 5 respectively.

In order to prevent the users to access the vulnerable statuswml.cgi
script OSCT recommends to deny any access to the said CGI script until
Nagios instance will be upgraded to the non-vulnerable version.

For users running Nagios Web interface with Apache httpd server, the
simplest configuration that fully denies the access is the following
one:

<Files statuswml.cgi>
  Order allow,deny
  Deny from all
</Files>

This block should be placed to the 'Directory' contained that
corresponds to the Nagios cgi-bin directory.

Please, consult the corresponding manuals to understand how to block
access to the mentioned CGI script for the Web server software other
than Apache httpd.


References
----------

[1] http://www.nagios.org/
[2] https://twiki.cern.ch/twiki/bin/view/EGEE/GridMonitoringNcgYaim
[3] http://www.sysadmin.hep.ac.uk/rpms/egee-SA1/
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2288
[5] http://www.securityfocus.com/bid/35464/
[6] http://www.nagios.org/development/history/core-3x/
========================================================================