Hi,
Salvatore Bonaccorso wrote:
> According to [1] xymon is vulnerable to ta file deletion
> vulnerability, which I have not further investigated. Forwarding this
> to the BTS. At first glance the impact is limited (according to
> mitigation factors section).
>
> Upstream commit fixing this issue is in r7199[2].
>
> [1] http://www.securityfocus.com/archive/1/527534/30/0/threaded
An excerpt from that posting:
| The attack requires access to the xymond network port (default: tcp
| port 1984).
|
| If access to administrative commands is limited by use of the
| "--admin-senders" option for the "xymond" daemon, then the attack is
| restricted to the commands sent from the IP-adresses listed in the
| --admin-senders access list. However, the default configuration
| permits these commands to be sent from any IP.
In understand it the way that calling xymond with passing a set of
controlled IP addresses (like only localhost and the external IP of
localhost) to --admin-senders mitigates the issue to a not-remote
vulnerability.
According to my investigations, all current Debian packages of
xymon ship "--admin-senders=127.0.0.1,$XYMONSERVERIP" in tasks.cfg
(>= 4.3.7-1) or "--admin-senders=127.0.0.1,$BBSERVERIP" in
hobbitlaunch.cfg (<< 4.3.7-1).
I've checked amd64 .debs for Squeeze, Wheezy/Jessie/Sid and
Experimental as well as the source packages of Wheezy/Jessie/Sid and
Experimental.
What puzzles me is that the relevant part, the
"--admin-senders=127.0.0.1,$XYMONSERVERIP" comes from upstream code.
Grepping through an unpacked upstream source tar ball of the latest
said to be vulnerable version:
xymon-4.3.11/xymond/etcfiles/tasks.cfg.DIST:
--admin-senders=127.0.0.1,$XYMONSERVERIP \
I would expect (but haven't checked) that this is the file which
upstream installs by default, too. And according to my minimal path
through upstreams build system, this is also the case.
Anyway, at least Debian's default config is based on that file and
hence IMO not remotely vulnerable with its default configuration.
Regards, Axel
--
,''`. | Axel Beckert <[email protected]>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
`- | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]