xymon: CVE-2013-4173: remote file deletion vulnerability

Related Vulnerabilities: CVE-2013-4173  

Debian Bug report logs - #717895


Package: xymon; Maintainer for xymon is Christoph Berg <myon@debian.org>; Source for xymon is src:xymon (PTS, buildd, popcon).

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 26 Jul 2013 08:21:06 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Fixed in version xymon/4.3.17-1

Done: Axel Beckert <abe@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Berg <myon@debian.org>:
Bug#717895; Package xymon. (Fri, 26 Jul 2013 08:21:10 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Berg <myon@debian.org>. (Fri, 26 Jul 2013 08:21:10 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xymon: remote file deletion vulnerability
Date: Fri, 26 Jul 2013 10:19:52 +0200
Package: xymon
Severity: important
Tags: security upstream

Hi Christoph

According to [1] xymon is vulnerable to a file deletion
vulnerability, which I have not further investigated. Forwarding this
to the BTS. At first glance the impact is limited (according to
mitigation factors section).

Upstream commit fixing this issue is in r7199[2].

 [1] http://www.securityfocus.com/archive/1/527534/30/0/threaded
 [2] http://sourceforge.net/p/xymon/code/7199/

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#717895; Package xymon. (Fri, 26 Jul 2013 08:36:07 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Fri, 26 Jul 2013 08:36:07 GMT) (full text, mbox, link).


Message #10 received at 717895@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 717895@bugs.debian.org
Subject: Re: Bug#717895: xymon: remote file deletion vulnerability
Date: Fri, 26 Jul 2013 10:32:30 +0200
Hi Salvatore,

Salvatore Bonaccorso wrote:
> According to [1] xymon is vulnerable to a file deletion
> vulnerability, which I have not further investigated.

Yep, also has been announced upstream and I checked with upstream. All
versions in Debian are said to be vulnerable.

For experimental, the fixed 4.3.12 is already in Git, but not yet
tested and hence not yet uploaded.

>  [1] http://www.securityfocus.com/archive/1/527534/30/0/threaded

I already asked upstream for a CVE id, but they don't have one yet[2].
Can you get one?

[2] http://lists.xymon.com/pipermail/xymon/2013-July/037909.html

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#717895; Package xymon. (Fri, 26 Jul 2013 08:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Fri, 26 Jul 2013 08:57:04 GMT) (full text, mbox, link).


Message #15 received at 717895@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Axel Beckert <abe@debian.org>
Cc: 717895@bugs.debian.org
Subject: Re: Bug#717895: xymon: remote file deletion vulnerability
Date: Fri, 26 Jul 2013 10:52:21 +0200
Hi Axel,

On Fri, Jul 26, 2013 at 10:32:30AM +0200, Axel Beckert wrote:
> Salvatore Bonaccorso wrote:
> > According to [1] xymon is vulnerable to a file deletion
> > vulnerability, which I have not further investigated.
> 
> Yep, also has been announced upstream and I checked with upstream. All
> versions in Debian are said to be vulnerable.
> 
> For experimental, the fixed 4.3.12 is already in Git, but not yet
> tested and hence not yet uploaded.
> 
> >  [1] http://www.securityfocus.com/archive/1/527534/30/0/threaded

Ok, thanks for already checking all versions.

> I already asked upstream for a CVE id, but they don't have one yet[2].
> Can you get one?
> 
> [2] http://lists.xymon.com/pipermail/xymon/2013-July/037909.html

Yes, I have just requested one, see [1]. Will forward it to you as soon
as it is assigned. If upstream wants to get CVEs themselves you can give [2] to
them? (Debian can also assign CVEs, but only if the issue is not yet
public, to avoid duplication)

 [1] http://www.openwall.com/lists/oss-security/2013/07/26/3
 [2] https://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#717895; Package xymon. (Fri, 26 Jul 2013 13:45:07 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Fri, 26 Jul 2013 13:45:07 GMT) (full text, mbox, link).


Message #20 received at 717895@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 717895@bugs.debian.org
Subject: Re: Bug#717895: xymon: remote file deletion vulnerability
Date: Fri, 26 Jul 2013 15:42:13 +0200
Hi,

Salvatore Bonaccorso wrote:
> According to [1] xymon is vulnerable to a file deletion
> vulnerability, which I have not further investigated. Forwarding this
> to the BTS. At first glance the impact is limited (according to
> mitigation factors section).
> 
> Upstream commit fixing this issue is in r7199[2].
> 
>  [1] http://www.securityfocus.com/archive/1/527534/30/0/threaded

An excerpt from that posting:

| The attack requires access to the xymond network port (default: tcp
| port 1984).
| 
| If access to administrative commands is limited by use of the
| "--admin-senders" option for the "xymond" daemon, then the attack is
| restricted to the commands sent from the IP-adresses listed in the
| --admin-senders access list. However, the default configuration
| permits these commands to be sent from any IP.

I understand it the way that calling xymond, passing a set of
controlled IP addresses (like only localhost and the external IP of
localhost) to --admin-senders, mitigates the issue to a non-remote
vulnerability.

According to my investigations, all current Debian packages of
xymon ship "--admin-senders=127.0.0.1,$XYMONSERVERIP" in tasks.cfg
(>= 4.3.7-1) or "--admin-senders=127.0.0.1,$BBSERVERIP" in
hobbitlaunch.cfg (<< 4.3.7-1).

I've checked amd64 .debs for Squeeze, Wheezy/Jessie/Sid and
Experimental as well as the source packages of Wheezy/Jessie/Sid and
Experimental.

What puzzles me is that the relevant part, the
"--admin-senders=127.0.0.1,$XYMONSERVERIP" comes from upstream code.
Grepping through an unpacked upstream source tar ball of the latest
said to be vulnerable version:

xymon-4.3.11/xymond/etcfiles/tasks.cfg.DIST:         --admin-senders=127.0.0.1,$XYMONSERVERIP \

I would expect (but haven't checked) that this is the file which
upstream installs by default, too. And according to my minimal path
through upstream's build system, this is also the case.

Anyway, at least Debian's default config is based on that file and
hence IMO not remotely vulnerable with its default configuration.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
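As an added check (not code from this thread or from the xymon project): a small POSIX shell audit that applies the reasoning above to a tasks.cfg or hobbitlaunch.cfg, reporting whether the xymond CMD entry carries --admin-senders. The sample stanzas are constructed stand-ins, and the --pidfile option in them is an assumption.

```shell
#!/bin/sh
# Added audit helper (not part of xymon or the Debian package): reports
# whether the xymond task in tasks.cfg / hobbitlaunch.cfg restricts admin
# commands with --admin-senders, the mitigation discussed in the thread.

# Constructed minimal stand-in for the Debian tasks.cfg xymond stanza with
# the default restriction the thread found (other options omitted;
# --pidfile is assumed here, not taken from the thread).
write_restricted_cfg() {
  cat >"$1" <<'EOF'
[xymond]
	CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid \
		--admin-senders=127.0.0.1,$XYMONSERVERIP
EOF
}

# Constructed stanza with the option removed: xymond then accepts admin
# commands from any IP that can reach its port (default tcp/1984).
write_unrestricted_cfg() {
  cat >"$1" <<'EOF'
[xymond]
	CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid
EOF
}

# Print the value of every --admin-senders option in the file, one per line,
# after joining backslash-continued lines so multi-line CMD entries work.
# Prints nothing when the option is absent.
admin_senders() {
  sed -e :a -e '/\\$/N; s/\\\n[[:space:]]*/ /; ta' "$1" \
    | grep -o -- '--admin-senders=[^[:space:]]*' \
    | sed 's/^--admin-senders=//'
}

# Exit 0 when admin senders are restricted to an explicit list, 1 when the
# option is missing or empty (the configuration the advisory excerpt
# describes as attackable from any IP).
check_admin_senders() {
  senders=$(admin_senders "$1")
  if [ -z "$senders" ]; then
    echo "UNRESTRICTED: no --admin-senders for xymond in $1" >&2
    return 1
  fi
  echo "admin commands restricted to: $senders"
}

# Usage: ./audit-admin-senders.sh /etc/xymon/tasks.cfg
if [ -n "${1:-}" ]; then check_admin_senders "$1"; fi
```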



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#717895; Package xymon. (Fri, 26 Jul 2013 17:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Fri, 26 Jul 2013 17:51:05 GMT) (full text, mbox, link).


Message #25 received at 717895@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Axel Beckert <abe@debian.org>, 717895@bugs.debian.org
Subject: Re: Bug#717895: xymon: remote file deletion vulnerability
Date: Fri, 26 Jul 2013 19:49:37 +0200
Hi Axel,

On Fri, Jul 26, 2013 at 03:42:13PM +0200, Axel Beckert wrote:
> Anyway, at least Debian's default config is based on that file and
> hence IMO not remotely vulnerable with its default configuration.

Agreed (also after checking the wheezy package).

It would still be good to patch (or to update to the new upstream version
when possible) for the missing basename call, making hobbit also safe
against the remote deletion vulnerability in non-default setups (and
possibly through a proposed-update for stable and oldstable).

Possibly also for stable and oldstable through a proposed-updates.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#717895; Package xymon. (Sat, 27 Jul 2013 07:54:24 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Sat, 27 Jul 2013 07:54:24 GMT) (full text, mbox, link).


Message #30 received at 717895@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 717895@bugs.debian.org
Cc: Axel Beckert <abe@debian.org>
Subject: Re: Bug#717895: xymon: remote file deletion vulnerability
Date: Sat, 27 Jul 2013 09:23:39 +0200
Control: retitle -1 xymon: CVE-2013-4173: remote file deletion vulnerability

Hi Axel,

On Fri, Jul 26, 2013 at 10:52:21AM +0200, Salvatore Bonaccorso wrote:
> On Fri, Jul 26, 2013 at 10:32:30AM +0200, Axel Beckert wrote:
> > I already asked upstream for a CVE id, but they don't have one yet[2].
> > Can you get one?
> > 
> > [2] http://lists.xymon.com/pipermail/xymon/2013-July/037909.html
> 
> Yes, I have just requested one, see [1]. Will forward it to you as soon
> as it is assigned. If upstream wants to get CVEs themselves you can give [2] to
> them? (Debian can also assign CVEs, but only if the issue is not yet
> public, to avoid duplication)

CVE-2013-4173[1] was now assigned to this issue.

 [1] http://article.gmane.org/gmane.comp.security.oss.general/10728

Regards,
Salvatore



Changed Bug title to 'xymon: CVE-2013-4173: remote file deletion vulnerability' from 'xymon: remote file deletion vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to 717895-submit@bugs.debian.org. (Sat, 27 Jul 2013 07:54:24 GMT) (full text, mbox, link).


Added tag(s) pending and fixed-upstream. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Sat, 27 Jul 2013 07:57:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#717895; Package xymon. (Sat, 27 Jul 2013 08:03:18 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Sat, 27 Jul 2013 08:03:19 GMT) (full text, mbox, link).


Message #39 received at 717895@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 717895@bugs.debian.org
Subject: Re: Bug#717895: xymon: remote file deletion vulnerability
Date: Sat, 27 Jul 2013 10:02:47 +0200
Hi Salvatore,

Salvatore Bonaccorso wrote:
> CVE-2013-4173[1] was now assigned to this issue.
> 
>  [1] http://article.gmane.org/gmane.comp.security.oss.general/10728

Thanks. Updated the changelog and informed upstream via the mailing
list. At least there the CVE id wasn't posted yet.

Also tagged this bug report as fixed-upstream and pending (as there's
a fixed upstream release in git.)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5



Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Fri, 28 Feb 2014 23:36:12 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 28 Feb 2014 23:36:12 GMT) (full text, mbox, link).


Message #44 received at 717895-close@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: 717895-close@bugs.debian.org
Subject: Bug#717895: fixed in xymon 4.3.17-1
Date: Fri, 28 Feb 2014 23:34:14 +0000
Source: xymon
Source-Version: 4.3.17-1

We believe that the bug you reported is fixed in the latest version of
xymon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 717895@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated xymon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 28 Feb 2014 23:33:43 +0100
Source: xymon
Binary: xymon xymon-client
Architecture: source amd64
Version: 4.3.17-1
Distribution: experimental
Urgency: low
Maintainer: Christoph Berg <myon@debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Description: 
 xymon      - monitoring system for systems, networks and applications
 xymon-client - client for the Xymon network monitor
Closes: 717895 734867
Changes: 
 xymon (4.3.17-1) experimental; urgency=low
 .
   [ Axel Beckert ]
   * New upstream release
     - Fixes remote file deletion vulnerability (Closes: #717895,
       CVE-2013-4173)
     - Refreshed and updated patches where needed
   * Apache 2.2 → 2.4 Migration:
     + Rename /etc/apache2/conf.d/xymon to …/conf-available/xymon.conf
       (Fixes lintian warnings non-standard-apache2-configuration-name and
       apache2-reverse-dependency-uses-obsolete-directory)
   * Add -W option to "netstat -ant" in client/xymonclient-linux.sh to
     avoid IPv6 address truncating in ports check. (Closes: #734867)
   * Bump Standards-Version to 3.9.5 (no changes)
   * Add a debian/upstream/metadata file according to DEP-12.
 .
   [ Christoph Berg ]
   * Rename /etc/xymon/xymongraph.d to graphs.d to match graphs.cfg.
   * Move the include patching for clientlaunch.cfg/d from debian/rules to the
     hobbitvars patch.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 28 Jun 2014 07:32:34 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:04:43 2019; Machine Name: beach
