The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote authenticated users to bypass authorization checks, and trigger execution of arbitrary programs by this process, via an (a) custom form or a (b) browser addon.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Nagios | Nagios | * | 3.0.4 (including) |
| Nagios | Nagios | 1.0 (including) | 1.0 (including) |
| Nagios | Nagios | 1.0_b1 (including) | 1.0_b1 (including) |
| Nagios | Nagios | 1.0_b2 (including) | 1.0_b2 (including) |
| Nagios | Nagios | 1.0_b3 (including) | 1.0_b3 (including) |
| Nagios | Nagios | 1.0b1 (including) | 1.0b1 (including) |
| Nagios | Nagios | 1.0b2 (including) | 1.0b2 (including) |
| Nagios | Nagios | 1.0b3 (including) | 1.0b3 (including) |
| Nagios | Nagios | 1.0b4 (including) | 1.0b4 (including) |
| Nagios | Nagios | 1.0b5 (including) | 1.0b5 (including) |
| Nagios | Nagios | 1.0b6 (including) | 1.0b6 (including) |
| Nagios | Nagios | 1.1 (including) | 1.1 (including) |
| Nagios | Nagios | 1.2 (including) | 1.2 (including) |
| Nagios | Nagios | 1.3 (including) | 1.3 (including) |
| Nagios | Nagios | 1.4 (including) | 1.4 (including) |
| Nagios | Nagios | 1.4.1 (including) | 1.4.1 (including) |
| Nagios | Nagios | 2.0 (including) | 2.0 (including) |
| Nagios | Nagios | 2.0b1 (including) | 2.0b1 (including) |
| Nagios | Nagios | 2.0b2 (including) | 2.0b2 (including) |
| Nagios | Nagios | 2.0b3 (including) | 2.0b3 (including) |
| Nagios | Nagios | 2.0b4 (including) | 2.0b4 (including) |
| Nagios | Nagios | 2.0b5 (including) | 2.0b5 (including) |
| Nagios | Nagios | 2.0b6 (including) | 2.0b6 (including) |
| Nagios | Nagios | 2.0rc1 (including) | 2.0rc1 (including) |
| Nagios | Nagios | 2.0rc2 (including) | 2.0rc2 (including) |
| Nagios | Nagios | 2.1 (including) | 2.1 (including) |
| Nagios | Nagios | 2.2 (including) | 2.2 (including) |
| Nagios | Nagios | 2.3 (including) | 2.3 (including) |
| Nagios | Nagios | 2.3.1 (including) | 2.3.1 (including) |
| Nagios | Nagios | 2.4 (including) | 2.4 (including) |
| Nagios | Nagios | 2.5 (including) | 2.5 (including) |
| Nagios | Nagios | 2.7 (including) | 2.7 (including) |
| Nagios | Nagios | 2.8 (including) | 2.8 (including) |
| Nagios | Nagios | 2.9 (including) | 2.9 (including) |
| Nagios | Nagios | 2.10 (including) | 2.10 (including) |
| Nagios | Nagios | 2.11 (including) | 2.11 (including) |
| Nagios | Nagios | 3.0 (including) | 3.0 (including) |
| Nagios | Nagios | 3.0-alpha1 (including) | 3.0-alpha1 (including) |
| Nagios | Nagios | 3.0-alpha2 (including) | 3.0-alpha2 (including) |
| Nagios | Nagios | 3.0-alpha3 (including) | 3.0-alpha3 (including) |
| Nagios | Nagios | 3.0-alpha4 (including) | 3.0-alpha4 (including) |
| Nagios | Nagios | 3.0-beta1 (including) | 3.0-beta1 (including) |
| Nagios | Nagios | 3.0-beta2 (including) | 3.0-beta2 (including) |
| Nagios | Nagios | 3.0-beta3 (including) | 3.0-beta3 (including) |
| Nagios | Nagios | 3.0-beta4 (including) | 3.0-beta4 (including) |
| Nagios | Nagios | 3.0-beta5 (including) | 3.0-beta5 (including) |
| Nagios | Nagios | 3.0-beta6 (including) | 3.0-beta6 (including) |
| Nagios | Nagios | 3.0-beta7 (including) | 3.0-beta7 (including) |
| Nagios | Nagios | 3.0-rc1 (including) | 3.0-rc1 (including) |
| Nagios | Nagios | 3.0-rc2 (including) | 3.0-rc2 (including) |
| Nagios | Nagios | 3.0-rc3 (including) | 3.0-rc3 (including) |
| Nagios | Nagios | 3.0.1 (including) | 3.0.1 (including) |
| Nagios | Nagios | 3.0.2 (including) | 3.0.2 (including) |
| Nagios | Nagios | 3.0.3 (including) | 3.0.3 (including) |
| Monitor | Op5 | * | 4.0.0 (including) |
| Monitor | Op5 | 2.4 (including) | 2.4 (including) |
| Monitor | Op5 | 2.6 (including) | 2.6 (including) |
| Monitor | Op5 | 2.8 (including) | 2.8 (including) |
| Monitor | Op5 | 3.0 (including) | 3.0 (including) |
| Monitor | Op5 | 3.0.0 (including) | 3.0.0 (including) |
| Monitor | Op5 | 3.2 (including) | 3.2 (including) |
| Monitor | Op5 | 3.2.4 (including) | 3.2.4 (including) |
| Monitor | Op5 | 3.3.1 (including) | 3.3.1 (including) |
| Monitor | Op5 | 3.3.2 (including) | 3.3.2 (including) |
| Monitor | Op5 | 3.3.3 (including) | 3.3.3 (including) |
| Nagios | Ubuntu | dapper | * |
| Nagios | Ubuntu | gutsy | * |
| Nagios2 | Ubuntu | gutsy | * |
| Nagios2 | Ubuntu | hardy | * |
| Nagios3 | Ubuntu | intrepid | * |
| Nagios3 | Ubuntu | upstream | * |
References
- http://marc.info/?l=bugtraq\u0026m=124156641928637\u0026w=2
- http://secunia.com/advisories/33320
- http://secunia.com/advisories/35002
- http://security.gentoo.org/glsa/glsa-200907-15.xml
- http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se\u0026forum_name=nagios-devel
- http://www.nagios.org/development/history/nagios-3x.php
- http://www.op5.com/support/news/389-important-security-fix-available-for-op5-monitor
- http://www.openwall.com/lists/oss-security/2008/11/06/2
- http://www.securityfocus.com/bid/32156
- http://www.securitytracker.com/id?1022165
- http://www.ubuntu.com/usn/USN-698-1
- http://www.vupen.com/english/advisories/2008/3029
- http://www.vupen.com/english/advisories/2008/3364
- http://www.vupen.com/english/advisories/2009/1256
- https://www.ubuntu.com/usn/USN-698-3/
- http://marc.info/?l=bugtraq\u0026m=124156641928637\u0026w=2
- http://secunia.com/advisories/33320
- http://secunia.com/advisories/35002
- http://security.gentoo.org/glsa/glsa-200907-15.xml
- http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se\u0026forum_name=nagios-devel
- http://www.nagios.org/development/history/nagios-3x.php
- http://www.op5.com/support/news/389-important-security-fix-available-for-op5-monitor
- http://www.openwall.com/lists/oss-security/2008/11/06/2
- http://www.securityfocus.com/bid/32156
- http://www.securitytracker.com/id?1022165
- http://www.ubuntu.com/usn/USN-698-1
- http://www.vupen.com/english/advisories/2008/3029
- http://www.vupen.com/english/advisories/2008/3364
- http://www.vupen.com/english/advisories/2009/1256
- https://www.ubuntu.com/usn/USN-698-3/