Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view)
Jonas Meurer
jonas-EzvwY9xUkZCmsm7FhTHJ5g at public.gmane.org
Wed Sep 4 18:11:03 CEST 2013
For the record:
Nagios developers finally accepted the patch into nagios 3.5 and 4.0
repository:
http://sourceforge.net/p/nagios/nagioscore/ci/1ffe547925a8b90b8d35ea96d6ca92b489178982/
http://sourceforge.net/p/nagios/nagioscore/ci/f36ef53a9771d7f89d1f0810228eafc0c0f49036/
Here's the relevant comments by Andreas Ericcson:
http://tracker.nagios.org/view.php?id=456#c795
http://tracker.nagios.org/view.php?id=456#c796
Kind regards,
jonas
Am 2013-09-04 11:03, schrieb Andreas Ericsson:
> On 2013-09-04 10:31, Jonas Meurer wrote:
>> Hey list and fellow Nagios developers,
>>
>> as you might have noticed, there's a discussion ongoing on
>> oss-security[1]
>> regarding bug report #456[2].
>>
>> I'm the one who discovered the described issue, and I still believe
>> that
>> it's a bug with security implications, even though not everyone seems
>> to
>> be convinced.
>>
>> I'll try to give a brief description of the issue:
>>
>> The Nagios status.cgi (at all 3.4* and 4.0* versions I checked) leaks
>> hostnames to unauthorized users as part of servicegroups. All of
>> servicegroup overview, summary and grid list each and every hostname
>> that
>> is part of a servicegroup, regardless whether the HTTP user is listed
>> in
>> contacts/contactgroups for this host.
>>
>> In my opinion this is a security issue - at least on multi-user (e.g.
>> multi-customer) Nagios-setups. I guess that most ISPs which give their
>> customers access to the Nagios CGIs don't want to provide a full list
>> of monitored hosts to their customers as a side-effect.
>>
>> One reason for confusion is the following entry from Nagios3
>> changelog[3]:
>>
>> 3.4.0 - 05/04/2012
>> ENHANCEMENTS
>> [...]
>> - Users can now see hostgroups and servicegroups that contain at least
>> one host or service they are authorized for, instead of having to
>> be authorized for them all (Ethan Galstad)
>>
>>
>> The indisputable part of this change is, that users are allowed to see
>> hostgroups and servicegroups with at least one authorized host or
>> service. Unclear is, whether this means "group and all its group
>> members", or "group and only authorized group members".
>>
>
> It should mean "group and only authorized group members, except also
> hosts for services where one is authorized to see the service".
>
>> Unfortunately, no Nagios developer speaked up yet about this issue.
>> Thus
>> there's still a lot confusion about it.
>>
>
> Well, now I have, so confusion dispelled.
>
>> You can find my patch at the Nagios Issue Tracker.
>
> Ah, right. Care to provide a link? Mostly, I prefer to get patches to
> this mailing list, since I don't spend a lot of time hunting them down
> from the (underused) tracker.
>
>> This patch changes
>> status.cgi behaviour to show only group members (hosts/services) that
>> the user is authorized to see.
>>
>> A comment about this issue by the Nagios Developers whould be highly
>> appreciated. In case that the described (and critizised) behaviour of
>> status.cgi is intended, the distribution security teams can move on.
>>
>
> Well, it *was* by design, but now I'm changing the design. It's a good
> time for it, since 4.0 is about to come out. I think the security teams
> can move on and we'll consider this "changed" rather than "fixed" for
> 4.0, where we do some security tightening.
>
>> If on the other hand you agree with me, that this issue should be
>> fixed, I'll continue to work with the security teams in order to
>> provide patched Nagios packages for their distributions.
>>
>> Thanks for your work on Nagios, it's a very valuable piece of
>> software!
>>
>
> Thanks for enjoying it.
More information about the Developers
mailing list