6.8 - HPSBMA02419 SSRT090060

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	Insight Control Suite For Linux (ICE-LX) Multiple Remote Vulnerabilities In Nagios

Informations
Name	HPSBMA02419 SSRT090060	First vendor Publication	2009-05-05
Vendor	HP	Last vendor Modification	2009-05-05
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score	6.8	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Potential security vulnerabilities have been identified with Insight Control suite for Linux (ICE-LX) running Nagios. The vulnerabilities could be remotely exploited via cross-site request forgery (CSRF) and remote authentication bypass.

Original Source

Url : http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01712457

CAPEC : Common Attack Pattern Enumeration & Classification

Id	Name
CAPEC-1	Accessing Functionality Not Properly Constrained by ACLs
CAPEC-13	Subverting Environment Variable Values
CAPEC-17	Accessing, Modifying or Executing Executable Files
CAPEC-39	Manipulating Opaque Client-based Data Tokens
CAPEC-45	Buffer Overflow via Symbolic Links
CAPEC-51	Poison Web Service Registry
CAPEC-59	Session Credential Falsification through Prediction
CAPEC-60	Reusing Session IDs (aka Session Replay)
CAPEC-76	Manipulating Input to File System Calls
CAPEC-77	Manipulating User-Controlled Variables
CAPEC-87	Forceful Browsing
CAPEC-104	Cross Zone Scripting

CWE : Common Weakness Enumeration

%	Id	Name
33 %	CWE-352	Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
33 %	CWE-264	Permissions, Privileges, and Access Controls
33 %	CWE-94	Failure to Control Generation of Code ('Code Injection')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20295

Oval ID:	oval:org.mitre.oval:def:20295
Title:	USN-698-2 -- nagios3 vulnerabilities
Description:	It was discovered that Nagios was vulnerable to a Cross-site request forgery (CSRF) vulnerability.
Family:	unix	Class:	patch
Reference(s):	USN-698-2 CVE-2008-5028 CVE-2008-5027	Version:	5
Platform(s):	Ubuntu 8.10	Product(s):	nagios3
Definition Synopsis:
Ubuntu 8.10 is installed AND nagios3 DPKG is earlier than 0:3.0.2-1ubuntu1.1

Definition Id: oval:org.mitre.oval:def:20718

Oval ID:	oval:org.mitre.oval:def:20718
Title:	USN-698-3 -- nagios2 vulnerabilities
Description:	It was discovered that Nagios was vulnerable to a Cross-site request forgery (CSRF) vulnerability.
Family:	unix	Class:	patch
Reference(s):	USN-698-3 CVE-2008-5028 CVE-2008-5027	Version:	5
Platform(s):	Ubuntu 8.04	Product(s):	nagios2
Definition Synopsis:
Ubuntu 8.04 is installed AND nagios2 DPKG is earlier than 0:2.11-1ubuntu1.4

Definition Id: oval:org.mitre.oval:def:21043

Oval ID:	oval:org.mitre.oval:def:21043
Title:	USN-698-1 -- nagios vulnerability
Description:	It was discovered that Nagios did not properly parse commands submitted using the web interface.
Family:	unix	Class:	patch
Reference(s):	USN-698-1 CVE-2008-5027	Version:	5
Platform(s):	Ubuntu 6.06	Product(s):	nagios
Definition Synopsis:
Ubuntu 6.06 is installed AND nagios-common DPKG is earlier than 2:1.3-cvs.20050402-8ubuntu8

CPE : Common Platform Enumeration

Type	Description	Count
Application	Nagios cpe:2.3:a:nagios:nagios:3.0.5:::::::* cpe:2.3:a:nagios:nagios:3.0.4:::::::* cpe:2.3:a:nagios:nagios:3.0.3:::::::* cpe:2.3:a:nagios:nagios:3.0.2:::::::* cpe:2.3:a:nagios:nagios:3.0.1:::::::* cpe:2.3:a:nagios:nagios:3.0:beta4:::::: cpe:2.3:a:nagios:nagios:3.0:beta5:::::: cpe:2.3:a:nagios:nagios:3.0:rc1:::::: cpe:2.3:a:nagios:nagios:3.0:beta7:::::: cpe:2.3:a:nagios:nagios:3.0:rc3:::::: cpe:2.3:a:nagios:nagios:3.0:alpha2:::::: cpe:2.3:a:nagios:nagios:3.0:beta2:::::: cpe:2.3:a:nagios:nagios:3.0:beta1:::::: cpe:2.3:a:nagios:nagios:3.0:alpha5:::::: cpe:2.3:a:nagios:nagios:3.0:::::::* cpe:2.3:a:nagios:nagios:3.0:alpha3:::::: cpe:2.3:a:nagios:nagios:3.0:alpha4:::::: cpe:2.3:a:nagios:nagios:3.0:alpha1:::::: cpe:2.3:a:nagios:nagios:3.0:beta3:::::: cpe:2.3:a:nagios:nagios:3.0:beta6:::::: cpe:2.3:a:nagios:nagios:3.0:rc2:::::: cpe:2.3:a:nagios:nagios:2.9:::::::* cpe:2.3:a:nagios:nagios:2.8:::::::* cpe:2.3:a:nagios:nagios:2.7:::::::* cpe:2.3:a:nagios:nagios:2.5:::::::* cpe:2.3:a:nagios:nagios:2.4:::::::* cpe:2.3:a:nagios:nagios:2.3.1:::::::* cpe:2.3:a:nagios:nagios:2.3:::::::* cpe:2.3:a:nagios:nagios:2.2:::::::* cpe:2.3:a:nagios:nagios:2.11:::::::* cpe:2.3:a:nagios:nagios:2.10:::::::* cpe:2.3:a:nagios:nagios:2.1.3:::::::* cpe:2.3:a:nagios:nagios:2.1:::::::* cpe:2.3:a:nagios:nagios:2.0rc2:::::::* cpe:2.3:a:nagios:nagios:2.0rc1:::::::* cpe:2.3:a:nagios:nagios:2.0b6:::::::* cpe:2.3:a:nagios:nagios:2.0b5:::::::* cpe:2.3:a:nagios:nagios:2.0b4:::::::* cpe:2.3:a:nagios:nagios:2.0b3:::::::* cpe:2.3:a:nagios:nagios:2.0b2:::::::* cpe:2.3:a:nagios:nagios:2.0b1:::::::* cpe:2.3:a:nagios:nagios:2.0.2:::::::* cpe:2.3:a:nagios:nagios:2.0.1:::::::* cpe:2.3:a:nagios:nagios:2.0:::::::* cpe:2.3:a:nagios:nagios:1.4.1:::::::* cpe:2.3:a:nagios:nagios:1.4:::::::* cpe:2.3:a:nagios:nagios:1.3:::::::* cpe:2.3:a:nagios:nagios:1.2:::::::* cpe:2.3:a:nagios:nagios:1.1:::::::* cpe:2.3:a:nagios:nagios:1.0b6:::::::* cpe:2.3:a:nagios:nagios:1.0b5:::::::* cpe:2.3:a:nagios:nagios:1.0b4:::::::* cpe:2.3:a:nagios:nagios:1.0b3:::::::* cpe:2.3:a:nagios:nagios:1.0b2:::::::* cpe:2.3:a:nagios:nagios:1.0b1:::::::* cpe:2.3:a:nagios:nagios:1.0_b3:::::::* cpe:2.3:a:nagios:nagios:1.0_b2:::::::* cpe:2.3:a:nagios:nagios:1.0_b1:::::::* cpe:2.3:a:nagios:nagios:1.0:::::::* cpe:2.3:a:nagios:nagios:::::::: cpe:2.3:a:nagios:nagios:-:::::::*	61
Application	op5 Monitor cpe:2.3:a:op5:monitor:3.3.3:::::::* cpe:2.3:a:op5:monitor:3.3.2:::::::* cpe:2.3:a:op5:monitor:3.3.1:::::::* cpe:2.3:a:op5:monitor:3.2.4:::::::* cpe:2.3:a:op5:monitor:3.2:::::::* cpe:2.3:a:op5:monitor:3.0.0:::::::* cpe:2.3:a:op5:monitor:3.0:::::::* cpe:2.3:a:op5:monitor:2.8:::::::* cpe:2.3:a:op5:monitor:2.6:::::::* cpe:2.3:a:op5:monitor:2.4:::::::*	10

OpenVAS Exploits

Date	Description
2009-07-29	Name : Gentoo Security Advisory GLSA 200907-15 (nagios-core) File : nvt/glsa_200907_15.nasl
2009-06-05	Name : Ubuntu USN-698-1 (nagios) File : nvt/ubuntu_698_1.nasl
2009-06-05	Name : Ubuntu USN-698-3 (nagios2) File : nvt/ubuntu_698_3.nasl
2009-05-06	Name : Nagios Web Interface Privilege Escalation Vulnerability File : nvt/nagios_cve_2008_5027.nasl
2009-05-06	Name : Nagios External Commands and Adaptive Commands Unspecified Vulnerability File : nvt/nagios_cve_2008_6373.nasl
2009-03-23	Name : Ubuntu Update for nagios vulnerability USN-698-1 File : nvt/gb_ubuntu_USN_698_1.nasl
2009-03-23	Name : Ubuntu Update for nagios2 vulnerabilities USN-698-3 File : nvt/gb_ubuntu_USN_698_3.nasl
2009-02-16	Name : Fedora Update for nagios FEDORA-2008-10323 File : nvt/gb_fedora_2008_10323_nagios_fc10.nasl
2009-01-13	Name : FreeBSD Ports: nagios File : nvt/freebsd_nagios0.nasl
2008-12-29	Name : Ubuntu USN-697-1 (imlib2) File : nvt/ubuntu_697_1.nasl
2008-12-29	Name : Ubuntu USN-698-2 (nagios3) File : nvt/ubuntu_698_2.nasl
2008-12-29	Name : Ubuntu USN-699-1 (blender) File : nvt/ubuntu_699_1.nasl
2008-11-27	Name : Nagios Cross-site Request Forgery (CSRF) and Authentication Bypass Vulnerability File : nvt/gb_nagios_csrf_n_auth_bypass_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
50457	Nagios Unspecified CGI Issue
50242	op5 Nagios Process Browser Addon Remote Authentication Bypass
50241	op5 Nagios Process Custom Form Remote Authentication Bypass
50240	Nagios Nagios Process Browser Addon Remote Authentication Bypass
50239	Nagios Nagios Process Custom Form Remote Authentication Bypass
49994	op5 Monitor Unspecified CSRF
49991	Nagios Unspecified CSRF

Nessus® Vulnerability Scanner

Date	Description
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_0_nagios-090217.nasl - Type : ACT_GATHER_INFO
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_1_nagios-090217.nasl - Type : ACT_GATHER_INFO
2009-07-20	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200907-15.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Fedora host is missing a security update. File : fedora_2008-10323.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-698-1.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-698-2.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-698-3.nasl - Type : ACT_GATHER_INFO
2009-01-12	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_d4a358d3e09a11dda7650030843d3802.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
Capec ID(s)	12
CWE ID(s)	4
Oval ID(s)	3
CPE ID(s)	71
osvdb(s)	7
Openvas Exploit(s)	13
Nessus® Exploit(s)	8

	Related
6.8	CVE-2008-5028
6.5	CVE-2008-5027
5	CVE-2008-6373
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 3 more Alert(s)