6.8 - USN-698-3

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	Nagios vulnerabilities

Informations
Name	USN-698-3	First vendor Publication	2008-12-23
Vendor	Ubuntu	Last vendor Modification	2008-12-23
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score	6.8	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
nagios2 2.11-1ubuntu1.4

After a standard system upgrade you need to restart Nagios to effect the necessary changes.

Details follow:

It was discovered that Nagios was vulnerable to a Cross-site request forgery (CSRF) vulnerability. If an authenticated nagios user were tricked into clicking a link on a specially crafted web page, an attacker could trigger commands to be processed by Nagios and execute arbitrary programs. This update alters Nagios behaviour by disabling submission of CMD_CHANGE commands. (CVE-2008-5028)

It was discovered that Nagios did not properly parse commands submitted using the web interface. An authenticated user could use a custom form or a browser addon to bypass security restrictions and submit unauthorized commands. (CVE-2008-5027)

Original Source

Url : http://www.ubuntu.com/usn/USN-698-3

CAPEC : Common Attack Pattern Enumeration & Classification

Id	Name
CAPEC-1	Accessing Functionality Not Properly Constrained by ACLs
CAPEC-13	Subverting Environment Variable Values
CAPEC-17	Accessing, Modifying or Executing Executable Files
CAPEC-39	Manipulating Opaque Client-based Data Tokens
CAPEC-45	Buffer Overflow via Symbolic Links
CAPEC-51	Poison Web Service Registry
CAPEC-59	Session Credential Falsification through Prediction
CAPEC-60	Reusing Session IDs (aka Session Replay)
CAPEC-76	Manipulating Input to File System Calls
CAPEC-77	Manipulating User-Controlled Variables
CAPEC-87	Forceful Browsing
CAPEC-104	Cross Zone Scripting

CWE : Common Weakness Enumeration

%	Id	Name
50 %	CWE-352	Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
50 %	CWE-264	Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20295

Oval ID:	oval:org.mitre.oval:def:20295
Title:	USN-698-2 -- nagios3 vulnerabilities
Description:	It was discovered that Nagios was vulnerable to a Cross-site request forgery (CSRF) vulnerability.
Family:	unix	Class:	patch
Reference(s):	USN-698-2 CVE-2008-5028 CVE-2008-5027	Version:	5
Platform(s):	Ubuntu 8.10	Product(s):	nagios3
Definition Synopsis:
Ubuntu 8.10 is installed AND nagios3 DPKG is earlier than 0:3.0.2-1ubuntu1.1

Definition Id: oval:org.mitre.oval:def:20718

Oval ID:	oval:org.mitre.oval:def:20718
Title:	USN-698-3 -- nagios2 vulnerabilities
Description:	It was discovered that Nagios was vulnerable to a Cross-site request forgery (CSRF) vulnerability.
Family:	unix	Class:	patch
Reference(s):	USN-698-3 CVE-2008-5028 CVE-2008-5027	Version:	5
Platform(s):	Ubuntu 8.04	Product(s):	nagios2
Definition Synopsis:
Ubuntu 8.04 is installed AND nagios2 DPKG is earlier than 0:2.11-1ubuntu1.4

Definition Id: oval:org.mitre.oval:def:21043

Oval ID:	oval:org.mitre.oval:def:21043
Title:	USN-698-1 -- nagios vulnerability
Description:	It was discovered that Nagios did not properly parse commands submitted using the web interface.
Family:	unix	Class:	patch
Reference(s):	USN-698-1 CVE-2008-5027	Version:	5
Platform(s):	Ubuntu 6.06	Product(s):	nagios
Definition Synopsis:
Ubuntu 6.06 is installed AND nagios-common DPKG is earlier than 2:1.3-cvs.20050402-8ubuntu8

CPE : Common Platform Enumeration

Type	Description	Count
Application	Nagios cpe:2.3:a:nagios:nagios:3.0.4:::::::* cpe:2.3:a:nagios:nagios:3.0.3:::::::* cpe:2.3:a:nagios:nagios:3.0.2:::::::* cpe:2.3:a:nagios:nagios:3.0.1:::::::* cpe:2.3:a:nagios:nagios:3.0:rc1:::::: cpe:2.3:a:nagios:nagios:3.0:alpha1:::::: cpe:2.3:a:nagios:nagios:3.0:alpha4:::::: cpe:2.3:a:nagios:nagios:3.0:beta7:::::: cpe:2.3:a:nagios:nagios:3.0:beta5:::::: cpe:2.3:a:nagios:nagios:3.0:alpha3:::::: cpe:2.3:a:nagios:nagios:3.0:beta4:::::: cpe:2.3:a:nagios:nagios:3.0:rc2:::::: cpe:2.3:a:nagios:nagios:3.0:::::::* cpe:2.3:a:nagios:nagios:3.0:alpha5:::::: cpe:2.3:a:nagios:nagios:3.0:alpha2:::::: cpe:2.3:a:nagios:nagios:3.0:beta6:::::: cpe:2.3:a:nagios:nagios:3.0:rc3:::::: cpe:2.3:a:nagios:nagios:3.0:beta3:::::: cpe:2.3:a:nagios:nagios:3.0:beta1:::::: cpe:2.3:a:nagios:nagios:3.0:beta2:::::: cpe:2.3:a:nagios:nagios:2.9:::::::* cpe:2.3:a:nagios:nagios:2.8:::::::* cpe:2.3:a:nagios:nagios:2.7:::::::* cpe:2.3:a:nagios:nagios:2.5:::::::* cpe:2.3:a:nagios:nagios:2.4:::::::* cpe:2.3:a:nagios:nagios:2.3.1:::::::* cpe:2.3:a:nagios:nagios:2.3:::::::* cpe:2.3:a:nagios:nagios:2.2:::::::* cpe:2.3:a:nagios:nagios:2.11:::::::* cpe:2.3:a:nagios:nagios:2.10:::::::* cpe:2.3:a:nagios:nagios:2.1.3:::::::* cpe:2.3:a:nagios:nagios:2.1:::::::* cpe:2.3:a:nagios:nagios:2.0rc2:::::::* cpe:2.3:a:nagios:nagios:2.0rc1:::::::* cpe:2.3:a:nagios:nagios:2.0b6:::::::* cpe:2.3:a:nagios:nagios:2.0b5:::::::* cpe:2.3:a:nagios:nagios:2.0b4:::::::* cpe:2.3:a:nagios:nagios:2.0b3:::::::* cpe:2.3:a:nagios:nagios:2.0b2:::::::* cpe:2.3:a:nagios:nagios:2.0b1:::::::* cpe:2.3:a:nagios:nagios:2.0.2:::::::* cpe:2.3:a:nagios:nagios:2.0.1:::::::* cpe:2.3:a:nagios:nagios:2.0:::::::* cpe:2.3:a:nagios:nagios:1.4.1:::::::* cpe:2.3:a:nagios:nagios:1.4:::::::* cpe:2.3:a:nagios:nagios:1.3:::::::* cpe:2.3:a:nagios:nagios:1.2:::::::* cpe:2.3:a:nagios:nagios:1.1:::::::* cpe:2.3:a:nagios:nagios:1.0b6:::::::* cpe:2.3:a:nagios:nagios:1.0b5:::::::* cpe:2.3:a:nagios:nagios:1.0b4:::::::* cpe:2.3:a:nagios:nagios:1.0b3:::::::* cpe:2.3:a:nagios:nagios:1.0b2:::::::* cpe:2.3:a:nagios:nagios:1.0b1:::::::* cpe:2.3:a:nagios:nagios:1.0_b3:::::::* cpe:2.3:a:nagios:nagios:1.0_b2:::::::* cpe:2.3:a:nagios:nagios:1.0_b1:::::::* cpe:2.3:a:nagios:nagios:1.0:::::::* cpe:2.3:a:nagios:nagios:::::::: cpe:2.3:a:nagios:nagios:-:::::::*	60
Application	op5 Monitor cpe:2.3:a:op5:monitor:3.3.3:::::::* cpe:2.3:a:op5:monitor:3.3.2:::::::* cpe:2.3:a:op5:monitor:3.3.1:::::::* cpe:2.3:a:op5:monitor:3.2.4:::::::* cpe:2.3:a:op5:monitor:3.2:::::::* cpe:2.3:a:op5:monitor:3.0.0:::::::* cpe:2.3:a:op5:monitor:3.0:::::::* cpe:2.3:a:op5:monitor:2.8:::::::* cpe:2.3:a:op5:monitor:2.6:::::::* cpe:2.3:a:op5:monitor:2.4:::::::*	10

OpenVAS Exploits

Date	Description
2009-07-29	Name : Gentoo Security Advisory GLSA 200907-15 (nagios-core) File : nvt/glsa_200907_15.nasl
2009-06-05	Name : Ubuntu USN-698-1 (nagios) File : nvt/ubuntu_698_1.nasl
2009-06-05	Name : Ubuntu USN-698-3 (nagios2) File : nvt/ubuntu_698_3.nasl
2009-05-06	Name : Nagios Web Interface Privilege Escalation Vulnerability File : nvt/nagios_cve_2008_5027.nasl
2009-03-23	Name : Ubuntu Update for nagios vulnerability USN-698-1 File : nvt/gb_ubuntu_USN_698_1.nasl
2009-03-23	Name : Ubuntu Update for nagios2 vulnerabilities USN-698-3 File : nvt/gb_ubuntu_USN_698_3.nasl
2009-02-16	Name : Fedora Update for nagios FEDORA-2008-10323 File : nvt/gb_fedora_2008_10323_nagios_fc10.nasl
2009-01-13	Name : FreeBSD Ports: nagios File : nvt/freebsd_nagios0.nasl
2008-12-29	Name : Ubuntu USN-697-1 (imlib2) File : nvt/ubuntu_697_1.nasl
2008-12-29	Name : Ubuntu USN-698-2 (nagios3) File : nvt/ubuntu_698_2.nasl
2008-12-29	Name : Ubuntu USN-699-1 (blender) File : nvt/ubuntu_699_1.nasl
2008-11-27	Name : Nagios Cross-site Request Forgery (CSRF) and Authentication Bypass Vulnerability File : nvt/gb_nagios_csrf_n_auth_bypass_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
50242	op5 Nagios Process Browser Addon Remote Authentication Bypass
50241	op5 Nagios Process Custom Form Remote Authentication Bypass
50240	Nagios Nagios Process Browser Addon Remote Authentication Bypass
50239	Nagios Nagios Process Custom Form Remote Authentication Bypass
49994	op5 Monitor Unspecified CSRF
49991	Nagios Unspecified CSRF

Nessus® Vulnerability Scanner

Date	Description
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_0_nagios-090217.nasl - Type : ACT_GATHER_INFO
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_1_nagios-090217.nasl - Type : ACT_GATHER_INFO
2009-07-20	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200907-15.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Fedora host is missing a security update. File : fedora_2008-10323.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-698-1.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-698-2.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-698-3.nasl - Type : ACT_GATHER_INFO
2009-01-12	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_d4a358d3e09a11dda7650030843d3802.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 12:05:34	Multiple Updates

Global Informations

Type	Count
Capec ID(s)	12
CWE ID(s)	3
Oval ID(s)	3
CPE ID(s)	70
osvdb(s)	6
Openvas Exploit(s)	12
Nessus® Exploit(s)	8

	Related
6.8	CVE-2008-5028
6.5	CVE-2008-5027
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)