base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.

The remote SUSE Linux SLED12 / SLED_SAP12 / SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1629-1 advisory.

  - base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios     group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote     attackers using CVE-2016-9565. (CVE-2016-9566)

  - UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux     Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause     cause DoS or potentially escalate privileges by winning a race. This issue affects: SUSE Linux Enterprise     Server 12 nagios version 3.5.1-5.27 and prior versions. SUSE Linux Enterprise Server 11 nagios version     3.0.6-1.25.36.3.1 and prior versions. openSUSE Factory nagios version 4.4.5-2.1 and prior versions.
    (CVE-2019-3698)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several issues were corrected in nagios3, a monitoring and management system for hosts, services and networks.

CVE-2018-18245

Maximilian Boehner of usd AG found a cross-site scripting (XSS) vulnerability in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output.

CVE-2016-9566

It was discovered that local users with access to an account in the nagios group are able to gain root privileges via a symlink attack on the debug log file.

CVE-2014-1878

An issue was corrected that allowed remote attackers to cause a stack-based buffer overflow and subsequently a denial of service (segmentation fault) via a long message to cmd.cgi.

CVE-2013-7205 | CVE-2013-7108

A flaw was corrected in Nagios that could be exploited to cause a denial of service. This vulnerability is induced due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially crafted key value to the Nagios web UI.

For Debian 8 'Jessie', these problems have been fixed in version 3.5.1.dfsg-2+deb8u1.

We recommend that you upgrade your nagios3 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to close CVE

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201710-20 (Nagios: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Nagios. Please review       the referenced CVE identifiers for details.
  Impact :

    A remote attacker could possibly escalate privileges to root, thus       allowing the execution of arbitrary code, by leveraging CVE-2016-9565.
      Additionally, a local attacker could cause a Denial of Service condition       against arbitrary processes due to the improper dropping of privileges.
  Workaround :

    There is no known workaround at this time.

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.

Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi.

Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.

A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the 'nagios' user/group) could use this flaw to elevate their privileges to root.

Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read.

rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache.

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3253-1 advisory.

    It was discovered that Nagios incorrectly handled certain long strings. A remote authenticated attacker     could use this issue to cause Nagios to crash, resulting in a denial of service, or possibly obtain     sensitive information. (CVE-2013-7108, CVE-2013-7205)

    It was discovered that Nagios incorrectly handled certain long messages to cmd.cgi. A remote attacker     could possibly use this issue to cause Nagios to crash, resulting in a denial of service. (CVE-2014-1878)

    Dawid Golunski discovered that Nagios incorrectly handled symlinks when accessing log files. A local     attacker could possibly use this issue to elevate privileges. In the default installation of Ubuntu, this     should be prevented by the Yama link restrictions. (CVE-2016-9566)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201702-26 (Nagios: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Nagios. Please review       the CVE identifiers referenced below for details.
  Impact :

    A local attacker, who either is already Nagios&rsquo;s system user or       belongs to Nagios&rsquo;s group, could potentially escalate privileges.
    In addition, a remote attacker could read or write to arbitrary files by       spoofing a crafted response from the Nagios RSS feed server.
  Workaround :

    There is no known workaround at this time.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2017:0259 advisory.

    Nagios is a program that monitors hosts and services on your network, and has the ability to send email or     page alerts when a problem arises or is resolved.

    Security Fix(es):

    * It was found that an attacker who could control the content of an RSS feed could execute code remotely     using the Nagios web interface. This flaw could be used to gain access to the remote system and in some     scenarios control over the system. (CVE-2016-9565)

    * A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control     the Nagios logging configuration (the 'nagios' user/group) could use this flaw to elevate their privileges     to root. (CVE-2016-9566)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update for nagios is now available for Red Hat Gluster Storage 3.1 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Nagios is a program that monitors hosts and services on your network, and has the ability to send email or page alerts when a problem arises or is resolved.

Security Fix(es) :

* It was found that an attacker who could control the content of an RSS feed could execute code remotely using the Nagios web interface.
This flaw could be used to gain access to the remote system and in some scenarios control over the system. (CVE-2016-9565)

* A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the 'nagios' user/group) could use this flaw to elevate their privileges to root. (CVE-2016-9566)

This update for icinga includes various upstream fixes and the following security security fixes :

  - icinga was updated to version 1.14.0

  - the classic-UI was vulnerable to a cross site scripting     attack (CVE-2015-8010, boo#952777)

  - A user with nagios privileges could have gained root     privileges by placing a symbolic link at the logfile     location (CVE-2016-9566, boo#1014637)

The remote host is affected by the vulnerability described in GLSA-201612-51 (Icinga: Privilege escalation)

    Icinga daemon was found to perform unsafe operations when handling the       log file.
  Impact :

    A local attacker, who either is already Icinga&rsquo;s system user or       belongs to Icinga&rsquo;s group, could potentially escalate privileges.
  Workaround :

    There is no known workaround at this time.

Nagios was found to be vulnerable to two security issues that, when combined, lead to a remote root code execution vulnerability.
Fortunately, the hardened permissions of the Debian package limit the effect of those to information disclosure, but privilege escalation to root is still possible locally.

CVE-2016-9565

Improper sanitization of RSS feed input enables unauthenticated remote read and write of arbitrary files which may lead to remote code execution if the web root is writable.

CVE-2016-9566

Unsafe logfile handling allows unprivileged users to escalate their privileges to root. In wheezy, this is possible only through the debug logfile which is disabled by default.

For Debian 7 'Wheezy', these problems have been fixed in version 3.4.1-3+deb7u3.

We recommend that you upgrade your nagios3 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
197049	SUSE SLED12 / SLES12 Security Update : SUSE Manager Client Tools Beta (SUSE-SU-2024:1629-1)	Nessus	SuSE Local Security Checks	high
119875	Debian DLA-1615-1 : nagios3 security update	Nessus	Debian Local Security Checks	high
105984	Fedora 27 : nagios (2017-d270e932a3)	Nessus	Fedora Local Security Checks	critical
103913	GLSA-201710-20 : Nagios: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
103651	Amazon Linux AMI : nagios (ALAS-2017-899)	Nessus	Amazon Linux Local Security Checks	critical
99182	Ubuntu 14.04 LTS / 16.04 LTS : Nagios vulnerabilities (USN-3253-1)	Nessus	Ubuntu Local Security Checks	high
97269	GLSA-201702-26 : Nagios: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
97061	RHEL 6 : nagios (RHSA-2017:0259)	Nessus	Red Hat Local Security Checks	critical
97060	RHEL 7 : nagios (RHSA-2017:0258)	Nessus	Red Hat Local Security Checks	critical
96545	openSUSE Security Update : icinga (openSUSE-2017-100)	Nessus	SuSE Local Security Checks	high
96226	GLSA-201612-51 : Icinga: Privilege escalation	Nessus	Gentoo Local Security Checks	high
96012	Debian DLA-751-1 : nagios3 security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2016-9566

high

Tenable Plugins

high

high

critical

critical

critical

high

critical

critical

critical

high

high

critical