Munin Resource Monitoring < 2.0.6 Multiple Vulnerabilities

low Nessus Network Monitor Plugin ID 6948

Synopsis

The remote web server is running a resource monitoring tool that is affected by multiple vulnerabilities.

Description

Munin is a networked resource monitoring tool. Versions of Munin prior to 2.0.6 are affected by the following vulnerabilities:

- The qmailscan plugin allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names (CVE-2012-2103).
- Munin stores the state files of plugins that run as root in the same group-writable directory as those of non-root plugins, which allows local users to execute arbitrary code by replacing a state file, as demonstrated using the smart_ plugin (CVE-2012-3512).
- munin-cgi-graph, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command (CVE-2012-3513).

Solution

Update the affected munin, munin-master and/or munin-node packages to 2.0.6-1 or the latest release.
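As an added example (not Tenable's plugin code and not part of Munin), the following script performs the two defender-side checks an administrator would want after reading this advisory: whether the installed Munin version is older than the fixed release 2.0.6 (handling Debian revisions such as 2.0.6-1 and pre-release tags such as 2.0.6~rc1), and whether the shared plugin-state directory or any file in it is group- or world-writable, which is the condition behind CVE-2012-3512. The default path /var/lib/munin/plugin-state is an assumption about a typical installation; the sample directory built by the script is constructed data for demonstration.

```python
"""Post-advisory checks for Munin < 2.0.6 (added example, not Nessus or Munin code)."""
import os
import re
import stat
import tempfile

FIXED_VERSION = "2.0.6"
# Assumed location of the shared plugin-state directory on a typical install.
DEFAULT_STATE_DIR = "/var/lib/munin/plugin-state"


def parse_version(v: str):
    """Return (numeric_tuple, is_final_release) for strings like '2.0.6-1' or '2.0.6~rc1'.

    A Debian revision ('-1') does not change the upstream version, while a '~'
    suffix marks a pre-release that sorts before the final release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(~)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2) is None


def is_vulnerable_version(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed upstream version sorts before the fixed one."""
    (a, a_final), (b, b_final) = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so '2.0' compares as '2.0.0'
    b += (0,) * (n - len(b))
    return (a, a_final) < (b, b_final)


def group_writable_entries(state_dir: str = DEFAULT_STATE_DIR):
    """List entries ('.' for the directory itself) that are group- or world-writable.

    A root plugin reading its state from a location that non-root plugin users
    can write to is what the advisory's CVE-2012-3512 describes.
    """
    findings = []
    for name in ["."] + sorted(os.listdir(state_dir)):
        mode = os.lstat(os.path.join(state_dir, name)).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(name)
    return findings


def build_sample_state_dir() -> str:
    """Construct a throwaway directory mimicking a shared state dir (constructed sample data)."""
    d = tempfile.mkdtemp(prefix="munin-state-")
    os.chmod(d, 0o775)  # group-writable directory, as in the advisory
    for name, mode in (("smart_sda.state", 0o664), ("safe.state", 0o644)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("last=0\n")
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    for v in ("2.0.5", "2.0.6~rc1", "2.0.6-1", "2.0.10"):
        print(f"{v:10} vulnerable={is_vulnerable_version(v)}")
    sample = build_sample_state_dir()
    print("writable by group/others:", group_writable_entries(sample))
```

On a real host, replace the sample directory with the installed state directory and run the version check against the output of the package manager; any entry reported by group_writable_entries that belongs to a root plugin should be tightened before relying on the version check alone.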

See Also

http://munin-monitoring.org/ticket/1238

http://munin-monitoring.org/ticket/1234

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668778

Plugin Details

Severity: Low

ID: 6948

Family: Web Servers

Published: 7/26/2013

Updated: 3/6/2019

Nessus ID: 66117

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:munin-monitoring:munin

Patch Publication Date: 2/26/2013

Vulnerability Publication Date: 2/26/2013

Reference Information

CVE: CVE-2012-2103, CVE-2012-3512, CVE-2012-3513

BID: 53031, 55698, 56398