lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <F431B9A0925EB54789AB192CE6A35EFF36FD419DBD@HE111649.emea1.cds.t-internal.com>
Date: Wed, 20 Aug 2014 11:13:47 +0200
From: <CERT@...ekom.de>
To: <BugTraq@...urityfocus.com>
CC: <CERT@...ekom.de>
Subject: Deutsche Telekom CERT Advisory [DTC-A-20140820-001] check_mk
 vulnerabilities

Deutsche Telekom CERT Advisory [DTC-A-20140820-001] 
 
Summary:
Several vulnerabilities were found in check_mk prior versions 1.2.4p4 and 1.2.5i4.
The vulnerabilities are:
1 - Reflected Cross-Site Scripting (XSS)
2 - write access to config files (.mk files) 
3 - arbitrary code execution 
 
Recommendations:
Install software release 1.2.4p4, 1.2.5i4 or later. 

Homepage: http://mathias-kettner.de/check_mk.html
 
Details:
a) application
b) problem
c) CVSS
d) detailed description
 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a1) check_mk (git hash: 4b71709) [CVE-2014-5338]
 
b1) Reflected Cross-Site Scripting (XSS)
 
c1) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
 
d1) The check_mk application is susceptible to reflected XSS attacks. This is mainly the result of improper output encoding. Reflected XSS can be triggered by sending a malicious URL to a user of the check_mk application. Once the XSS attack is triggered, the attacker has access to the full check_mk (and nagios) application with the access rights of the logged in victim.
 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
a2) check_mk (git hash: 4b71709) [CVE-2014-5339]
 
b2) Write access to config (.mk) files in arbitrary places on the filesystem
 
c2) CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P
 
d2) The check_mk application does allow an attacker to write check_mk config files (.mk files) on arbitrary locations on the server filesystem
 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
a3) check_mk (git hash: 4b71709) [CVE-2014-5340]
 
b3) Code executing due to insecure input handling
 
c3) CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
 
d3) The check_mk applications uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. 
Additionally, there are several locations in the code which allow calling this method without any CSRF tokens in place. This flaw can also be triggered as a non-admin user (for instance as a normal monitoring user, who only has limited capabilities in the application).


Deutsche Telekom Cyber Defense & CERT 
Friedrich-Ebert-Allee 140, 53113 Bonn, Germany
+49 800 DTAG CERT (Tel.)
E-Mail: cert@...ekom.de
Life is for sharing.
 
Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: Timotheus Höttges (Chairman),
Dr. Thomas Kremer, Reinhard Clemens, Niek Jan van Damme,
Thomas Dannenfeldt, Claudia Nemat, Prof. Dr. Marion Schick
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn
 
Big changes start small – conserve resources by not printing every e-mail.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ