| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Aug 2014 11:13:47 +0200 From: <CERT@...ekom.de> To: <BugTraq@...urityfocus.com> CC: <CERT@...ekom.de> Subject: Deutsche Telekom CERT Advisory [DTC-A-20140820-001] check_mk vulnerabilities Deutsche Telekom CERT Advisory [DTC-A-20140820-001] Summary: Several vulnerabilities were found in check_mk prior versions 1.2.4p4 and 1.2.5i4. The vulnerabilities are: 1 - Reflected Cross-Site Scripting (XSS) 2 - write access to config files (.mk files) 3 - arbitrary code execution Recommendations: Install software release 1.2.4p4, 1.2.5i4 or later. Homepage: http://mathias-kettner.de/check_mk.html Details: a) application b) problem c) CVSS d) detailed description ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ a1) check_mk (git hash: 4b71709) [CVE-2014-5338] b1) Reflected Cross-Site Scripting (XSS) c1) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C d1) The check_mk application is susceptible to reflected XSS attacks. This is mainly the result of improper output encoding. Reflected XSS can be triggered by sending a malicious URL to a user of the check_mk application. Once the XSS attack is triggered, the attacker has access to the full check_mk (and nagios) application with the access rights of the logged in victim. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ a2) check_mk (git hash: 4b71709) [CVE-2014-5339] b2) Write access to config (.mk) files in arbitrary places on the filesystem c2) CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P d2) The check_mk application does allow an attacker to write check_mk config files (.mk files) on arbitrary locations on the server filesystem ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ a3) check_mk (git hash: 4b71709) [CVE-2014-5340] b3) Code executing due to insecure input handling c3) CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C d3) The check_mk applications uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. Additionally, there are several locations in the code which allow calling this method without any CSRF tokens in place. This flaw can also be triggered as a non-admin user (for instance as a normal monitoring user, who only has limited capabilities in the application). Deutsche Telekom Cyber Defense & CERT Friedrich-Ebert-Allee 140, 53113 Bonn, Germany +49 800 DTAG CERT (Tel.) E-Mail: cert@...ekom.de Life is for sharing. Deutsche Telekom AG Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman) Board of Management: Timotheus Höttges (Chairman), Dr. Thomas Kremer, Reinhard Clemens, Niek Jan van Damme, Thomas Dannenfeldt, Claudia Nemat, Prof. Dr. Marion Schick Commercial register: Amtsgericht Bonn HRB 6794 Registered office: Bonn Big changes start small – conserve resources by not printing every e-mail.
Powered by blists - more mailing lists