On 07/27/13 03:53, Axel Beckert wrote:
> Hi Henrik,
>
> On Fri, Jul 26, 2013 at 10:34:21AM +0200, Axel Beckert wrote:
>> On Thu, Jul 25, 2013 at 06:09:40PM +0200, Henrik Størner wrote:
>>>> Does a CVE id exist for that vulnerability?
>>> No. I suppose I could figure out how to request one - unless someone else already knows how?
>> I requested one via the Debian Security Team.
>
> CVE-2013-4173[1] has been assigned to this issue. Thanks to Salvatore Bonaccorso for his help.
>
> [1] http://article.gmane.org/gmane.comp.security.oss.general/10728
>
> In case you want to request one yourself next time, see https://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html for instructions.
>
> Kind regards, Axel Beckert
Hi Axel, Henrik
I noticed in the CVE link provided the following:
--[snip]--
If access to administrative commands is limited by use of the "--admin-senders" option for the "xymond" daemon, then the attack is restricted to the commands sent from the IP addresses listed in the --admin-senders access list. However, the default configuration permits these commands to be sent from any IP.
--[snip]--
However, I checked several Xymon and Hobbit installations that we manage and each of them has the --admin-senders=127.0.0.1,$BBSERVERIP (for hobbit) and --admin-senders=127.0.0.1,$XYMONSERVERIP (for xymon) set.
I know for a fact that these settings were not manually added to the xymond daemon CMDs on our servers, so this appears to be the default, which means that by default Xymon (and Hobbit) systems are "not vulnerable."
Am I missing something?
Thanks!
--
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
-- Not responsible for anything below this line --
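The question above turns on what a given xymond instance was actually started with. The following POSIX shell helper is an added example, not code from the Xymon project or from anyone in this thread: it takes a xymond command line (for instance the `args` column of `ps`, which is an assumed way of obtaining it) and reports whether `--admin-senders` is absent (administrative commands accepted from any IP, as the CVE text describes), restricted to loopback only, or restricted to a listed set of addresses. The sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper for the --admin-senders discussion above.
# Not part of Xymon; command lines below are constructed examples.

# admin_senders_of CMDLINE
#   Prints the value of the first --admin-senders=... argument found in
#   CMDLINE, or nothing if the option is not present.
admin_senders_of() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^--admin-senders=//p' | head -n 1
}

# classify_admin_senders CMDLINE
#   Prints one of:
#     unrestricted        -- no --admin-senders at all (any IP may send admin commands)
#     loopback-only       -- every listed sender is 127.0.0.1 or ::1
#     restricted:<list>   -- a specific allow-list, printed verbatim
classify_admin_senders() {
    list=$(admin_senders_of "$1")
    if [ -z "$list" ]; then
        echo unrestricted
        return 0
    fi
    local_only=yes
    # Entries are comma separated and never contain spaces, so splitting
    # on spaces after converting commas is safe here.
    for entry in $(printf '%s\n' "$list" | tr ',' ' '); do
        case "$entry" in
            127.0.0.1|::1) ;;
            *) local_only=no ;;
        esac
    done
    if [ "$local_only" = yes ]; then
        echo loopback-only
    else
        echo "restricted:$list"
    fi
}

# Constructed sample command lines, roughly what ps would show.
SAMPLE_OPEN='/usr/lib/xymon/server/bin/xymond --pidfile=/var/run/xymon/xymond.pid --daemon'
SAMPLE_DEFAULT='/usr/lib/xymon/server/bin/xymond --admin-senders=127.0.0.1,10.0.0.5 --daemon'
SAMPLE_LOOPBACK='/usr/lib/xymon/server/bin/xymond --admin-senders=127.0.0.1'

for cmd in "$SAMPLE_OPEN" "$SAMPLE_DEFAULT" "$SAMPLE_LOOPBACK"; do
    printf '%s\n    -> %s\n' "$cmd" "$(classify_admin_senders "$cmd")"
done

# Against a live server (assumption: ps supports -o args= and -C):
#   classify_admin_senders "$(ps -o args= -C xymond | head -n 1)"
```

Run against each monitoring server; any host that reports `unrestricted` is in the state the CVE text calls the default, whatever the packaged startup file may claim.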