Hi Henrik,
On Thu, Jul 25, 2013 at 07:35:23PM +0200, Henrik Størner wrote:
> If access to administrative commands is limited by use of the "--admin-senders" option for the "xymond" daemon, then the attack is restricted to the commands sent from the IP addresses listed in the --admin-senders access list. However, the default configuration permits these commands to be sent from any IP.
At least for 4.3.11 I could not reproduce the fact that the default config permits these commands to be sent from any IP.
The installed tasks.cfg as well as tasks.cfg.DIST both contain these lines:
[xymond]
[...]
CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid
--restart=$XYMONTMP/xymond.chk --checkpoint-file=$XYMONTMP/xymond.chk --checkpoint-interval=600
--log=$XYMONSERVERLOGS/xymond.log
--admin-senders=127.0.0.1,$XYMONSERVERIP
^^^^^^^^^^^^^^^^^^^^^^^^
--store-clientlogs=!msgs
(This does not lower the severity of the missing basename call in xymond_rrd, but may lower the impact with regard to how many installations are remotely vulnerable.)
Kind regards, Axel Beckert
--
Axel Beckert <beckert at phys.ethz.ch>    support: +41 44 633 26 68
IT Services Group, HPT H 6                 voice: +41 44 633 41 89
Department of Physics, ETH Zurich
CH-8093 Zurich, Switzerland                http://nic.phys.ethz.ch/
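Since the two messages above disagree on whether a given installation restricts admin commands, the practical question for an administrator is: does the [xymond] CMD line in my tasks.cfg actually carry --admin-senders, and which addresses does it name? The following checker is an added example written for this thread; it is not code from Xymon or from either poster. It assumes the tasks.cfg layout visible in the quoted excerpt (a "[section]" header, indented "KEY value" directives, "#" comments, and trailing-backslash line continuations that never split a token), and it takes an optional mapping for variables such as $XYMONSERVERIP, which in a real installation come from the ENVFILE (xymonserver.cfg) rather than from tasks.cfg itself. The two sample configs are constructed for the example: one modelled on the restrictive excerpt Axel quotes, one with the option removed.

```python
import re
import shlex
import sys

# Constructed sample, modelled on the tasks.cfg excerpt quoted in the mail.
# It is not a copy of any real installation's file.
RESTRICTED_CFG = """\
# Xymon server tasks (constructed example)
[xymond]
	ENVFILE /etc/xymon/xymonserver.cfg
	CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid \\
		--restart=$XYMONTMP/xymond.chk --checkpoint-file=$XYMONTMP/xymond.chk --checkpoint-interval=600 \\
		--log=$XYMONSERVERLOGS/xymond.log \\
		--admin-senders=127.0.0.1,$XYMONSERVERIP \\
		--store-clientlogs=!msgs
"""

# Constructed sample: a hand-edited file where --admin-senders was dropped.
OPEN_CFG = """\
[xymond]
	CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid \\
		--log=$XYMONSERVERLOGS/xymond.log
"""


def parse_tasks_cfg(text):
    """Parse tasks.cfg-style text into {section: [(key, value), ...]}.

    Assumed format (from the quoted excerpt): "[name]" starts a section,
    each directive is "KEY value", "#" starts a comment, and a trailing
    backslash continues the directive on the next line. Continuation
    pieces are joined with a single space, on the assumption that a
    backslash never splits a token in half.
    """
    sections = {}
    current = None
    pieces = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pieces.append(line[:-1])
            continue
        pieces.append(line)
        full = " ".join(p.strip() for p in pieces).strip()
        pieces = []
        if not full or full.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", full)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # directive before any section header: ignore
        key, _, value = full.partition(" ")
        sections[current].append((key, value.strip()))
    return sections


def admin_senders(cfg_text, env=None):
    """Return the addresses passed to xymond via --admin-senders.

    Returns None when no [xymond] CMD carries the option, which per the
    quoted advisory means admin commands are accepted from any sender.
    'env' optionally maps variable names (e.g. XYMONSERVERIP) to values;
    unknown variables are left as "$NAME" so the reader can see them.
    """
    env = dict(env or {})
    for key, value in parse_tasks_cfg(cfg_text).get("xymond", []):
        if key != "CMD":
            continue
        for arg in shlex.split(value):
            if arg.startswith("--admin-senders="):
                raw = arg[len("--admin-senders="):]
                expanded = re.sub(r"\$(\w+)",
                                  lambda m: env.get(m.group(1), m.group(0)),
                                  raw)
                return [s for s in expanded.split(",") if s]
    return None


def is_restricted(cfg_text, env=None):
    """True if xymond's admin commands are limited to an explicit sender list."""
    return bool(admin_senders(cfg_text, env))


if __name__ == "__main__":
    # Usage: python check_admin_senders.py /etc/xymon/tasks.cfg [XYMONSERVERIP]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else RESTRICTED_CFG
    env = {"XYMONSERVERIP": sys.argv[2]} if len(sys.argv) > 2 else {}
    senders = admin_senders(text, env)
    if senders is None:
        print("no --admin-senders on the xymond CMD line: admin commands unrestricted")
    else:
        print("admin commands restricted to:", ", ".join(senders))
```

When run against the shipped 4.3.11 file the expected outcome is the restricted case; a None result on a real installation is the situation Henrik's advisory describes and is worth fixing before relying on the network as a mitigation.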