Xymon 4.3.29 Released - Important Security Update
Hello all,
Xymon 4.3.29 has been released to Sourceforge and should be propagating to mirrors as I write this. Along with an assortment of bug fixes and compilation compatibility fixes for recent glibc systems, this version contains several fixes for security vulnerabilities within some CGI parsing. Although some of these overflows are not exploitable, others, including an XSS vulnerability, are. Fixes beyond these CVEs have been made throughout the library, web, and network code to help reduce the likelihood of similar issues in other areas. As a result, all users are encouraged to upgrade.
The specific CVEs in question are: CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473, CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
Henrik and I would like to extend our thanks to the University of Cambridge Computer Security Incident Response Team, which reported the issues and helped validate their resolution.
Full release notes and other changes are available with the released tarball at https://sourceforge.net/projects/xymon/files/Xymon/4.3.29/
As always, thank you to everyone who has contributed patches, ideas, code, and feature requests to the project!
Sincerely, Japheth "J.C." Cleaver
The RPMs available at Terabithia have been updated to 4.3.29-1 in the /testing/ repositories at the moment.
If no specific issues are found (please report!), I'll promote these into the production repo in a day or two. (An announcement will be made here.)
Please note that I've built these only for EL5/6/7/8 and F28+ at the moment. If there are requests for older RPM distributions, I can spin RPMs for them as well, but I'd like to begin pruning them a bit if they're not necessary.
Regards, -jc
Just an FYI. When I updated my CentOS 7 xymon server by building from source, it refused to include the openssl libraries until I installed the libtirpc-devel package. Not sure why it is necessary.
-- Stephen
On 7/24/2019 7:01 AM, Stephen Carville (xymon list) wrote:
Just an FYI. When I updated my CentOS 7 xymon server by building from source, it refused to include the openssl libraries until I installed the libtirpc-devel package. Not sure why it is necessary.
Thanks, I'll make a note of that on the RPM site. The underlying reason here is that GCC's rpc interface was removed after a long deprecation, in favor of libtirpc. It was easier to simply test for that and move forward on use. This will also be necessary for 4.4 (IPv6) and was the main cause of the recent Fedora FTBFS's.
https://fedoraproject.org/wiki/Changes/SunRPCRemoval
Regards, -jc
On 7/24/19 6:39 PM, Japheth Cleaver wrote:
Thanks, I'll make a note of that on the RPM site. The underlying reason here is that GCC's rpc interface was removed after a long deprecation, in favor of libtirpc. It was easier to simply test for that and move forward on use. This will also be necessary for 4.4 (IPv6) and was the main cause of the recent Fedora FTBFS's.
OK. It makes sense now. Thank you.
-- Stephen
The Terabithia Xymon 4.3.29-1 packages have been updated in the production repositories and should be available for download at https://terabithia.org/rpms/xymon/
As a reminder, EL3 and EL4 and Fedora 18-27 have been retired -- those repos have been moved to the /retired/ directory.
As EPEL8 has not yet been released, an fping package is available in the EL8 repository, as well as man2html (needed for rebuilds).
Regards, -jc
On 7/23/2019 8:57 AM, Japheth Cleaver wrote:
The specific CVEs in question are: CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473, CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
For clarification, the above CVEs only affect the *server* side of the Xymon monitoring system. Xymon clients are not affected.
-jc
gcc prior to 4.6 gives the errors:
acklog.c: In function ‘do_acklog’:
acklog.c:129:12: error: #pragma GCC diagnostic not allowed inside functions
acklog.c:130:12: error: #pragma GCC diagnostic not allowed inside functions
acklog.c:132:12: error: #pragma GCC diagnostic not allowed inside functions
Discussion of other software with a similar problem suggests a gcc version test for those. Or just comment out those lines, for those who don't want to install a newer gcc and don't want to wait for a version test to be added.
Probably also in all the following:
-bash-4.1$ find . -type f -exec grep pragma {} +
./xymonnet/xymonnet.c: #pragma GCC diagnostic push
./xymonnet/xymonnet.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./xymonnet/xymonnet.c: #pragma GCC diagnostic pop
./lib/holidays.c: #pragma GCC diagnostic push
./lib/holidays.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/holidays.c: #pragma GCC diagnostic pop
./lib/acklog.c: #pragma GCC diagnostic push
./lib/acklog.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/acklog.c: #pragma GCC diagnostic pop
./lib/tree.c:#pragma GCC diagnostic push
./lib/tree.c:#pragma GCC diagnostic ignored "-Wunused-result"
./lib/tree.c:#pragma GCC diagnostic pop
./lib/htmllog.c: #pragma GCC diagnostic push
./lib/htmllog.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/htmllog.c: #pragma GCC diagnostic pop
./lib/stackio.c: #pragma GCC diagnostic push
./lib/stackio.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/stackio.c: #pragma GCC diagnostic pop
./lib/timefunc.c: #pragma GCC diagnostic push
./lib/timefunc.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/timefunc.c: #pragma GCC diagnostic pop
./lib/misc.c: #pragma GCC diagnostic push
./lib/misc.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/misc.c: #pragma GCC diagnostic pop
./lib/eventlog.c: #pragma GCC diagnostic push
./lib/eventlog.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/eventlog.c: #pragma GCC diagnostic pop
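One way to add the gcc version test Richard suggests, shown as an added example rather than a patch from the Xymon tree: the diagnostic pragmas are wrapped in macros that expand to nothing on compilers older than 4.6, and the -Wformat-truncation option, which GCC itself only added in 7, is guarded separately so older gcc does not complain about an unknown option. The macro and function names are assumptions, not names from the Xymon source.

```c
#include <stdio.h>
#include <string.h>

/* Stringize the pragma text so it can carry the quoted warning name. */
#define DO_PRAGMA(x) _Pragma(#x)

/* GCC 4.6 introduced push/pop and first allowed "#pragma GCC diagnostic"
 * inside a function body; before that the pragma is a hard error there.
 * -Wformat-truncation only exists from GCC 7, so it gets its own guard.
 * clang reports itself as GCC 4.2, so it is excluded explicitly. */
#if defined(__GNUC__) && !defined(__clang__) && \
    ((__GNUC__ > 4) || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6))
#  define DIAG_PUSH DO_PRAGMA(GCC diagnostic push)
#  define DIAG_POP  DO_PRAGMA(GCC diagnostic pop)
#  if __GNUC__ >= 7
#    define DIAG_IGNORE_FORMAT_TRUNCATION \
         DO_PRAGMA(GCC diagnostic ignored "-Wformat-truncation")
#  else
#    define DIAG_IGNORE_FORMAT_TRUNCATION
#  endif
#else
#  define DIAG_PUSH
#  define DIAG_POP
#  define DIAG_IGNORE_FORMAT_TRUNCATION
#endif

/* Hypothetical helper: build "host:svc" into a fixed buffer where truncation
 * is intended and checked, so the warning is silenced only around this call.
 * Returns 1 if the output did not fit (and was truncated), 0 otherwise. */
int short_label(char *out, size_t outlen, const char *hostname, const char *svc)
{
    int n;
DIAG_PUSH
DIAG_IGNORE_FORMAT_TRUNCATION
    n = snprintf(out, outlen, "%s:%s", hostname, svc);
DIAG_POP
    return (n < 0 || (size_t)n >= outlen) ? 1 : 0;
}
```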
Hi,
On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:
Although some of these overflows are not exploitable, others, including an XSS vulnerability are. [...] CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473, CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
Can either you or Graham get a bit more into the details regarding the impact of any of these vulnerabilities, or point out a posting where they are explained in more detail? So far I wasn't able to dig up any posting or similar, e.g. by the Cambridge CSIRT or Graham.
Currently the severity as well as the actual impact of these issues is quite unclear, also because the CVE-IDs all still say "RESERVED".
Regards, Axel
On 7/24/2019 6:54 AM, Axel Beckert wrote:
On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:
Although some of these overflows are not exploitable, others, including an XSS vulnerability are. [...] CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473, CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
Can either you or Graham get a bit more into the details regarding the impact of any of these vulnerabilities, or point out a posting where they are explained in more detail? So far I wasn't able to dig up any posting or similar, e.g. by the Cambridge CSIRT or Graham.
Currently the severity as well as the actual impact of these issues is quite unclear, also because the CVE-IDs all still say "RESERVED".
Regards, Axel
CSIRT may still have a write-up pending on these, but it is believed that the only impact is segfaults when passed invalid/overflow input. This is typically a hostsvc being parsed and assigned to a PATH_MAX-sized variable via sprintf rather than snprintf. The buffer overflow occurs, but it is not being passed unprocessed to a shell. In some cases passed parameters are passed through html quoting, thereby exceeding intended size through " " -> " " inflation, which leads to a buffer overflow when (unsafely) assigning to error output.
There was an initial concern about unparsed input being handed to xymongen during report generation, however this is passed as a single execv argument rather than via shell processing. This could lead to erroneous xymongen resource use by anyone with access to /xymon-seccgi/report.sh, however the same could be said for any (legitimate) access here.
The XSS (CVE-2019-13274) is trivially exploitable by attempting to pass javascript through the db parameter to csvinfo.sh.
Beyond the CVE's, we wanted to try to remove a large number of sprintf uses (especially in the web and lib code) to help potentially reduce future issues.
Regards, -jc
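The two patterns J.C. describes, a hostsvc formatted into a fixed PATH_MAX-sized buffer with sprintf, and html quoting that inflates a value past the size the caller budgeted for, shown as an added example that is not Xymon's own code: a bounded path builder that fails closed instead of overflowing, and a quoting helper that checks the expanded length before each write. The function and variable names (build_histlogfn, html_quote_bounded, histdir) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for sprintf(histlogfn, "%s/%s", histdir, hostsvc)
 * into a fixed (e.g. PATH_MAX-sized) buffer. Returns 0 on success, -1 if the
 * result would not fit; the caller's buffer is never written past outlen. */
int build_histlogfn(char *out, size_t outlen, const char *histdir, const char *hostsvc)
{
    int n = snprintf(out, outlen, "%s/%s", histdir, hostsvc);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* truncated: fail closed rather than use a partial path */
        return -1;
    }
    return 0;
}

/* HTML-quote src into dst without exceeding dstlen. A '"' becomes "&quot;"
 * (six bytes), so a value that fit before quoting may not fit after it; the
 * length is checked before every write. Returns the number of bytes written
 * (excluding the NUL), or -1 if the expanded text would not fit. */
int html_quote_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t used = 0;
    for (; *src; src++) {
        const char *rep;
        char one[2];
        size_t rl;
        one[0] = *src;
        one[1] = '\0';
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        default:   rep = one;      break;
        }
        rl = strlen(rep);
        if (used + rl + 1 > dstlen) {   /* +1 keeps room for the NUL */
            dst[0] = '\0';
            return -1;
        }
        memcpy(dst + used, rep, rl);
        used += rl;
    }
    dst[used] = '\0';
    return (int)used;
}
```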
On Wed, Jul 24, 2019 at 06:46:51PM -0700, Japheth Cleaver wrote:
CSIRT may still have a write-up pending on these, but it is believed that the only impact are segfaults when passed in invalid/overflow input. This is typically a hostsvc being parsed and assigned to a PATH_MAX-sized variable via sprintf rather than snprintf.
In addition the Debian binaries of Xymon (not sure if this is also covered in the upstream build system or a Debian-specific change by relying on Debian's dpkg-buildflags infrastructure) are built with FORTIFY_SOURCE.
Cheers, Moritz
Hi Japheth,
On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:
The specific CVEs in question are:
  CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
                                                             ^^^
  CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
             ^^^
But in the information for Xymon packagers you wrote a slightly differing set of CVE-IDs:
The CVEs in question are:
history.c (service overflows histlogfn) = CVE-2019-13451
reportlog.c (service overflows histlogfn) = CVE-2019-13452
csvinfo.c (srdb overflows dbfn) = CVE-2019-13273
                                             ^^^
csvinfo.c (reflected XSS) = CVE-2019-13274
                                       ^^^
acknowledge.c (htmlquoted(hostname) overflows msgline) = CVE-2019-13455
appfeed.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13484
history.c (hostname overflows selfurl) = CVE-2019-13485
svcstatus.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13486
Which ones are the correct ones? I used the latter ones in my changelog entry for the Debian package.
Kind regards, Axel
On 7/25/2019 6:24 AM, Axel Beckert wrote:
But in the information for Xymon packagers you wrote a slightly differing set of CVE-IDs:
The CVEs in question are:
history.c (service overflows histlogfn) = CVE-2019-13451
reportlog.c (service overflows histlogfn) = CVE-2019-13452
csvinfo.c (srdb overflows dbfn) = CVE-2019-13273
                                             ^^^
csvinfo.c (reflected XSS) = CVE-2019-13274
                                       ^^^
acknowledge.c (htmlquoted(hostname) overflows msgline) = CVE-2019-13455
appfeed.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13484
history.c (hostname overflows selfurl) = CVE-2019-13485
svcstatus.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13486
Which ones are the correct ones? I used the latter ones in my changelog entry for the Debian package.
Kind regards, Axel
Thanks, this is indeed a typo. The correct ones are CVE-2019-13*2*73 and CVE-2019-13*2*74, sent earlier, numerically the first in this set, both involving csvinfo.c (one for an overflow and one for the XSS).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13274
-jc