Login or Register to Ask a Question and Join Our Community


Security Advisories (RSS)

USN-698-2: Nagios3 vulnerabilities

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums Cybersecurity Security Advisories (RSS) USN-698-2: Nagios3 vulnerabilities
# 1  
Old 12-22-2008
USN-698-2: Nagios3 vulnerabilities
Referenced CVEs:
CVE-2008-5027, CVE-2008-5028


Description:
=========================================================== Ubuntu Security Notice USN-698-2 December 22, 2008 nagios3 vulnerabilities CVE-2008-5027, CVE-2008-5028 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.10: nagios3 3.0.2-1ubuntu1.1 After a standard system upgrade you need to restart Nagios to effect the necessary changes. Details follow: It was discovered that Nagios was vulnerable to a Cross-site request forgery (CSRF) vulnerability. If an authenticated nagios user were tricked into clicking a link on a specially crafted web page, an attacker could trigger commands to be processed by Nagios and execute arbitrary programs. This update alters Nagios behaviour by disabling submission of CMD_CHANGE commands. (CVE-2008-5028) It was discovered that Nagios did not properly parse commands submitted using the web interface. An authenticated user could use a custom form or a browser addon to bypass security restrictions and submit unauthorized commands. (CVE-2008-5027)





More...
Login or Register to Ask a Question

Previous Thread | Next Thread
Login or Register to Ask a Question

LEARN ABOUT OPENSOLARIS

esp

ipsecesp(7P)							     Protocols							      ipsecesp(7P)

NAME

       ipsecesp, ESP - IPsec Encapsulating Security Payload

SYNOPSIS

       drv/ipsecesp

DESCRIPTION

       The  ipsecesp  module  provides	confidentiality, integrity, authentication, and partial sequence integrity (replay protection) to IP data-
       grams. The encapsulating security payload (ESP) encapsulates its data, enabling it to protect data that follows in the  datagram.  For  TCP
       packets,  ESP  encapsulates  the  TCP header and its data only.	If the packet is an IP in IP datagram, ESP protects the inner IP datagram.
       Per-socket policy allows "self-encapsulation" so ESP can encapsulate IP options when necessary. See ipsec(7P).

       Unlike the authentication header (AH), ESP allows multiple varieties of datagram protection. (Using a single datagram protection  form  can
       expose vulnerabilities.) For example, only ESP can be used to provide confidentiality. But protecting confidentiality alone exposes vulner-
       abilities in both replay attacks and cut-and-paste attacks. Similarly, if ESP protects only integrity and does not  fully  protect  against
       eavesdropping, it may provide weaker protection than AH. See ipsecah(7P).

   ESP Device
       ESP is implemented as a module that is auto-pushed on top of IP. Use the /dev/ipsecesp entry to tune ESP with ndd(1M).

   Algorithms
       ESPuses	encryption and authentication algorithms. Authentication algorithms include HMAC-MD5 and HMAC-SHA-1. Encryption algorithms include
       DES, Triple-DES, Blowfish and AES. Each authentication and encryption algorithm contain key size and key format properties. You can  obtain
       a  list of authentication and encryption algorithms and their properties by using the ipsecalgs(1M) command. You can also use the functions
       described in the getipsecalgbyname(3NSL) man page to retrieve the properties of algorithms. Because of export laws in  the  United  States,
       not all encryption algorithms are available outside of the United States.

   Security Considerations
       ESP without authentication exposes vulnerabilities to cut-and-paste cryptographic attacks as well as eavesdropping attacks. Like AH, ESP is
       vulnerable to eavesdropping when used without confidentiality.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsr (32-bit)		   |
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       ipsecalgs(1M), ipsecconf(1M), ndd(1M), attributes(5), getipsecalgbyname(3NSL), ip(7P), ipsec(7P), ipsecah(7P)

       Kent, S. and Atkinson, R.RFC 2406, IP Encapsulating Security Payload (ESP), The Internet Society, 1998.

SunOS 5.11							    18 May 2003 						      ipsecesp(7P)