Input validation error in nagios (Alpine package)

1) Input validation error

EUVDB-ID: #VU32581

Risk: Low

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2013-7108

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote #AU# to #BASIC_IMPACT#.

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.

Mitigation

Install update from vendor's website.

Vulnerable software versions

nagios (Alpine package): 3.4.4-r0

CPE2.3

• cpe:2.3:a:alpine:nagios_alpine_package:3.4.4-r0:*:*:*:*:alpine_linux:*:2.4

External links

https://git.alpinelinux.org/aports/commit/?id=bc591804416645cfa8daae8a4d4ab036ba72a402
https://git.alpinelinux.org/aports/commit/?id=c9d8a6c05b5f9253252739560fe8d76468e826c0
https://git.alpinelinux.org/aports/commit/?id=ea378e00bf8b68874150bc606edc6818b9ff233f
https://git.alpinelinux.org/aports/commit/?id=0fc285b2ea702c82941928cdfa4e521addba1705

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.