SB2017033103 - Multiple vulnerabilities in Nagios

Description

This security bulletin contains information about 2 vulnerabilities.

1) Use of hard-coded credentials (CVE-ID: CVE-2016-0726)

CWE-ID: CWE-798 - Use of Hard-coded Credentials

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.

2) Cross-site scripting (CVE-ID: CVE-2016-6209)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Cross-site scripting (XSS) vulnerability in Nagios.

Remediation

Install update from vendor's website.

References

• https://bugzilla.redhat.com/show_bug.cgi?id=1295446
• http://seclists.org/fulldisclosure/2016/Jun/20
• https://bugzilla.redhat.com/show_bug.cgi?id=1346217