Main Vulnerability Database Vulnerabilities #VU36804

#VU36804 Link following in Nagios - CVE-2016-8641

Published: August 1, 2018 / Updated: August 9, 2020

Vulnerability identifier: #VU36804

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2016-8641

CWE-ID: CWE-59

Exploitation vector: Local access

Exploit availability: Public exploit is available

Vulnerable software:
Nagios

Software vendor:
nagios.org

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possibly escalating the privileges with the ownership change.

Remediation

Install update from vendor's website.

External links

http://www.securityfocus.com/bid/95121
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8641
https://github.com/NagiosEnterprises/nagioscore/commit/f2ed227673d3b2da643eb5cad26b2d87674f28c1.patch
https://security.gentoo.org/glsa/201702-26
https://www.exploit-db.com/exploits/40774/

#VU36804 Link following in Nagios - CVE-2016-8641

Description

Remediation

External links

Please verify you're human