Vulnerabilities > CVE-2006-2489 - Remote Content-Length Integer Overflow vulnerability in Nagios
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Integer overflow in CGI scripts in Nagios 1.x before 1.4.1 and 2.x before 2.3.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a content length (Content-Length) HTTP header. NOTE: this is a different vulnerability than CVE-2006-2162.
Vulnerable Configurations
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-287-1.NASL description The nagios CGI scripts did not sufficiently check the validity of the HTTP Content-Length attribute. By sending a specially crafted HTTP request with an invalidly large Content-Length value to the Nagios server, a remote attacker could exploit this to execute arbitrary code with web server privileges. Please note that the Apache 2 web server already checks for valid Content-Length values, so installations using Apache 2 (the only web server officially supported in Ubuntu) are not vulnerable to this flaw. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 21612 published 2006-05-29 reporter Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21612 title Ubuntu 5.04 / 5.10 : nagios vulnerability (USN-287-1) code #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-287-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

# Registration branch: only plugin metadata is declared here; no host
# interaction happens before exit(0) at the end of this block.
if (description)
{
  script_id(21612);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:33:00");

  script_cve_id("CVE-2006-2489");
  script_xref(name:"USN", value:"287-1");

  script_name(english:"Ubuntu 5.04 / 5.10 : nagios vulnerability (USN-287-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Ubuntu host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The nagios CGI scripts did not sufficiently check the validity of the HTTP Content-Length attribute. By sending a specially crafted HTTP request with an invalidly large Content-Length value to the Nagios server, a remote attacker could exploit this to execute arbitrary code with web server privileges. Please note that the Apache 2 web server already checks for valid Content-Length values, so installations using Apache 2 (the only web server officially supported in Ubuntu) are not vulnerable to this flaw. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nagios-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nagios-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nagios-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nagios-text");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/05/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. 
/ NASL script (C) 2006-2016 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  # Package data comes from the SSH info-gathering plugin; the dpkg list is
  # published under the Debian KB key even on Ubuntu.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

# Detection is version-based only: it compares installed dpkg versions with
# the fixed versions from USN-287-1 and never touches the Nagios CGIs.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
# Only the two releases covered by the advisory are evaluated.
if (! ereg(pattern:"^(5\.04|5\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.04 / 5.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
# Version tables below exist only for x86 / x86_64 builds.
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;
# Any installed package older than the fixed version increments flag.
# NOTE(review): the advisory's Apache 2 exemption in the description is not
# modelled here; a hit is reported regardless of which web server fronts the
# CGIs, so treat it as a missing-patch finding rather than proof of exposure.
if (ubuntu_check(osver:"5.04", pkgname:"nagios-common", pkgver:"1.3-0+pre6ubuntu0.2")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"nagios-mysql", pkgver:"1.3-0+pre6ubuntu0.2")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"nagios-pgsql", pkgver:"1.3-0+pre6ubuntu0.2")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"nagios-text", pkgver:"1.3-0+pre6ubuntu0.2")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"nagios-common", pkgver:"1.3-cvs.20050402-4ubuntu3.2")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"nagios-mysql", pkgver:"1.3-cvs.20050402-4ubuntu3.2")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"nagios-pgsql", pkgver:"1.3-cvs.20050402-4ubuntu3.2")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"nagios-text", pkgver:"1.3-cvs.20050402-4ubuntu3.2")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : ubuntu_report_get()
  );
  exit(0);
}
else
{
  # Distinguish "package present but patched" from "package not installed".
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nagios-common / nagios-mysql / 
nagios-pgsql / nagios-text");
}
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200605-07.NASL description The remote host is affected by the vulnerability described in GLSA-200605-07 (Nagios: Buffer overflow) Sebastian Krahmer of the SuSE security team discovered a buffer overflow vulnerability in the handling of a negative HTTP Content-Length header. Impact : A buffer overflow in Nagios CGI scripts under certain web servers allows remote attackers to execute arbitrary code via a negative content length HTTP header. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 21349 published 2006-05-13 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21349 title GLSA-200605-07 : Nagios: Buffer overflow code #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200605-07.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

# Registration branch: metadata only, exits before any check runs.
if (description)
{
  script_id(21349);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:43");

  # This single check covers both the negative-length (CVE-2006-2162) and
  # the integer-overflow (CVE-2006-2489) Content-Length issues, since the
  # GLSA fixes both with the same version bump.
  script_cve_id("CVE-2006-2162", "CVE-2006-2489");
  script_xref(name:"GLSA", value:"200605-07");

  script_name(english:"GLSA-200605-07 : Nagios: Buffer overflow");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200605-07 (Nagios: Buffer overflow) Sebastian Krahmer of the SuSE security team discovered a buffer overflow vulnerability in the handling of a negative HTTP Content-Length header. Impact : A buffer overflow in Nagios CGI scripts under certain web servers allows remote attackers to execute arbitrary code via a negative content length HTTP header. Workaround : There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200605-07"
  );
  # The '#' characters below are inside the string literal (shell prompts in
  # the upgrade instructions), not NASL comments.
  script_set_attribute(
    attribute:"solution",
    value:
"All Nagios users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-analyzer/nagios-core-1.4.1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:nagios-core");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/05/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/13");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/08");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Preconditions: credentialed local checks and a Gentoo package list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Version-only test against the GLSA's fixed version; the CGIs are not probed.
# NOTE(review): only the 1.x package is evaluated here; the CVE also lists
# the 2.x branch (fixed in 2.3.1), which this plugin does not test - confirm
# against the GLSA whether a 2.x ebuild was in scope at the time.
if (qpkg_check(package:"net-analyzer/nagios-core", unaffected:make_list("ge 1.4.1"), vulnerable:make_list("lt 1.4.1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Nagios");
}
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1072.NASL description A buffer overflow has been discovered in nagios, a host, service and network monitoring and management system, that could be exploited by remote attackers to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 22614 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22614 title Debian DSA-1072-1 : nagios - buffer overflow code #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1072. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Registration branch: metadata only, exits before any check runs.
if (description)
{
  script_id(22614);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2006-2162", "CVE-2006-2489");
  script_bugtraq_id(17879);
  script_xref(name:"DSA", value:"1072");

  script_name(english:"Debian DSA-1072-1 : nagios - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A buffer overflow has been discovered in nagios, a host, service and network monitoring and management system, that could be exploited by remote attackers to execute arbitrary code."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366682"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366683"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=368193"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2006/dsa-1072"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the nagios package. The old stable distribution (woody) does not contain nagios packages. For the stable distribution (sarge) this problem has been fixed in version 1.3-cvs.20050402-2.sarge.2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # Temporal vector: unproven exploit, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/08");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions: credentialed local checks and a dpkg package list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
# Only sarge (3.1) is tested: per the solution text, woody shipped no nagios
# packages. Detection is by dpkg version against the DSA's fixed version;
# the CGIs themselves are not probed.
if (deb_check(release:"3.1", prefix:"nagios-common", reference:"1.3-cvs.20050402-2.sarge.2")) flag++;
if (deb_check(release:"3.1", prefix:"nagios-mysql", reference:"1.3-cvs.20050402-2.sarge.2")) flag++;
if (deb_check(release:"3.1", prefix:"nagios-pgsql", reference:"1.3-cvs.20050402-2.sarge.2")) flag++;
if (deb_check(release:"3.1", prefix:"nagios-text", reference:"1.3-cvs.20050402-2.sarge.2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
References
- http://secunia.com/advisories/20123
- http://secunia.com/advisories/20247
- http://secunia.com/advisories/20313
- http://www.debian.org/security/2006/dsa-1072
- http://www.gentoo.org/security/en/glsa/glsa-200605-07.xml
- http://www.nagios.org/development/changelog.php
- http://www.securityfocus.com/bid/18059
- http://www.vupen.com/english/advisories/2006/1822
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26454
- https://usn.ubuntu.com/287-1/