Restricted contacts can see servers that do not belong to them
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
nagios3 (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Trusty |
Fix Released
|
Medium
|
Unassigned | ||
Xenial |
Fix Released
|
Medium
|
Unassigned | ||
Yakkety |
Fix Released
|
Medium
|
Unassigned | ||
Zesty |
Fix Released
|
Medium
|
Unassigned |
Bug Description
[Impact]
* It is possible for users to see information about servers that they have not been given permission to see
* A fix should be backported because this is a security problem and causes Nagios to leak data
* The patch introduces the proper checks on hostgroup permissions as per Nagios 4.2.2
[Test Case]
* Configure Nagios to monitor multiple servers
* Create a second contact called "jbloggs" (in /etc/nagios/
* Create a second contact group called "oneserver" containing the second contact (in /etc/nagios/
* Set the contact_groups property for one of the servers to be "admins,oneserver"
* Add an entry to /etc/nagios3/
* Login to Nagios as "jbloggs"
* On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and "Hostgroups -> Grid", and observe that the "jbloggs" user can view information about servers they don't have permission to see (full details including screenshots can be found on the Nagios forum link below)
[Regression Potential]
* It's possible that this may create other issues when viewing hostgroups in the Nagios web interface although I have not seen any such issues, and this fix was deemed to be acceptable by the Nagios core team in Nagios 4.2.2 (tracker link below) so I think the chances of any issues are very low.
[Other Info]
* This fix is the same fix that was applied upstream in Nagios 4.2.2, although as Ubuntu doesn't ship that version the fix never made it in
* This problem didn't exist under Precise as that ran Nagios 3.2.x so this was an upstream regression that happened after that version
[Original Description]
There is a problem with the hostgroups reports that allows restricted contacts to see servers that do not belong to them provided they are in the same hostgroup.
This issue was reported to the Nagios project in 2013 here (with screenshots, sample configs, etc): https:/
It was fixed in Nagios 4.2.2 here: https:/
This problem exists in Nagios 3.5.x that did not exist under 3.2.x, however it seems likely that the fix in 4.2.2 could be backported to Nagios 3.5.x.
lsb_release -rd output:
Description: Ubuntu 16.04.2 LTS
Release: 16.04
apt-cache policy nagios3 nagios3-cgi output:
nagios3:
Installed: 3.5.1.dfsg-
Candidate: 3.5.1.dfsg-
Version table:
*** 3.5.1.dfsg-
500 http://
500 http://
100 /var/lib/
3.
500 http://
nagios3-cgi:
Installed: 3.5.1.dfsg-
Candidate: 3.5.1.dfsg-
Version table:
*** 3.5.1.dfsg-
500 http://
500 http://
100 /var/lib/
3.
500 http://
CVE References
Changed in nagios3 (Ubuntu Zesty): | |
status: | Fix Committed → Fix Released |
Marked this as a security issue as the bug can cause Nagios to leak data to users who should not see it, if that's wasn't the right thing to do please feel free to revert that.