Control: retitle -1 xymon-client: Disable by default the ability of logfetch to execute arbitrary code fetched from the Xymon server
Control: forwarded -1 https://lists.xymon.com/archive/2021-October/047749.html
Control: tag -1 + upstream confirmed

Hi,

Christoph Zechner wrote:
> Package: xymon-client
> Severity: critical
> Tags: patch security
> Justification: root security hole
> X-Debbugs-Cc: zech...@vrvis.at, Debian Security Team <t...@security.debian.org>
>
> The default for logfetch's options (found in /etc/xymon/xymonclient.cfg) is:
>
> LOGFETCHOPTS=""
>
> which enables it to execute arbitrary code [1].

Yes, I saw the discussion on that on the upstream mailing list [2]. As mentioned there by others, this is on purpose and only during a "pull" from the server, i.e. no remote code execution by arbitrary attackers. I updated the bug report title accordingly.

[2] https://lists.xymon.com/archive/2021-October/thread.html#47749

Downside here is that Xymon doesn't use TLS and hence DNS spoofing attacks might be able to redirect the client's connection if hostnames instead of the recommended IPs are used in /etc/default/xymon-client. Otherwise attacking this would require first hijacking either the routing or a router in between for a MITM attack on this.

> This can and should be prevented by default by using
>
> LOGFETCHOPTS="--noexec"
>
> instead.

Hrm. The Debian package for sure will switch that option if upstream does. I'm though currently a bit reluctant to apply this patch and deviate from upstream's defaults (even more) since the default settings with IP addresses are less prone to that attack than if the admin uses DNS names instead of the recommended use of IP addresses for the server.

Tagging as "upstream" for now.

JFTR: I use that feature in some places and I don't know how widely it is used by others. I though suspect it is indeed used rather rarely. The common use-case seems to be if the syslog server adds a date extension already upon file creation so that logrotate becomes unnecessary. AFAIK none of Debian's syslog servers does that by default, though.

Myon: Any opinion on this?

Regards, Axel
-- 
,''`.  | Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `'  | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-   | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
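The two settings the thread turns on (LOGFETCHOPTS lacking --noexec, and server entries given as DNS names rather than the recommended IP addresses) can be checked on a host with a small audit script. This is an added example, not code from the bug report or the xymon-client package; it assumes the Debian server list lives in a XYMONSERVERS= line of /etc/default/xymon-client, and it only recognises IPv4 dotted-quads as IP literals (IPv6 entries are flagged for manual review). File paths are passed in so it runs on constructed sample files.

```shell
#!/bin/sh
# Audit helper for the two settings discussed in the thread (added example).

# Returns 0 if the last LOGFETCHOPTS= line in $1 contains --noexec, else 1.
logfetch_noexec_set() {
    opts=$(sed -n 's/^[[:space:]]*LOGFETCHOPTS=//p' "$1" | tail -n 1 | tr -d '"')
    case " $opts " in
        *" --noexec "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints each XYMONSERVERS entry in $1 (assumed variable name) that is not a
# dotted-quad IPv4 literal; such entries depend on DNS, which the report notes
# can be spoofed because Xymon does not use TLS.
non_ip_servers() {
    servers=$(sed -n 's/^[[:space:]]*XYMONSERVERS=//p' "$1" | tail -n 1 | tr -d '"')
    for s in $servers; do
        case $s in
            *[!0-9.]*|*..*|.*|*.) printf '%s\n' "$s" ;;
            *) ;;
        esac
    done
}

# $1 = xymonclient.cfg, $2 = /etc/default/xymon-client. Returns 1 on any finding.
audit_xymon_client() {
    rc=0
    if logfetch_noexec_set "$1"; then
        echo "OK: LOGFETCHOPTS contains --noexec"
    else
        echo "WARN: LOGFETCHOPTS lacks --noexec; logfetch may run server-supplied commands"
        rc=1
    fi
    bad=$(non_ip_servers "$2")
    if [ -n "$bad" ]; then
        echo "WARN: server(s) configured by hostname (DNS-dependent): $bad"
        rc=1
    fi
    return $rc
}

# Constructed sample files: the Debian default from the report, the proposed
# fix, and server lists with and without a hostname entry.
write_samples() {
    printf 'LOGFETCHOPTS=""\n' > "$1/default.cfg"
    printf 'LOGFETCHOPTS="--noexec"\n' > "$1/fixed.cfg"
    printf 'XYMONSERVERS="192.0.2.10 xymon.example.org"\n' > "$1/xymon-client"
    printf 'XYMONSERVERS="192.0.2.10"\n' > "$1/xymon-client-ip"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_xymon_client "$demo_dir/default.cfg" "$demo_dir/xymon-client"   # two WARN lines
audit_xymon_client "$demo_dir/fixed.cfg" "$demo_dir/xymon-client-ip"  # OK line only
```

On a real host, run it as `audit_xymon_client /etc/xymon/xymonclient.cfg /etc/default/xymon-client`.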