cmd.cgi authorization bypass vulnerability in Nagios pre-3.0.5

by Andreas Ericsson

Recently, Tim Starling of the Wikimedia Foundation reported an issue that could allow authenticated users to bypass the authorization in cmd.cgi and submit arbitrary commands to Nagios' command pipe.

The vulnerability can be proven like this:
A user without full privileges creates an off-site form to submit a comment to Nagios. In the custom web form, the comment_data field is altered to be a "textarea" rather than "text", so the user can put newlines in there (note that this can easily be done with browser add-ons too).

The evil user then creates the comment so that the textarea contains a newline, and lets the second line contain a completely different command. cmd.cgi only verifies that the user is allowed to submit the first command but sends the entire input to Nagios without checking it for newlines. Nagios reads its command-pipe line-by-line and has no way of picking up the username of the person that submitted the command, so it happily runs all the commands fed to it.
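To make the one-line invariant concrete, here is an added example (not Nagios code and not the actual 3.0.5 patch) showing the check cmd.cgi was missing: every user-supplied field is rejected if it contains CR or LF before it is formatted into a single `[timestamp] COMMAND;args` line for the pipe. The `ADD_HOST_COMMENT` format is the standard Nagios external-command syntax; the helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Returns 1 if the field can be embedded in ONE external-command line:
 * no CR or LF, because the pipe reader treats each line as a new command
 * and only the first line was ever authorization-checked. Hypothetical helper. */
int field_is_single_line(const char *s) {
    return s != NULL && strpbrk(s, "\r\n") == NULL;
}

/* Build "[timestamp] ADD_HOST_COMMENT;host;persistent;author;comment\n" into out.
 * Returns 0 on success, -1 if any field would break the one-line invariant
 * or the buffer is too small. Hypothetical helper, not cmd.cgi code. */
int build_add_host_comment(char *out, size_t outlen, time_t now,
                           const char *host, int persistent,
                           const char *author, const char *comment) {
    const char *fields[] = { host, author, comment };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        if (!field_is_single_line(fields[i]))
            return -1;   /* refuse instead of forwarding a second command */
    int n = snprintf(out, outlen, "[%ld] ADD_HOST_COMMENT;%s;%d;%s;%s\n",
                     (long)now, host, persistent, author, comment);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Number of command lines the Nagios pipe reader would process from buf;
 * useful as a regression check that a built line never expands to more than one. */
int count_pipe_lines(const char *buf) {
    int lines = 0;
    for (; *buf; buf++)
        if (*buf == '\n')
            lines++;
    return lines;
}

int main(void) {
    char line[256];
    /* Constructed sample values for demonstration. */
    if (build_add_host_comment(line, sizeof line, time(NULL), "web01", 1,
                               "alice", "disk almost full") == 0)
        fputs(line, stdout);
    if (build_add_host_comment(line, sizeof line, time(NULL), "web01", 1,
                               "alice", "first line\nsecond line") != 0)
        puts("rejected: comment_data contains a line break");
    return 0;
}
```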

For Nagios 2, this wouldn't have been such a big deal. The evil user could stop Nagios entirely, which is of course (very!) bad, but that's where it ends.

However, in Nagios 3, the ability to change check commands and their arguments was added. Authenticated users can exploit this vulnerability to cause the Nagios process to run arbitrary commands, such as emailing the Nagios configuration (with its accurate map of the network and whatever passwords are stored there) to themselves, or opening up remote shell sessions originating from inside the firewall. Bad stuff indeed.

I wrote a couple of patches that completely fix this. Those patches were included in Nagios 3.0.5 and op5 Monitor 4.0.1. All users are urged to upgrade as soon as possible.

This vulnerability has been assigned the candidate name CVE-2008-5027 by Steven M. Christey of Mitre. The CVE details are below.

======================================================
Name: CVE-2008-5027
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027
Reference: MLIST:[nagios-devel] 20081107 Security fixes completed
Reference: URL:http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se&forum_name=nagios-devel
Reference: MLIST:[oss-security] 20081106 CVE request: Nagios (two issues)
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/06/2
Reference: MISC:http://www.nagios.org/development/history/nagios-3x.php
Reference: CONFIRM:http://www.op5.com/support/news/389-important-security-fix-available-for-op5-monitor
Reference: BID:32156
Reference: URL:http://www.securityfocus.com/bid/32156

The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor
before 4.0.1 allows remote authenticated users to bypass authorization
checks, and trigger execution of arbitrary programs by this process,
via an (a) custom form or a (b) browser addon.
