LNSA-#2004-0008: Multiple security problems in Monit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
************************************************************************************
Netwosix Linux Security Advisory #2004-0008 <http://www.netwosix.org>
-
-----------------------------------------------------------------------------------
Package name: monit
Summary: Multiple security problems in monit
Date: 2004-04-06
Affected versions: Netwosix 1.0
Netwosix 1.1
************************************************************************************
- -> Package description:
- ------------------------
monit is a utility for managing and monitoring, processes, files, directories
and devices on a Unix system. Monit conducts automatic maintenance and repair
and can execute meaningful causal actions in error situations. E.g. monit can
start a process if it does not run, restart a process if it does not respond
and stop a process if it uses to much resources. You may use monit to monitor
files, directories and devices for changes, such as timestamp changes,
checksum changes or size changes. You can also use monit to monitor remote
hosts; monit can ping a remote host and can check port connections and
protocols.
- -> Problem description:
- ------------------------
1. Monit HTTP Interface Buffer Overflow Vulnerability
=====================================================
Monit implements a simple HTTP interface that supports Basic
authentication. This interface suffers from a buffer overflow
vulnerability when handling a client that authenticates with malformed
credentials. An attacker could send a carefully crafted Authorization
header to the monit server and cause the server to either crash or
worse to execute arbitrary code with the privileges of the monit user.
2. Off-By-One Overflow in Monit HTTP Interface
==============================================
This buffer overflow lies in the handling of POST submissions with
entity bodies. If the request body has the exact length of X bytes,
monit will write one byte past its designated input buffer. This error
can cause the monit server to crash.
- -> Action:
- ------------------------
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
- -> Location:
- ---------------------
You can download the latest version of this package in NEPOTE format from:
<http://download.netwosix.org/0008/nepote>
- -> Nepote Update (Nepote has been updated with new ports on 21 March 2004.
Update your portage tree from http://nepote.netwosix.org, first):
- ---------------------
See this instructions to update the port of this package:
# cd /usr/ports/sysutils/monit
# rm nepote
# wget http://download.netwosix.org/0008/nepote
# sh nepote (to install the new and updated package)
- -> References
- ---------------------
Specific references for this advisory:
http://www.tildeslash.com/monit/secadv_20040305.txt
- -> About Linux Netwosix:
- ---------------------------------
Linux Netwosix is a powerful and optimized Linux distribution for servers
and Network Security related jobs. It can also be used for special operations
such as penetration testing with its big collection of security oriented
software and sources. It's a light distribution created for the requirements
of every SysAdmin and it's very portable and highly configurable. Our
philosophy is to give greater liberty for configuration to the SysAdmin.
Only in this way can he/she configure a powerful and stable server machine.
Linux Netwosix also has a powerful ports system (Nepote) similar to the xBSD
systems but more flexible and usable.
- -> Questions?
- ---------------------
Check out our mailing lists:
<http://www.netwosix.org/mailing.html>
The advisory itself is available at
<http://www.netwosix.org/adv08.html>
- --------------------------------------------------
MD5sums of the packages:
- - --------------------------------------------------------------------------
68e85a51998a53459a09d2aa0d5f905d 0008/nepote
- - --------------------------------------------------------------------------
Vincenzo Ciaglia - Linux Netwosix Security Advisories
<ciaglia@xxxxxxxxxxxx> - <http://www.netwosix.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAcvtD6jz9pGuz4koRAotTAJ901+SGV8c4A9AbgmdQCjAHHztJRQCgpHXd
ie9dqikx/rMg98mpl08fgWs=
=ugHE
-----END PGP SIGNATURE-----