ADAPTIVE CHECK CHANGE_SVC_CHECK_COMMAND

Andreas Ericsson ae at op5.se
Mon Jan 14 11:05:00 CET 2013


On 01/14/2013 09:36 AM, Javier Garces Asensio wrote:
> Hello everybody
> 
> First, I don't know if this is the most appropriate list to send this
> message because I'm not a developer but I've sent it to the nagios-user list
> but I have not gotten any response,…
> 
> I would like to use the external command change_svc_check_command to change
> dynamically the warning and critical values of the checks.
> However it doesn't work
> I think the cause that it doesn't work is the modification introduced in the
> version 3.0.6 (Disabled adaptive check and eventhandler commands for
> security reasons ) as you can see in the URL:
> 
> <http://www.nagios.org/projects/nagioscore/history/core-3x>
> 
> I'm using the 3.2.1 version.
> In this version and also in the latest version 3.4.3, I can see the next
> source code in the base/commands.c file
> 
> 	/* SECURITY PATCH - disable these for the time being */
> 	switch(cmd) {
> 	case CMD_CHANGE_GLOBAL_HOST_EVENT_HANDLER:
> 	case CMD_CHANGE_GLOBAL_SVC_EVENT_HANDLER:
> 	case CMD_CHANGE_HOST_EVENT_HANDLER:
> 	case CMD_CHANGE_SVC_EVENT_HANDLER:
> 	case CMD_CHANGE_HOST_CHECK_COMMAND:
> 	case CMD_CHANGE_SVC_CHECK_COMMAND:
> 		return ERROR;
> 	}
> 
> I guess if I delete the above code, the external command
> change_svc_check_command will work
> 
> Is it not recommended to enable this external command?
> Why was it disabled in the version 3.0.6? This is not resolved in the latest
> version?

Enabling it allows scheduled remote execution of commands due to a
combination of bugs in the Nagios CGIs that were present in early
versions of the 3.x series. The full fix includes hashing code and
in-form security tokens, but that part of the patch was dropped
(understandably, as it included quite a major change and still didn't
fully block the issue), so keeping the "CHANGE_" commands disabled
is the safest possible default.

By removing the above code (as you mentioned), things should work
out pretty well, but then you should take some other measures to
protect against cross-site request forgeries to prevent your
system being compromised.

I have to note that an attack is unlikely though, as the CHANGE_
commands aren't expected to work in Nagios anymore, so no one's
really targeting them.


> I haven't found any official documentation about this
> 

There's plenty over at cve.mitre.org, but you'll have to dig that
up yourself. I handled the matter on behalf of Nagios Core, so a
search for my name, CVE and Nagios will most likely yield some info.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.

_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel
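
An added example, not part of the original message and not the patch that was dropped from Nagios: one way an in-form security token of the kind mentioned in the reply can bind a command form to the authenticated user and the command being submitted, using an HMAC. The function names, the secret handling, the token layout and the sample user name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-installation secret known only to the server side.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 600  # seconds a rendered form stays valid (assumed value)


def _mac(user, command, expires):
    # NUL-separated fields so a value cannot shift from one field into another.
    msg = "\x00".join((user, command, str(expires))).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user, command, now=None):
    """Token embedded as a hidden field when the command form is rendered."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}:{_mac(user, command, expires)}"


def verify_token(token, user, command, now=None):
    """True only for an unexpired token issued to this user for this command."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, mac = token.split(":", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token: treat the request as forged
    if expires < now:
        return False
    expected = _mac(user, command, expires)
    # Constant-time comparison on bytes, so odd characters cannot raise.
    return hmac.compare_digest(mac.encode(), expected.encode())


def submit_command(form, authenticated_user):
    """Gate a state-changing request before anything is written to the command pipe."""
    command = form.get("command", "")
    if not verify_token(form.get("token"), authenticated_user, command):
        return "rejected"
    return "accepted"
```

A token like this does not help if script injected into the same origin can read the page that carries it.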
