Root privilege escalation CVE-2017-14312

pepe_carlos

Post by pepe_carlos

Hi,

I read about this vulnerability https://github.com/NagiosEnterprises/na ... issues/424 and I have some doubts:

Is it really a significant vulnerability?

In what cases could it be exploited? I think that a simple user cannot change the configuration file (only the nagios user and group can change it).

Does any workaround exist?

I would also like to know the official planned (estimated) date to solve this vulnerability.

Thanks.
cdienger
Support Tech

Re: Root privilege escalation CVE-2017-14312

Post by cdienger

It isn't an immediate threat in most deployments, as it does require nagios user or group permissions to create or modify the configs to exploit this. We are planning a fix for the 5.0 release of Core, but a time frame isn't available. A workaround is covered in https://seclists.org/oss-sec/2017/q3/474