Root privilege escalation CVE-2017-14312


Post by pepe_carlos » Fri Sep 14, 2018 3:57 am

Hi,

I read about this vulnerability https://github.com/NagiosEnterprises/na ... issues/424 and I have some doubts:

Is it really a significant vulnerability?

In what cases could it be exploited? I think that a simple user cannot change the configuration file (only the nagios user and group can change it).

Does any workaround exist?

I would also like to know the official planned (estimated) date to solve this vulnerability.

Thanks.
pepe_carlos

Re: Root privilege escalation CVE-2017-14312

Post by cdienger » Fri Sep 14, 2018 3:35 pm

It isn't an immediate threat in most deployments, as it does require nagios user or group permissions to create or modify the configs to exploit this. We are planning a fix for the 5.0 release of Core, but a time frame isn't available. A workaround is covered in https://seclists.org/oss-sec/2017/q3/474
cdienger
Support Tech
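A defender-side check for the precondition described in the reply above, added here as an example and not taken from the thread or from Nagios's own code: it walks from a file up through its parent directories and lists every component that is owned by an account outside a trusted set or is writable by group or other. The function name, the `stop` parameter and the paths you pass in are assumptions; supply the binary and configuration paths of your own installation.

```python
import os
import stat
import sys


def audit_path(path, trusted_uids=(0,), stop=None):
    """Return (component, reason) findings for `path` and each parent directory.

    A component is reported when its owner is not in `trusted_uids` or when
    its mode grants write access to group or other. A writable parent matters
    as much as the file itself, because it lets the file be replaced.
    `stop` (hypothetical convenience parameter) ends the walk before that
    directory; by default the walk continues up to the filesystem root.
    """
    findings = []
    current = os.path.realpath(path)          # resolve symlinks first
    stop = os.path.realpath(stop) if stop else None
    while current != stop:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((current, f"group/other writable (mode {mode:04o})"))
        parent = os.path.dirname(current)
        if parent == current:                 # reached "/"
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Usage: python audit.py <path> [<path> ...]
    # Each path is one the root-started process reads or executes.
    for target in sys.argv[1:]:
        results = audit_path(target)
        if not results:
            print(f"{target}: root-owned and not group/other writable")
        for component, reason in results:
            print(f"{target}: {component}: {reason}")
```

Every component it reports is a place where the non-root account named in the reason could create or modify what a root-started process later reads.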
