cve-2024-39689 - Plugin 204790 -> Python Library Certifi Vulnerability!

vsrigane
Posts: 3
Joined: Mon Dec 09, 2024 4:32 pm

cve-2024-39689 - Plugin 204790 -> Python Library Certifi Vulnerability!

Post by vsrigane »

Hi,

My team has Nagios Core 4.5.3 deployed on Red Hat 8 servers.
We are planning an upgrade to Nagios Core 4.5.8 so that we are on a more current level of Nagios Core and also to address https://nvd.nist.gov/vuln/detail/cve-2024-39689.

Tenable scans detect the CVE : Plugin 204790 -> Python Library Certifi
A Python library installed on the remote host is affected by a root certificate vulnerability.

Description
The detected version of the Certifi Python package, certifi, is prior to version 2024.07.04. It therefore contains untrusted root certificates from GLOBALTRUST. An unauthenticated, remote attacker can exploit this to gain arbitrary permissions within the application.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Output from most recent scan
Path : /usr/lib/python2.7/site-packages/certifi-2021.10.8.dist-info
Installed version : 2021.10.8
Fixed version : 2024.07.04

In our initial upgrade testing, the CVE was still noted with Nagios Core 4.5.8.
Even though we read guidance that recommended Python only be upgraded with the Nagios Core upgrade/distribution, we tested an upgrade of Python to 3.x.
Nagios Core did not function normally after Python was upgraded. Python upgrade was backed out.

This CVE is high severity. We are being pressured to remediate ASAP.

Is the Nagios Core team aware of this CVE?
Is there a workaround possible to mitigate the issues?
Is there a target date for when a remediated version of Nagios Core will be available?

The same concern has been posted to -> https://github.com/NagiosEnterprises/na ... ssues/1011

Thank you in advance!

Thanks,
Vishwa
DoubleDoubleA
Posts: 273
Joined: Thu Feb 09, 2017 5:07 pm

Re: cve-2024-39689 - Plugin 204790 -> Python Library Certifi Vulnerability!

Post by DoubleDoubleA »

Hi Vishwa,

Thanks for your question.

When you say "Nagios Core did not function normally after Python was upgraded" what actually happened? Specifically?

Nagios Core itself does not use any Python, though one or more of your plugins might.

Thanks,

Aaron
vsrigane
Posts: 3
Joined: Mon Dec 09, 2024 4:32 pm

Re: cve-2024-39689 - Plugin 204790 -> Python Library Certifi Vulnerability!

Post by vsrigane »

Hi Aaron,

All the libexec scripts/configurations and plugins that are packaged within the Nagios Core installation "/usr/local/nagios" on our Red Hat Enterprise Linux Server (RHEL 8.10) point to /usr/bin/python -> which is a Python 2.7.18 version.

There is an associated site package "urllib" that goes with this version of Python which is being flagged as Non-Compliant based on our Tenable Nessus Scan results.

We tried removing that site-package and restarting Nagios. But when that was done, all the host and service monitoring that we have configured started to fail; we are not sure how urllib is associated with this.

We also tried pointing the libexec scripts to /usr/bin/python3 -> which is a Python 3.6.8, to ensure the non-compliant site package and the unsupported Python version are not being referenced, and we ran into the same issue, where all the probes still failed.

That is when we had a question: does Nagios Core support Python 3.x? If yes, how can we ensure all the in-built or packaged scripts are updated/referenced to leverage Python 3.x?

But if not, and Nagios Core only needs Python 2.x, how can we ensure urllib is not being referenced or used in any of its functionality?

I can reproduce the issue by removing urllib and attach a screenshot of the error from our development environment if needed.

Thanks,
Vishwa
DoubleDoubleA
Posts: 273
Joined: Thu Feb 09, 2017 5:07 pm

Re: cve-2024-39689 - Plugin 204790 -> Python Library Certifi Vulnerability!

Post by DoubleDoubleA »

Hi Vishwa,

Thanks for your reply.

Ultimately I think this is a systems administration/package administration issue, and not strictly a Nagios Core issue.

There are a lot of issues going on in the thread, and I will address as many as I can as well as I can in turn.

First, Nagios Core is a C application. Asking whether it works with Python 3 is a red herring. Even if it weren't a red herring question, we know Core works very well on EL 8&9 where Python 3 is default. Nagios Core does use plugins, and plugins can be written in Python. Most people who use Nagios Core also use a packaging of plugins called Nagios Plugins, and those are also mostly written in C, with three exceptions: check_heartbleed, check_imap_login, and check_ncpa. Now, check_ncpa can do a lot for you but I would be very surprised if all your monitoring were through check_ncpa OR you would have to be using either your own or other 3rd-party plugins, all written in Python, for all of your monitoring, which again is possible but would be surprising. But even in that case, that would be an issue in your own plugins, and not plugins Nagios distributes.

Second, you say ALL of your checks are failing. The only way that could be is if all of your checks, including your host check, were python checks, and while that's not impossible, it would be an unusual way to configure Nagios. Most times the host check is a simple ping check, and that plugin is written in C, which shouldn't be affected. Are you using hyperbole when you say "all"?

Fourth, even if they were all done via check_ncpa, that specifically has Python 3 support.

Fifth, the initial issue report was with the certifi package, but as a remediation step you deleted urllib. Apparently there was also a security report on that. And I agree with your assessment that this should not break all of your monitoring, unless all of your monitoring is Python-based.

So where I am going with this is we have a lot of things that don't match up or make sense from my perspective.

When you say "We also tried pointing to the /usr/bin/python3", how did you accomplish that?

Finally, what actual plugins are you running for your monitoring?

Thanks,

Aaron
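Aaron's point is that only Python-based plugins can be touched by a certifi or urllib change, so the first step is an inventory of which files under libexec are actually run by Python and by which interpreter. The script below is an added example, not code from this thread or from the Nagios project; it builds a constructed sample libexec directory rather than reading a real installation, and the plugin names in it are made up.

```shell
#!/bin/sh
# Added example (not from the thread or Nagios): inventory the plugins in a
# libexec directory whose interpreter line invokes Python, and report which
# interpreter each one resolves to. Compiled C plugins have no shebang and
# are skipped, which is why a certifi/urllib change cannot affect them.

# python_plugins DIR
#   prints "<plugin> <interpreter>" for each file whose first line is a
#   Python shebang, either a direct path or via /usr/bin/env
python_plugins() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(head -n 1 "$f" 2>/dev/null)
        case "$line" in
            "#!"*"env python"*) interp=${line##*env }; interp=${interp%% *} ;;
            "#!"*python*)       interp=${line#"#!"};   interp=${interp%% *} ;;
            *) continue ;;
        esac
        printf '%s %s\n' "$(basename "$f")" "$interp"
    done
}

# count_python_plugins DIR -> number of Python-based plugins found
count_python_plugins() {
    python_plugins "$1" | wc -l | tr -d ' '
}

# Constructed sample libexec directory; the file names are hypothetical.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/usr/bin/python\nimport urllib\n'      > "$demo_dir/check_custom_http.py"
printf '#!/usr/bin/env python3\nimport certifi\n' > "$demo_dir/check_ncpa.py"
printf '\177ELF'                                  > "$demo_dir/check_ping"   # compiled plugin
printf '#!/bin/sh\necho OK\n'                     > "$demo_dir/check_dummy_sh"

# Against the sample directory this lists the two Python plugins only.
python_plugins "$demo_dir"
```

Run it against a real path by replacing `demo_dir` with the libexec directory; a plugin listed with `/usr/bin/python` is the one whose site-packages certifi Tenable is flagging.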
Lucasmit
Posts: 2
Joined: Wed Feb 26, 2025 2:00 am

Re: cve-2024-39689 - Plugin 204790 -> Python Library Certifi Vulnerability!

Post by Lucasmit »

vsrigane wrote: Mon Dec 09, 2024 4:37 pm [quotes the original post above]
Have you tested other solutions to fix CVE-2024-39689, such as changing configurations or using other versions of the Certifi library without upgrading Python?
vsrigane
Posts: 3
Joined: Mon Dec 09, 2024 4:32 pm

Re: cve-2024-39689 - Plugin 204790 -> Python Library Certifi Vulnerability!

Post by vsrigane »

Hi,

Yes, we have tested other configurations and updating just the Certifi library, which won't work; changing configurations also leads to Nagios Core not functioning as expected.

Thanks,
Vishwa
bbahn
Posts: 380
Joined: Thu Jan 12, 2023 5:42 pm

Re: cve-2024-39689 - Plugin 204790 -> Python Library Certifi Vulnerability!

Post by bbahn »

Hello @vsrigane,

What do you mean by "not functioning as expected"? What are the precise wordings of the errors coming back from the checks? These are crucial in finding out what is going wrong.
selaopera
Posts: 4
Joined: Fri Mar 07, 2025 4:01 am

Re: cve-2024-39689 - Plugin 204790 -> Python Library Certifi Vulnerability!

Post by selaopera »

vsrigane wrote: Mon Dec 09, 2024 4:37 pm [quotes the original post above]
But Python 2.7 is end-of-life, and many libraries have stopped releasing updates for it. The fixed certifi version (2024.07.04) may not support Python 2.7, so this might not be possible.