Details of VAR-201308-0251

ID

VAR-201308-0251

CVE

CVE-2013-4114

TITLE

Nagstamon Information Disclosure Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2013-09764 // CNNVD: CNNVD-201307-260

DESCRIPTION

The automatic update request in Nagstamont before 0.9.10 uses a cleartext base64 format for transmission of a username and password, which allows remote attackers to obtain sensitive information by sniffing the network. Nagstamon is a Nagios status monitor. These sensitive information can be obtained by obtaining the plaintext BASE64 data in the HTTP BASIC verification header. A remote attacker can exploit the vulnerability to obtain such sensitive information, such as authentication credentials. Nagstamon is prone to an information-disclosure vulnerability. Versions prior to Nagstamon 0.9.10 are vulnerable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201401-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Nagstamon: Information disclosure Date: January 06, 2014 Bugs: #476538 ID: 201401-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability in Nagstamon could expose user credentials to a remote attacker. Workaround ========== There is no known workaround at this time. Resolution ========== All Nagstamon users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=net-analyzer/nagstamon-0.9.11_rc1" References ========== [ 1 ] CVE-2013-4114 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4114 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201401-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Trust: 2.52

sources: NVD: CVE-2013-4114 // JVNDB: JVNDB-2013-003763 // CNVD: CNVD-2013-09764 // BID: 61120 // PACKETSTORM: 124672

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2013-09764

AFFECTED PRODUCTS

vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.4	Trust: 1.6
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.9	Trust: 1.6
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.5	Trust: 1.6
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.6	Trust: 1.6
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.11	Trust: 1.6
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.7	Trust: 1.6
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.8	Trust: 1.6
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.3	Trust: 1.6
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.2	Trust: 1.6
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.10	Trust: 1.6
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.8.2	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.5.13	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.5	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.6.2	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	lte	version:	0.9.9	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.6	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.7	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.8	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.6.1	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.0	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.3	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.8.0	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.7.1	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.6	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.7.0	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.6.1	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.4	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.8.1	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.1	Trust: 1.0
vendor:	henri wahl	model:	nagstamon	scope:	eq	version:	0.9.2	Trust: 1.0
vendor:	nagios enterprises	model:	nagstamont	scope:	lt	version:	0.9.10	Trust: 0.8
vendor:	nagstamon	model:	nagstamon	scope:	eq	version:	0.9.10	Trust: 0.6
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3

sources: CNVD: CNVD-2013-09764 // BID: 61120 // JVNDB: JVNDB-2013-003763 // CNNVD: CNNVD-201307-260 // NVD: CVE-2013-4114

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-4114
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-4114
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2013-09764
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201307-260
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2013-4114
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2013-09764
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2013-09764 // JVNDB: JVNDB-2013-003763 // CNNVD: CNNVD-201307-260 // NVD: CVE-2013-4114

PROBLEMTYPE DATA

problemtype:	CWE-255	Trust: 1.0
problemtype:	CWE-200	Trust: 0.8

sources: JVNDB: JVNDB-2013-003763 // NVD: CVE-2013-4114

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 124672 // CNNVD: CNNVD-201307-260

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201307-260

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003763

PATCH

title:	Bug 476538	url:	https://bugs.gentoo.org/show_bug.cgi?id=476538	Trust: 0.8
title:	Bug 983673	url:	https://bugzilla.redhat.com/show_bug.cgi?id=983673	Trust: 0.8
title:	2013-07-11: Update check security bug	url:	http://nagstamon.ifw-dresden.de/docs/security/	Trust: 0.8
title:	Nagstamon Information Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/35186	Trust: 0.6

sources: CNVD: CNVD-2013-09764 // JVNDB: JVNDB-2013-003763

EXTERNAL IDS

db:	NVD	id:	CVE-2013-4114	Trust: 3.4
db:	OPENWALL	id:	OSS-SECURITY/2013/07/11/7	Trust: 1.6
db:	SECUNIA	id:	54276	Trust: 1.6
db:	SECUNIA	id:	54072	Trust: 1.6
db:	BID	id:	61120	Trust: 1.5
db:	JVNDB	id:	JVNDB-2013-003763	Trust: 0.8
db:	CNVD	id:	CNVD-2013-09764	Trust: 0.6
db:	MLIST	id:	[OSS-SECURITY] 20130711 RE: CVE REQUEST -- NAGSTAMON (PRIOR 0.9.10): MONITOR SERVER USER CREDENTIALS EXPOSURE IN AUTOMATED REQUESTS TO GET UPDATE INFORMATION	Trust: 0.6
db:	SUSE	id:	OPENSUSE-SU-2013:1235	Trust: 0.6
db:	CNNVD	id:	CNNVD-201307-260	Trust: 0.6
db:	PACKETSTORM	id:	124672	Trust: 0.1

sources: CNVD: CNVD-2013-09764 // BID: 61120 // JVNDB: JVNDB-2013-003763 // PACKETSTORM: 124672 // CNNVD: CNNVD-201307-260 // NVD: CVE-2013-4114

REFERENCES

url:	https://bugs.gentoo.org/show_bug.cgi?id=476538	Trust: 2.2
url:	https://bugzilla.redhat.com/show_bug.cgi?id=983673	Trust: 1.6
url:	http://www.openwall.com/lists/oss-security/2013/07/11/7	Trust: 1.6
url:	http://secunia.com/advisories/54276	Trust: 1.6
url:	http://secunia.com/advisories/54072	Trust: 1.6
url:	http://nagstamon.ifw-dresden.de/docs/security/	Trust: 1.6
url:	http://lists.opensuse.org/opensuse-updates/2013-07/msg00072.html	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4114	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4114	Trust: 0.8
url:	http://www.securityfocus.com/bid/61120	Trust: 0.6
url:	http://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-4114	Trust: 0.1
url:	http://security.gentoo.org/glsa/glsa-201401-03.xml	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-4114	Trust: 0.1
url:	http://security.gentoo.org/	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1

sources: CNVD: CNVD-2013-09764 // JVNDB: JVNDB-2013-003763 // PACKETSTORM: 124672 // CNNVD: CNNVD-201307-260 // NVD: CVE-2013-4114

CREDITS

Reported by vendor.

Trust: 0.3

sources: BID: 61120

SOURCES

db:	CNVD	id:	CNVD-2013-09764
db:	BID	id:	61120
db:	JVNDB	id:	JVNDB-2013-003763
db:	PACKETSTORM	id:	124672
db:	CNNVD	id:	CNNVD-201307-260
db:	NVD	id:	CVE-2013-4114

LAST UPDATE DATE

2025-04-11T23:14:42.356000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-09764	date:	2013-07-18T00:00:00
db:	BID	id:	61120	date:	2015-04-16T17:50:00
db:	JVNDB	id:	JVNDB-2013-003763	date:	2013-08-19T00:00:00
db:	CNNVD	id:	CNNVD-201307-260	date:	2013-08-19T00:00:00
db:	NVD	id:	CVE-2013-4114	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2013-09764	date:	2013-07-18T00:00:00
db:	BID	id:	61120	date:	2013-07-11T00:00:00
db:	JVNDB	id:	JVNDB-2013-003763	date:	2013-08-19T00:00:00
db:	PACKETSTORM	id:	124672	date:	2014-01-06T23:19:25
db:	CNNVD	id:	CNNVD-201307-260	date:	2013-07-18T00:00:00
db:	NVD	id:	CVE-2013-4114	date:	2013-08-16T17:55:05.130