2278.txt

This is the snapshot of Snot Latest Rules

Rule:

--
Sid:
2278

--
Summary:
This event is generated when an attempt is made to exploit a Denial of Service (DoS) condition in the Monit web server or on a server using Nagios.

--
Impact:
Serious. Remote code execution is possible as well as Denial of Service.

--
Detailed Information:
The Monit web server does not perform stringent checks on HTTP parameters prior to processing. This may allow a remote attacker to issue a DoS condition against a server running Monit.

The Nagios cgi interface does not properly handle a negative content length in the Content-Length header of an HTTP request. This may allow an attacker to execute code of their choosing on an affected host.

Note: The IP address of the Nagios server should be added to the HTTP_SERVERS variable in snort.conf for this rule to catch attempts to exploit this vulnerability. Alternatively, the rule can be duplicated in local.rules and the variables and sid assignment modified accordingly to monitor traffic going to the server running Nagios.

--
Affected Systems:
Monit 4.1 and prior
Nagios 2.2 and prior
Nagios 1.3 and prior

--
Attack Scenarios:
By supplying certain HTTP parameters to the Monit server a DoS condition may be executed.

--
Ease of Attack:
Simple. Exploit code exists but is not currently in the public domain.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

--
Contributors:
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--