CVE-2019-13485

9.8 CRITICAL

📋 TL;DR

CVE-2019-13485 is a critical stack-based buffer overflow vulnerability in Xymon's history viewer component. Attackers can exploit this by sending specially crafted requests with long hostname or service parameters, potentially leading to remote code execution. All Xymon installations through version 4.3.28 are affected.

💻 Affected Systems

Products:
  • Xymon
Versions: Through 4.3.28
Operating Systems: All platforms running Xymon
Default Config Vulnerable: ⚠️ Yes
Notes: All Xymon installations with the history viewer component enabled are vulnerable. The vulnerability is in the web interface component.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with root privileges, allowing complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Service disruption, denial of service, or remote code execution with the privileges of the Xymon web process.

🟢

If Mitigated

Denial of service or limited impact if proper network segmentation and least privilege controls are implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing Xymon instances prime targets.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to network-based attacks from compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with publicly available proof-of-concept code. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.29 and later

Vendor Advisory: https://lists.xymon.com/archive/2019-July/046570.html

Restart Required: Yes

Instructions:

1. Download Xymon 4.3.29 or later from the official repository.
2. Back up the current configuration.
3. Stop Xymon services.
4. Install the updated version.
5. Restart Xymon services.

🔧 Temporary Workarounds

Disable history viewer

Platform: Linux

Temporarily disable the vulnerable history viewer component to prevent exploitation.

# Edit Xymon configuration to remove or comment out history.cgi references
# Typically in /etc/xymon/hobbitserver.cfg or similar

Network access control

Platform: Linux

Restrict network access to Xymon web interface using firewall rules.

# Replace trusted_network with your management subnet in CIDR form (e.g. 10.0.0.0/24).
# Rules are evaluated in order: make sure no earlier INPUT rule already accepts port 80 broadly,
# and repeat both rules for port 443 if the Xymon web interface is served over HTTPS.
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Xymon instances from untrusted networks
  • Deploy web application firewall (WAF) rules to block requests with excessively long hostname or service parameters

🔍 How to Verify

Check if Vulnerable:

Check Xymon version: grep 'XYMONVERSION' /etc/xymon/*.cfg or run 'xymon --version'. If version is 4.3.28 or earlier, the system is vulnerable.

Check Version:

grep 'XYMONVERSION' /etc/xymon/*.cfg 2>/dev/null || xymon --version 2>/dev/null || echo 'Check Xymon installation'

Verify Fix Applied:

Verify Xymon version is 4.3.29 or later using the same commands. Test the history viewer with normal parameters to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long hostname or service parameters in web logs
  • Multiple failed requests to history.cgi
  • Process crashes or abnormal termination of Xymon web components

Network Indicators:

  • HTTP requests with hostname parameters exceeding normal length (typically > 256 characters)
  • Traffic patterns showing exploitation attempts from scanning tools

SIEM Query:

source="xymon_access.log" AND (uri="*history.cgi*" AND (param_length>256 OR contains(param,"../")))
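The log indicators and the SIEM query above can be applied offline to a web server access log. The script below is an added example, not code from the advisory or from the Xymon project: it parses Apache combined-format lines (an assumed log format), picks out requests to history.cgi, and flags any query parameter longer than the 256-character threshold named above, any parameter containing "../", and any 5xx response from history.cgi (a crash indicator). The log lines it runs on are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Thresholds taken from the advisory's detection indicators.
MAX_PARAM_LEN = 256
TARGET_SCRIPT = "history.cgi"

# Constructed sample access-log lines (Apache combined format), not real traffic.
# The second line carries a 300-character HOST value and a 500 response.
LONG_HOST = "A" * 300
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Jul/2019:10:15:02 +0000] "GET /xymon-cgi/history.cgi?HOST=webserver1&SERVICE=cpu HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jul/2019:10:15:09 +0000] "GET /xymon-cgi/history.cgi?HOST=' + LONG_HOST + '&SERVICE=cpu HTTP/1.1" 500 0 "-" "python-requests/2.22"',
    '203.0.113.7 - - [12/Jul/2019:10:15:10 +0000] "GET /xymon-cgi/history.cgi?HOST=web&SERVICE=../../etc HTTP/1.1" 404 0 "-" "curl/7.64"',
    '10.0.0.8 - - [12/Jul/2019:10:16:00 +0000] "GET /xymon-cgi/svcstatus.cgi?HOST=webserver1&SERVICE=disk HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
])

# Source, timestamp, method, request target and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return a dict or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["script"] = url.path.rsplit("/", 1)[-1]
    # parse_qs percent-decodes values, so an encoded "../" is caught as well.
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the list of indicator strings matched by a record (empty if benign)."""
    reasons = []
    if rec["script"] != TARGET_SCRIPT:
        return reasons
    for name, values in rec["params"].items():
        for v in values:
            if len(v) > MAX_PARAM_LEN:
                reasons.append(f"{name} length {len(v)} > {MAX_PARAM_LEN}")
            if "../" in v:
                reasons.append(f"{name} contains '../'")
    # A 5xx from history.cgi is the "process crash" indicator from the advisory.
    if rec["status"].startswith("5"):
        reasons.append(f"server error {rec['status']} from {TARGET_SCRIPT}")
    return reasons


def scan_log(text):
    """Run the indicators over a whole log and return one finding per suspicious line."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"src": rec["src"], "ts": rec["ts"], "reasons": reasons})
    return findings


def sources_by_hits(findings):
    """Count findings per source address, to spot a scanner hammering history.cgi."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], "; ".join(h["reasons"]))
    print("per-source totals:", sources_by_hits(hits))
```

Feed it a real access log with `scan_log(open(path).read())`; the per-source totals are the quickest way to separate a single malformed request from a scanning campaign against the history viewer.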
