VYPR
Unrated severity · NVD Advisory · Published Feb 28, 2020 · Updated Sep 16, 2024

nagios cron job allows privilege escalation from user nagios to root

CVE-2019-3698

Description

Race condition in SUSE's nagios cron job allows local attackers with nagios user access to escalate privileges or cause DoS via symlink following.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A UNIX Symbolic Link (Symlink) Following vulnerability exists in the cron job /etc/cron.weekly/nagios shipped with nagios packages in SUSE Linux Enterprise Server 12 (version 3.5.1-5.27 and prior), SUSE Linux Enterprise Server 11 (version 3.0.6-1.25.36.3.1 and prior), and openSUSE Factory (version 4.4.5-2.1 and prior) [1]. The cron job only activates when NAGIOS_COMPRESS_LOGFILES is set in /etc/sysconfig/nagios [1]. It executes /usr/bin/bzip2 on files matching /var/log/nagios/archives/*.log, but both the archives directory and its parent are owned by the nagios user, allowing creation of symlinks [1]. The bzip2 utility uses stat/lstat/open in a racy manner, enabling symlink following attacks [1].

Exploitation

A local attacker with nagios user privileges can place malicious symlinks or FIFOs in the /var/log/nagios/archives/ directory [1]. No authentication beyond the nagios user is required, as the cron job runs with root privileges but operates on files owned by nagios [1]. The attacker can win a race condition between bzip2's stat and open calls to replace the target file with a symlink [1]. The attacker can also place a FIFO to cause the cron job to hang indefinitely [1].

Impact

Successful exploitation can lead to denial of service by placing a FIFO that blocks bzip2 and thus the cron job [1]. More critically, an attacker can win the race to replace files with symlinks, potentially leaking sensitive information (e.g., compressing /root/.bash_history if group- or world-readable) or corrupting any .log file on the system by directing the archive directory symlink to another directory [1]. Privilege escalation to root is theoretically possible if the race is won to compress a private file and the compressed result is left in an accessible location [1].

Mitigation

A fix requires modifying the cron job to run commands in the nagios user context, e.g., via sudo, preventing the race condition [1]. No patched version is explicitly listed in the available references; users should monitor SUSE advisories for updates [1]. As a workaround, ensure NAGIOS_COMPRESS_LOGFILES is not set in /etc/sysconfig/nagios to keep the cron job inactive [1].
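The following audit check is an added example, not code from SUSE or from the referenced report: it reports whether the workaround above is in effect and whether any `*.log` entry in the archives directory is a symlink or FIFO. It assumes that any non-empty `NAGIOS_COMPRESS_LOGFILES` value counts as "set"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not SUSE's script): audit the preconditions of CVE-2019-3698.
# Assumption: any non-empty NAGIOS_COMPRESS_LOGFILES value counts as "set".

# compress_enabled [sysconfig-file]: exit 0 if the variable is non-empty.
compress_enabled() {
    conf=${1:-/etc/sysconfig/nagios}
    [ -r "$conf" ] || return 1
    val=$(sed -n 's/^[[:space:]]*NAGIOS_COMPRESS_LOGFILES=//p' "$conf" |
          tail -n 1 | tr -d "\"'[:space:]")
    [ -n "$val" ]
}

# suspicious_entries [archives-dir]: print one "kind path" line per *.log
# entry that a root-run bzip2 should never touch, and flag the archives
# directory itself if it is a symlink.
suspicious_entries() {
    dir=${1:-/var/log/nagios/archives}
    if [ -L "$dir" ]; then printf 'symlink-dir %s\n' "$dir"; fi
    for f in "$dir"/*.log; do
        if [ -L "$f" ]; then printf 'symlink %s\n' "$f"
        elif [ -p "$f" ]; then printf 'fifo %s\n' "$f"
        elif [ -e "$f" ] && [ ! -f "$f" ]; then printf 'non-regular %s\n' "$f"
        fi
    done
}

# nagios_audit [sysconfig-file] [archives-dir]: summarise both checks.
nagios_audit() {
    if compress_enabled "${1:-/etc/sysconfig/nagios}"; then
        echo "cron compression: ACTIVE (root runs bzip2 on the archives glob)"
    else
        echo "cron compression: inactive"
    fi
    found=$(suspicious_entries "${2:-/var/log/nagios/archives}")
    if [ -n "$found" ]; then
        printf 'review before the next weekly run:\n%s\n' "$found"
    else
        echo "no symlinks or FIFOs match *.log"
    fi
}

nagios_audit "$@"
```

A clean result is only a snapshot of the directory: the race is closed only by running bzip2 in the nagios user context or by leaving the variable unset.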

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

26

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The cron job for nagios does not properly drop privileges before executing commands, allowing a local user to potentially escalate privileges."

Attack vector

A local attacker can exploit this vulnerability by creating a symbolic link to a sensitive file that the nagios cron job will process. By winning a race condition, the attacker can cause the cron job, which runs with root privileges, to act on that file, leading to potential privilege escalation or denial of service. The vulnerability lies in the way the cron job executes commands without dropping privileges before processing files [1].

Affected code

The vulnerability exists within the cron job script for nagios, specifically in how it handles file processing and command execution. The provided reference details a proposed patch that modifies this script to correctly determine and use the nagios user's privileges before executing commands like bzip2 [1].

What the fix does

The proposed patch addresses the vulnerability by ensuring the cron job executes commands with the correct, dropped privileges. It achieves this by first attempting to determine the configured nagios user from the main configuration file and falling back to a default if necessary. The patch then uses `setpriv` to execute the bzip2 command with the appropriate real and effective user and group IDs, along with necessary capabilities, thus preventing privilege escalation [1].

Preconditions

  • auth: The attacker must have local access to the affected system.
  • input: The attacker must be able to create symbolic links within the filesystem that the nagios cron job will access.

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
