CVE-2019-3698: 
Nagios vulnerability analysis and mitigation

CVE-2019-3698 is a UNIX Symbolic Link (Symlink) Following vulnerability discovered in the cronjob shipped with nagios software. The vulnerability affects SUSE Linux Enterprise Server 12 and other SUSE Linux distributions. The issue was disclosed on February 28, 2020 (NVD).

The vulnerability exists in the /etc/cron.weekly/nagios cronjob which allows the 'nagios' user to escalate privileges to 'root' by placing symlinks in /var/log/nagios/archives. The cronjob calls '/usr/bin/bzip2' on files in /var/log/nagios/archives/*.log, but since both /var/log/nagios and /var/log/nagios/archives are owned by 'nagios', the user can place malicious symlinks. The vulnerability is only exploitable when NAGIOS_COMPRESS_LOGFILES is set in /etc/sysconfig/nagios (SUSE Bugzilla).

The vulnerability could allow local attackers to cause denial of service (DoS), deduce existence of private files, potentially leak private files through race conditions, or corrupt any files in the system that end with *.log by manipulating symlinks. The most serious impact is the potential file leakage, though the race condition is difficult to exploit due to the weekly execution schedule of the cronjob (SUSE Bugzilla).

The issue was fixed by modifying the cronjob to run the bzip2 command in the nagios user context using setpriv instead of running as root. The fix was released through security updates for affected SUSE Linux distributions (OpenSUSE Security).