Bugzilla – Bug 874743
VUL-0: CVE-2014-2913: nagios-nrpe: remote command execution when command arguments are enabled
Last modified: 2024-04-24 12:30:22 UTC
Via rh#1089878: A remote command execution flaw was discovered in Nagios NRPE when command arguments are enabled. A remote attacker could use this flaw to execute arbitrary commands. This issue affects versions 2.15 and older. Command arguments are disabled by default ("dont_blame_nrpe=0" in "/etc/nagios/nrpe.cfg"), and the security risk of enabling them is documented. Some discussion about the fix is available on the oss-security list: http://seclists.org/oss-sec/2014/q2/129 Upstream fix: --- nrpe/src/nrpe.c +++ nrpe/src/nrpe.c @@ -42,7 +42,7 @@ int use_ssl=FALSE; #define DEFAULT_COMMAND_TIMEOUT 60 /* default timeout for execution of plugins */ #define MAXFD 64 -#define NASTY_METACHARS "|`&><'\"\\[]{};" +#define NASTY_METACHARS "|`&><'\"\\[]{};\n" char *command_name=NULL; char *macro_argv[MAX_COMMAND_ARGUMENTS]; CVE-2014-2913 was assigned to this issue. References: https://bugzilla.redhat.com/show_bug.cgi?id=1089878
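Review bot: the hunk fixes the issue by appending only `\n` to the NASTY_METACHARS denylist, so the check stays a denylist and is exactly as strong as that list; a carriage return (`\r`) is still absent from `"|`&><'\"\\[]{};\n"`, and any other character the list does not name passes through unchanged. Consider an allowlist of the characters plugin arguments legitimately need (alphanumerics, space, `-`, `_`, `.`, `:`, `/`, `=`), or at minimum add `\r` next to `\n`; either way, the default `dont_blame_nrpe=0` remains the primary mitigation and the argument filter is only a second layer for deployments that enable arguments.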
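To make the effect of the one-line fix concrete, here is an added C example (not code from this bug, from NRPE or from SUSE) that models the argument filter as a `strpbrk`-style scan over the two NASTY_METACHARS lists quoted in the hunk, and puts a constructed allowlist check next to it. The helper names, the sample arguments and the ALLOWED_ARG_CHARS set are assumptions made for this example; the two denylists are copied verbatim from the `-` and `+` lines above.

```c
#include <stdio.h>
#include <string.h>

/* The two denylists exactly as they appear in the upstream hunk
 * (the '-' line and the '+' line). */
#define NASTY_METACHARS_OLD "|`&><'\"\\[]{};"
#define NASTY_METACHARS_NEW "|`&><'\"\\[]{};\n"

/* Constructed allowlist for this example (an assumption, not an NRPE
 * setting): the characters a typical check_* plugin argument needs. */
#define ALLOWED_ARG_CHARS \
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -_.:/=,@%"

/* Denylist check: 1 if `arg` contains any character from `metachars`,
 * else 0.  Hypothetical helper modelling a strpbrk-style scan; it is
 * not NRPE's own function. */
int contains_nasty_metachar(const char *arg, const char *metachars)
{
    return strpbrk(arg, metachars) != NULL;
}

/* Allowlist check: 1 if every character of `arg` is in ALLOWED_ARG_CHARS.
 * A newline, a carriage return or any other unlisted byte fails without
 * having to be enumerated, which is the point of preferring an allowlist. */
int arg_is_allowlisted(const char *arg)
{
    return strspn(arg, ALLOWED_ARG_CHARS) == strlen(arg);
}

/* Returns 1 when the old list accepts `arg` but the fixed list rejects it,
 * i.e. the argument is one that only the patched denylist catches. */
int only_fixed_list_rejects(const char *arg)
{
    return !contains_nasty_metachar(arg, NASTY_METACHARS_OLD)
        && contains_nasty_metachar(arg, NASTY_METACHARS_NEW);
}

int main(void)
{
    /* Constructed sample arguments: a normal threshold pair, the same
     * digits separated by an embedded newline, and one containing a pipe
     * that both lists already reject. */
    const char *samples[] = { "-w 80 -c 90", "80\n90", "a|b" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("old_denylist=%d fixed_denylist=%d allowlist=%d : [%s]\n",
               contains_nasty_metachar(samples[i], NASTY_METACHARS_OLD),
               contains_nasty_metachar(samples[i], NASTY_METACHARS_NEW),
               arg_is_allowlisted(samples[i]),
               samples[i]);
    }
    return 0;
}
```

Running it shows the unpatched list returning 0 (accepted) for the argument with the embedded newline while the patched list returns 1, and the allowlist rejecting it without needing the newline spelled out. On a host that must keep `dont_blame_nrpe=1`, an allowlist of this shape is the stronger property to enforce; the denylist is only as complete as its last edit.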
The SWAMPID for this issue is 57094. This issue was rated as important. Please submit fixed packages until 2014-04-30. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Affected packages: SLE-11-SP3: nagios-nrpe SLE-11-SP1: nagios-nrpe
Affected openSUSE code streams: openSUSE:12.3 nrpe-2.14 openSUSE:13.1 nrpe-2.15
bugbot adjusting priority
Patched package submitted for SLE-11-SP1: nagios-nrpe. No source found for SLE-11-SP3: nagios-nrpe - can you please give me advice on where to find it? Patches for openSUSE versions prepared, but as OBS is down at the moment, I'm unable to submit.
This is an autogenerated message for OBS integration: This bug (874743) was mentioned in https://build.opensuse.org/request/show/231369 13.1+12.3 / nrpe
The submission for SLE-11-SP1 should be sufficient also for SLE-11-SP3. So nothing to do for you. Assigning back to security.
openSUSE-SU-2014:0594-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 874743 CVE References: CVE-2014-2913 Sources used: openSUSE 13.1 (src): nrpe-2.15-4.1 openSUSE 12.3 (src): nrpe-2.14-3.4.1
openSUSE-SU-2014:0603-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 874743 CVE References: CVE-2014-2913 Sources used: openSUSE 11.4 (src): nagios-nrpe-2.12-29.1
released
Update released for: nagios-nrpe, nagios-nrpe-debuginfo, nagios-nrpe-debugsource, nagios-nrpe-doc, nagios-plugins-nrpe Products: SLE-DEBUGINFO 11-SP1-TERADATA (x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: nagios-nrpe, nagios-nrpe-debuginfo, nagios-nrpe-debugsource, nagios-nrpe-doc, nagios-plugins-nrpe Products: SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0682-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 874743 CVE References: CVE-2014-2913 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): nagios-nrpe-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP3 (src): nagios-nrpe-2.12-24.4.10.1
SUSE-SU-2024:1417-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1118590, 874743 CVE References: CVE-2014-2913 Maintenance Incident: [SUSE:Maintenance:33416](https://smelt.suse.de/incident/33416/) Sources used: SUSE Linux Enterprise High Performance Computing 12 SP5 (src): nrpe-2.15-6.6.1 SUSE Linux Enterprise Server 12 SP5 (src): nrpe-2.15-6.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): nrpe-2.15-6.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.