Description Murray McAllister
2014-04-22 06:46:11 UTC
A remote command execution flaw was discovered in Nagios NRPE when command arguments are enabled. A remote attacker could use this flaw to execute arbitrary commands. This issue affects versions 2.15 and older.
Command arguments are disabled by default ("dont_blame_nrpe=0" in "/etc/nagios/nrpe.cfg"), and the security risk of enabling them is documented.
Some discussion about the fix is available on the oss-security list: http://seclists.org/oss-sec/2014/q2/129
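An added example, not part of the original report or of NRPE itself: a small audit of an nrpe.cfg that reports whether command arguments are enabled ("dont_blame_nrpe=1") and which command definitions use `$ARGn$` macros. The sample configuration and plugin paths are constructed; the tolerant whitespace handling and last-value-wins behaviour are assumptions, and included files are not followed.

```python
import re

# Constructed sample config for illustration, not taken from any real host.
SAMPLE_CFG = """\
# constructed sample nrpe.cfg
allowed_hosts=127.0.0.1
dont_blame_nrpe = 1
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_old]=/usr/lib64/nagios/plugins/check_old $ARG1$
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")          # $ARG1$, $ARG2$, ...
COMMAND_KEY = re.compile(r"^command\[([^\]]+)\]$")


def audit_nrpe_cfg(text):
    """Return (args_enabled, names of commands whose definition uses $ARGn$)."""
    args_enabled = False  # the report states arguments are disabled by default
    arg_commands = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comment lines and anything that is not key=value.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "dont_blame_nrpe":
            # Assumption: a later occurrence overrides an earlier one.
            args_enabled = value == "1"
            continue
        match = COMMAND_KEY.match(key)
        if match and ARG_MACRO.search(value):
            arg_commands.append(match.group(1))
    return args_enabled, arg_commands


if __name__ == "__main__":
    enabled, commands = audit_nrpe_cfg(SAMPLE_CFG)
    print("command arguments enabled:", enabled)
    print("commands using $ARGn$ macros:", ", ".join(commands) or "none")
```

To audit a real host, pass the contents of "/etc/nagios/nrpe.cfg" to `audit_nrpe_cfg` instead of the sample string.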
Comment 1 Murray McAllister
2014-04-22 06:47:19 UTC
Created nrpe tracking bugs for this issue:
Affects: fedora-all [bug 1089879]
Affects: epel-all [bug 1089880]
Comment 4 Fedora Update System
2014-05-16 03:02:55 UTC
nrpe-2.15-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
EPEL-5 remains vulnerable. I had a few systems compromised by this over the weekend. I rebuilt nrpe-2.15-2 on el5 to fix my systems, but an update should be pushed to prevent others from falling victim to attacks that are occurring in the wild.
Comment 6 Fedora Update System
2014-11-19 15:56:59 UTC
nrpe-2.15-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System
2014-12-07 04:35:59 UTC
nrpe-2.15-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.