Bug 1816813 (CVE-2020-6582)

Summary: CVE-2020-6582 nrpe: heap-based buffer overflow due to a wrong integer type conversion
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: b.heden, hvyas, jose.p.oliveira.oss, mhjacks, ondrejj, puebele, smooge, s, swilkerson, vbellur
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: nrpe 4.0.0
Doc Text:
A flaw was found in nrpe. A heap-based buffer overflow is possible due to the interpretation of a small negative number as a large positive number during a bzero call. The highest threat from this vulnerability is to system availability.
Last Closed: 2020-03-25 14:18:12 UTC
Bug Depends On: 1816814, 1816816    
Bug Blocks: 1816815    

Description Guilherme de Almeida Suckevicz 2020-03-24 19:18:13 UTC
Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call.

Reference:
https://herolab.usd.de/security-advisories/usd-2020-0001/
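
The conversion named in the description, shown as an added example; it is not NRPE source and is not taken from the advisory. `HDR_LEN`, the function names and the sizes are hypothetical, and `memset` stands in for `bzero` (both take a `size_t` length).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 16 /* constructed fixed header size, not an NRPE value */

/* A signed length passed where size_t is expected is converted modulo
 * SIZE_MAX + 1, so a small negative value becomes a huge positive one. */
size_t implicit_len(int32_t n) { return (size_t)n; }

/* Unsafe pattern: the tail length is computed in signed arithmetic and
 * converted only at the call site. Returns the byte count the zeroing
 * call would receive; it deliberately performs no write. */
size_t unsafe_tail_len(int32_t declared_total)
{
    int32_t tail = declared_total - HDR_LEN; /* negative if total < header */
    return implicit_len(tail);
}

/* Hardened form: validate while the value is still signed, bound it by
 * the real allocation, and only then convert and zero the tail.
 * Returns 0 on success, -1 if the declared length is rejected. */
int zero_tail_checked(unsigned char *buf, size_t cap, int32_t declared_total)
{
    if (declared_total < HDR_LEN)
        return -1; /* would underflow the tail length */
    if ((size_t)declared_total > cap)
        return -1; /* would write past the allocation */
    memset(buf + HDR_LEN, 0, (size_t)declared_total - HDR_LEN);
    return 0;
}

int main(void)
{
    unsigned char buf[32];
    memset(buf, 0xAA, sizeof buf);
    printf("declared=15 -> unchecked length %zu\n", unsafe_tail_len(15));
    printf("declared=15 -> checked rc %d\n", zero_tail_checked(buf, sizeof buf, 15));
    printf("declared=24 -> checked rc %d\n", zero_tail_checked(buf, sizeof buf, 24));
    return 0;
}
```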

Comment 1 Guilherme de Almeida Suckevicz 2020-03-24 19:19:00 UTC
Created nrpe tracking bugs for this issue:

Affects: epel-all [bug 1816816]
Affects: fedora-all [bug 1816814]

Comment 2 Hardik Vyas 2020-03-25 14:18:18 UTC
Statement:

Nagios is considered deprecated. Nagios plugins and Nagios server are no longer maintained or supported. Refer to the following release notes for details: "https://access.redhat.com/documentation/en-us/red_hat_gluster_storage/3.5/html-single/3.5_release_notes/index". The older version of nrpe which was shipped with Red Hat Gluster Storage does not support the v3 packet format.

Comment 3 Hardik Vyas 2020-03-25 14:18:23 UTC
External References:

https://herolab.usd.de/security-advisories/usd-2020-0001/

Comment 4 Hardik Vyas 2020-03-25 14:18:34 UTC
Mitigation:

There is no known mitigation for this issue; the flaw can only be resolved by applying updates.