Bug 916947 (CVE-2013-1362)

Summary: CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apevec, bressers, cpelland, gmollett, jlieskov, jose.p.oliveira.oss, lemenkov, markmc, mmagr, ondrejj, peter.clark, rbryant, rhos-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-07 02:19:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 916949, 916950, 918302, 994768, 994770, 994771    
Bug Blocks: 958515    

Description Kurt Seifried 2013-03-01 09:57:49 UTC 
Rudolph Pereira (rudolph.pereira) reports:

Summary:
---------------
CVE-ID: CVE-2013-1362
CVSS: Base Score 7.5
CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L
Vendor: Nagios
Affected Products: NRPE
Affected Platforms: All
Affected versions: < 2.14
Remote Exploitable: Yes
Local Exploitable: No
Patch Status Vendor released a patch (See Solution)
URL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability

Description
----------------
nrpe 2.13 has, in src/nrpc.c, line 52:

#define NASTY_METACHARS         "|`&><'\"\\[]{};"

This allows the passing of $() to plugins/scripts which, if run under
bash, will execute that shell command under a subprocess and pass the
output as a parameter to the called script. Using this, it is possible
to get called scripts, such as check_http, to execute arbitrary
commands under the uid that NRPE/nagios is running as (typically,
'nagios').

Solution
------------
Upgrade to NRPE 2.14 or later, available at
http://sourceforge.net/projects/nagios/files/nrpe-2.x/

External References:

http://seclists.org/bugtraq/2013/Feb/119
http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability
Comment 1 Kurt Seifried 2013-03-01 09:59:11 UTC 
Created nrpe tracking bugs for this issue

Affects: fedora-all [bug 916949]
Comment 2 Kurt Seifried 2013-03-01 09:59:49 UTC 
Created nrpe tracking bugs for this issue

Affects: epel-all [bug 916950]
Comment 4 Fedora Update System 2013-06-09 03:31:21 UTC 
nrpe-2.14-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-06-11 08:59:09 UTC 
nrpe-2.14-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-06-11 09:08:46 UTC 
nrpe-2.14-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-06-16 18:33:08 UTC 
nrpe-2.14-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-06-16 18:34:49 UTC 
nrpe-2.14-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.