Bug 916947 (CVE-2013-1362)

Summary: CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apevec, bressers, cpelland, gmollett, jlieskov, jose.p.oliveira.oss, lemenkov, markmc, mmagr, ondrejj, peter.clark, rbryant, rhos-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20130221,reported=20130221,source=bugtraq,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,epel-all/nrpe=affected,fedora-all/nrpe=affected,openstack-2.1/nrpe=affected,openstack-3/nrpe=affected,openstack-4/nrpe=affected,openstack-rdo/nrpe=affected,cwe=CWE-78
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-06 21:19:11 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 916949, 916950, 918302, 994768, 994770, 994771    
Bug Blocks: 958515    

Description Kurt Seifried 2013-03-01 04:57:49 EST
Rudolph Pereira (rudolph.pereira@occamsec.com) reports:

Summary:
---------------
CVE-ID: CVE-2013-1362
CVSS: Base Score 7.5
CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L
Vendor: Nagios
Affected Products: NRPE
Affected Platforms: All
Affected versions: < 2.14
Remote Exploitable: Yes
Local Exploitable: No
Patch Status Vendor released a patch (See Solution)
URL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability

Description
----------------
nrpe 2.13 has, in src/nrpc.c, line 52:

#define NASTY_METACHARS         "|`&><'\"\\[]{};"

This allows the passing of $() to plugins/scripts which, if run under
bash, will execute that shell command under a subprocess and pass the
output as a parameter to the called script. Using this, it is possible
to get called scripts, such as check_http, to execute arbitrary
commands under the uid that NRPE/nagios is running as (typically,
'nagios').

Solution
------------
Upgrade to NRPE 2.14 or later, available at
http://sourceforge.net/projects/nagios/files/nrpe-2.x/

External References:

http://seclists.org/bugtraq/2013/Feb/119
http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability
Comment 1 Kurt Seifried 2013-03-01 04:59:11 EST
Created nrpe tracking bugs for this issue

Affects: fedora-all [bug 916949]
Comment 2 Kurt Seifried 2013-03-01 04:59:49 EST
Created nrpe tracking bugs for this issue

Affects: epel-all [bug 916950]
Comment 4 Fedora Update System 2013-06-08 23:31:21 EDT
nrpe-2.14-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-06-11 04:59:09 EDT
nrpe-2.14-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-06-11 05:08:46 EDT
nrpe-2.14-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-06-16 14:33:08 EDT
nrpe-2.14-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-06-16 14:34:49 EDT
nrpe-2.14-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.