Rudolph Pereira (rudolph.pereira) reports: Summary: --------------- CVE-ID: CVE-2013-1362 CVSS: Base Score 7.5 CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L Vendor: Nagios Affected Products: NRPE Affected Platforms: All Affected versions: < 2.14 Remote Exploitable: Yes Local Exploitable: No Patch Status Vendor released a patch (See Solution) URL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability Description ---------------- nrpe 2.13 has, in src/nrpc.c, line 52: #define NASTY_METACHARS "|`&><'\"\\[]{};" This allows the passing of $() to plugins/scripts which, if run under bash, will execute that shell command under a subprocess and pass the output as a parameter to the called script. Using this, it is possible to get called scripts, such as check_http, to execute arbitrary commands under the uid that NRPE/nagios is running as (typically, 'nagios'). Solution ------------ Upgrade to NRPE 2.14 or later, available at http://sourceforge.net/projects/nagios/files/nrpe-2.x/ External References: http://seclists.org/bugtraq/2013/Feb/119 http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability
Created nrpe tracking bugs for this issue Affects: fedora-all [bug 916949]
Created nrpe tracking bugs for this issue Affects: epel-all [bug 916950]
nrpe-2.14-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-2.14-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-2.14-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-2.14-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-2.14-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.