Summary:
---------------
CVE-ID: CVE-2013-1362
CVSS: Base Score 7.5
CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L
Vendor: Nagios
Affected Products: NRPE
Affected Platforms: All
Affected versions: < 2.14
Remote Exploitable: Yes
Local Exploitable: No
Patch Status Vendor released a patch (See Solution)
URL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability
Description
----------------
nrpe 2.13 has, in src/nrpc.c, line 52:
#define NASTY_METACHARS "|`&><'\"\\[]{};"
This allows the passing of $() to plugins/scripts which, if run under
bash, will execute that shell command under a subprocess and pass the
output as a parameter to the called script. Using this, it is possible
to get called scripts, such as check_http, to execute arbitrary
commands under the uid that NRPE/nagios is running as (typically,
'nagios').
Solution
------------
Upgrade to NRPE 2.14 or later, available at
http://sourceforge.net/projects/nagios/files/nrpe-2.x/
CVSS Base Score 7.5 CVSS2 Vector AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L Vendor Nagios Affected Products NRPE (Configured with --enable-command-args). Affected Platforms All Affected versions < 2.14 Remote Exploitable Yes Local Exploitable No Patch Status Vendor released a patch (See Solution)
Description
nrpe 2.13 has, in src/nrpc.c, line 52:
#define NASTY_METACHARS "|`&><'\"\\[]{};"
When NRPE is compiled with --enable-command-args (the default for mostLinux distributions), the above code allows the passing of $() to plugins/scripts which, if run under bash, will execute thatshell command under a subprocess and pass the output as a parameter tothe called script. Using this, it is possible to get called scripts,such as check_http, to execute arbitrary commands under the uid thatNRPE/nagios is running as (typically, 'nagios').
Solution
Upgrade to NRPE 2.14 or later, available at http://sourceforge.net/projects/nagios/files/nrpe-2.x/
