From ${URL} : Rudolph Pereira (rudolph.pereira@occamsec.com) reports: Summary: --------------- CVE-ID: CVE-2013-1362 CVSS: Base Score 7.5 CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L Vendor: Nagios Affected Products: NRPE Affected Platforms: All Affected versions: < 2.14 Remote Exploitable: Yes Local Exploitable: No Patch Status Vendor released a patch (See Solution) URL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability Description ---------------- nrpe 2.13 has, in src/nrpc.c, line 52: #define NASTY_METACHARS "|`&><'\"\\[]{};" This allows the passing of $() to plugins/scripts which, if run under bash, will execute that shell command under a subprocess and pass the output as a parameter to the called script. Using this, it is possible to get called scripts, such as check_http, to execute arbitrary commands under the uid that NRPE/nagios is running as (typically, 'nagios'). Solution ------------ Upgrade to NRPE 2.14 or later, available at http://sourceforge.net/projects/nagios/files/nrpe-2.x/ External references: http://seclists.org/bugtraq/2013/Feb/119 http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability
@sysadmin: may we proceed to stabilize =net-analyzer/nrpe-2.14 ?
Go for it.
Arches, please test and mark stable: =net-analyzer/nrpe-2.14 Target KEYWORDS: "alpha amd64 hppa ppc ppc64 sparc x86"
amd64 stable
Stable for HPPA.
ppc64 stable
ppc stable
fails to compile here: ./../include/config.h:33:0: warning: "NRPE_LOG_FACILITY" redefined [enabled by default] <command-line>:0:0: note: this is the location of the previous definition ./../include/config.h:75:0: warning: "SOCKET_SIZE_TYPE" redefined [enabled by default] <command-line>:0:0: note: this is the location of the previous definition ./../include/config.h:76:0: warning: "GETGROUPS_T" redefined [enabled by default] <command-line>:0:0: note: this is the location of the previous definition ./../include/config.h:77:0: warning: "RETSIGTYPE" redefined [enabled by default] <command-line>:0:0: note: this is the location of the previous definition make: *** [nrpe] Error 1 make: Leaving directory `/var/tmp/portage/net-analyzer/nrpe-2.14/work/nrpe-2.14/src' * ERROR: net-analyzer/nrpe-2.14 failed (compile phase): * emake failed * * If you need support, post the output of `emerge --info '=net-analyzer/nrpe-2.14'`, * the complete build log and the output of `emerge -pqv '=net-analyzer/nrpe-2.14'`. * The complete build log is located at '/var/tmp/portage/net-analyzer/nrpe-2.14/temp/build.log'. * The ebuild environment file is located at '/var/tmp/portage/net-analyzer/nrpe-2.14/temp/environment'. * Working directory: '/var/tmp/portage/net-analyzer/nrpe-2.14/work/nrpe-2.14' * S: '/var/tmp/portage/net-analyzer/nrpe-2.14/work/nrpe-2.14' # emerge --info Portage 2.1.11.52 (default/linux/amd64/13.0, gcc-4.6.3, glibc-2.15-r3, 3.7.10_weber3.7.10 x86_64) ================================================================= System uname: Linux-3.7.10_weber3.7.10-x86_64-Intel-R-_Core-TM-_i7-3770_CPU_@_3.40GHz-with-gentoo-2.1 KiB Mem: 16138360 total, 14608632 free KiB Swap: 2047932 total, 2047932 free Timestamp of tree: Sat, 09 Mar 2013 11:15:01 +0000 ld GNU ld (GNU Binutils) 2.22 app-shells/bash: 4.2_p37 dev-lang/python: 2.7.3-r2, 3.2.3 dev-util/pkgconfig: 0.28 sys-apps/baselayout: 2.1-r1 sys-apps/openrc: 0.11.8 sys-apps/sandbox: 2.5 sys-devel/autoconf: 2.69 sys-devel/automake: 1.11.6 sys-devel/binutils: 2.22-r1 sys-devel/gcc: 4.6.3 sys-devel/gcc-config: 1.7.3 sys-devel/libtool: 2.4-r1 sys-devel/make: 3.82-r4 sys-kernel/linux-headers: 3.6 (virtual/os-headers) sys-libs/glibc: 2.15-r3 Repositories: gentoo ACCEPT_KEYWORDS="amd64" ACCEPT_LICENSE="* -@EULA" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=core2 -mtune=generic -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=core2 -mtune=generic -O2 -pipe" DISTDIR="/usr/portage/distfiles" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="rsync://de-mirror.org/gentoo/ ftp://ftp.halifax.rwth-aachen.de/gentoo/ rsync://ftp.halifax.rwth-aachen.de/gentoo/" LDFLAGS="-Wl,--as-needed" MAKEOPTS="-j9" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" SYNC="rsync://rsync15.de.gentoo.org/gentoo-portage" USE="acl amd64 berkdb bzip2 cli cracklib crypt cxx dri fortran gdbm gpm iconv mmx modules mudflap multilib ncurses nls nptl openmp pam pcre readline session sse sse2 ssl tcpd unicode zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif status unique_id usertrack vhost_alias speling" APACHE2_MPMS="prefork" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
alpha stable
x86 stable
sparc stable
Added to existing request.
CVE-2013-1362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1362): Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
This issue was resolved and addressed in GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml by GLSA coordinator Kristian Fiskerstrand (K_F).