Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 459870 (CVE-2013-1362) - <net-analyzer/nrpe-2.14: nagios metacharacter filtering omission (CVE-2013-1362)
Summary: <net-analyzer/nrpe-2.14: nagios metacharacter filtering omission (CVE-2013-1362)
Status: RESOLVED FIXED
Alias: CVE-2013-1362
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-01 13:04 UTC by Agostino Sarubbo
Modified: 2014-08-31 11:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-03-01 13:04:52 UTC
From ${URL} :

Rudolph Pereira (rudolph.pereira@occamsec.com) reports:

Summary:
---------------
CVE-ID: CVE-2013-1362
CVSS: Base Score 7.5
CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L
Vendor: Nagios
Affected Products: NRPE
Affected Platforms: All
Affected versions: < 2.14
Remote Exploitable: Yes
Local Exploitable: No
Patch Status Vendor released a patch (See Solution)
URL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability

Description
----------------
nrpe 2.13 has, in src/nrpc.c, line 52:

#define NASTY_METACHARS         "|`&><'\"\\[]{};"

This allows the passing of $() to plugins/scripts which, if run under
bash, will execute that shell command under a subprocess and pass the
output as a parameter to the called script. Using this, it is possible
to get called scripts, such as check_http, to execute arbitrary
commands under the uid that NRPE/nagios is running as (typically,
'nagios').

Solution
------------
Upgrade to NRPE 2.14 or later, available at
http://sourceforge.net/projects/nagios/files/nrpe-2.x/

External references:
http://seclists.org/bugtraq/2013/Feb/119
http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-04 01:58:51 UTC
@sysadmin: may we proceed to stabilize =net-analyzer/nrpe-2.14 ?
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-03-04 06:35:50 UTC
Go for it.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-04 19:57:19 UTC
Arches, please test and mark stable:
=net-analyzer/nrpe-2.14
Target KEYWORDS: "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2013-03-05 16:45:27 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-05 18:31:08 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2013-03-09 11:10:30 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-03-09 11:28:44 UTC
ppc stable
Comment 8 Marko Weber Bürgermeister 2013-03-09 12:00:39 UTC
fails to compile here:

./../include/config.h:33:0: warning: "NRPE_LOG_FACILITY" redefined [enabled by default]
<command-line>:0:0: note: this is the location of the previous definition
./../include/config.h:75:0: warning: "SOCKET_SIZE_TYPE" redefined [enabled by default]
<command-line>:0:0: note: this is the location of the previous definition
./../include/config.h:76:0: warning: "GETGROUPS_T" redefined [enabled by default]
<command-line>:0:0: note: this is the location of the previous definition
./../include/config.h:77:0: warning: "RETSIGTYPE" redefined [enabled by default]
<command-line>:0:0: note: this is the location of the previous definition
make: *** [nrpe] Error 1
make: Leaving directory `/var/tmp/portage/net-analyzer/nrpe-2.14/work/nrpe-2.14/src'
 * ERROR: net-analyzer/nrpe-2.14 failed (compile phase):
 *   emake failed
 * 
 * If you need support, post the output of `emerge --info '=net-analyzer/nrpe-2.14'`,
 * the complete build log and the output of `emerge -pqv '=net-analyzer/nrpe-2.14'`.
 * The complete build log is located at '/var/tmp/portage/net-analyzer/nrpe-2.14/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/net-analyzer/nrpe-2.14/temp/environment'.
 * Working directory: '/var/tmp/portage/net-analyzer/nrpe-2.14/work/nrpe-2.14'
 * S: '/var/tmp/portage/net-analyzer/nrpe-2.14/work/nrpe-2.14'



# emerge --info
Portage 2.1.11.52 (default/linux/amd64/13.0, gcc-4.6.3, glibc-2.15-r3, 3.7.10_weber3.7.10 x86_64)
=================================================================
System uname: Linux-3.7.10_weber3.7.10-x86_64-Intel-R-_Core-TM-_i7-3770_CPU_@_3.40GHz-with-gentoo-2.1
KiB Mem:    16138360 total,  14608632 free
KiB Swap:    2047932 total,   2047932 free
Timestamp of tree: Sat, 09 Mar 2013 11:15:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.69
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=generic -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -mtune=generic -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="rsync://de-mirror.org/gentoo/ ftp://ftp.halifax.rwth-aachen.de/gentoo/ rsync://ftp.halifax.rwth-aachen.de/gentoo/"
LDFLAGS="-Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync15.de.gentoo.org/gentoo-portage"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cxx dri fortran gdbm gpm iconv mmx modules mudflap multilib ncurses nls nptl openmp pam pcre readline session sse sse2 ssl tcpd unicode zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif status unique_id usertrack vhost_alias speling" APACHE2_MPMS="prefork" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 9 Agostino Sarubbo gentoo-dev 2013-03-09 13:36:52 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-03-09 18:11:06 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-03-09 19:09:12 UTC
sparc stable
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:34:08 UTC
Added to existing request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:33:35 UTC
CVE-2013-1362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1362):
  Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In
  Executor (NRPE) before 2.14 might allow remote attackers to execute
  arbitrary shell commands via "$()" shell metacharacters, which are processed
  by bash.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:32:38 UTC
This issue was resolved and addressed in
 GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).