CVE-2014-2913
published 2014-05-07
CVE-2014-2913: Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via…
Priority P3 · 57 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 15.31% (96.4th percentile)
Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nagios-nrpe | < nagios-nrpe 2.15-1 (bookworm) | nagios-nrpe 2.15-1 (bookworm) |
| nagios | remote_plugin_executor | <= 2.15 | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
CVSS provenance
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 · HIGH
vendor_debian · 7.5 · LOW
vendor_redhat · 7.5 · HIGH
GHSA
GHSA-95rp-rj38-x3rc: ** DISPUTED ** Incomplete blacklist vulnerability in nrpe
ghsa_unreviewed·2022-05-14
OSV
CVE-2014-2913: Incomplete blacklist vulnerability in nrpe
osv·2014-05-07·CVSS 7.5
OSV
CVE-2014-2913: ** DISPUTED ** Incomplete blacklist vulnerability in nrpe
osv·2014-05-07·CVSS 7.5
Red Hat
nrpe: remote command execution when command arguments are enabled
vendor_redhat·2014-04-17·CVSS 7.5
Package: nrpe (Red Hat OpenStack Platform 3) - Will not fix
Package: nrpe (Red Hat OpenStack Platform 4) - Will not fix
Debian
CVE-2014-2913: nagios-nrpe - Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (N...
vendor_debian·2014·CVSS 7.5
Scope: local
bookworm: resolved (fixed in 2.15-1)
bullseye: resolved (fixed in 2.15-1)
forky: resolved (fixed in 2.15-1)
sid: resolved (fixed in 2.15-1)
trixie: resolved (fixed in 2.15-1)
No detection rules found.
Exploit-DB
NRPE 2.15 - Remote Code Execution
exploitdb·2014-08-29·CVSS 7.5
---
```python
#!/usr/bin/python
#
#
# Exploit Title : NRPE
# http://www.abcompcons.com/files/nrpe_client.py
#
# pyOpenSSL Library required (http://pyopenssl.sourceforge.net/)
#
# [root@localhost ~]# pip-python install pyOpenSSL
#
# NRPE > 8) & 0x00FFFFFF) ^ self.tCRC32[nIndex]
        self.nCRC32 = nCRC ^ 0xFFFFFFFF
        #debug("DataPacket.calculate_crc32 = %d" % self.nCRC32)

    def extract(self, sQuery):
        """Turn a string into the DataPacket attributes."""
        #debug("DataPacket.extract(%d)" % len(sQuery))
        tVals = struct.unpack("!hhLh" + str(len(sQuery) - 10) + "s", sQuery)
        self.nPacketVersion = tVals[0]
        self.nPacketType = tVals[1]
        self.nCRC32 = tVals[2]
        self.nResultCode = tVals[3]
        self.sData = tVals[4]

m_nTimeout = 0

def alarm_handler(nSignum, oFrame):
    """Timeout catcher"""
    raise
```
Exploit-DB
NRPE 2.15 - Remote Command Execution
exploitdb·2014-04-18
---
- Release date: 17.04.2014
- Discovered by: Dawid Golunski
- Severity: High
I. VULNERABILITY
NRPE - Nagios Remote Plugin Executor

```c
buffer)==TRUE){
    syslog(LOG_ERR,"Error: Request contained illegal metachars!");
```

that prevents bash special characters like semicolon, pipe etc.
The code is also making sure that arguments do not contain bash command substitution, i.e. $(ps aux)

```c
if(strstr(macro_argv[x],"$(")) {
    syslog(LOG_ERR,"Error: Request contained a bash command substitution!");
    return ERROR;
}
```

Despite these checks the code is vulnerable to command injection as bash shell allows for multiple command execution if commands are separated by a new line.
None of the checks examines the arguments for an occurrence of a new line character: 0x0A
V. PRO
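The gap the advisory describes, as an added example for reviewing argument validation (not NRPE's code and not part of the advisory): a denylist in the style quoted above accepts an argument containing 0x0A, while an allowlist rejects it. The function names, the denylist string and the allowlist character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed denylist for illustration (semicolon, pipe and similar shell
 * metacharacters, as the advisory describes); not copied from nrpe.c. */
#define DENYLIST_METACHARS "|`&><'\"\\[]{};"

/* Denylist style described in the advisory: reject listed metacharacters
 * and the "$(" sequence. Returns 1 when the argument is accepted. */
int denylist_accepts(const char *arg) {
    if (strpbrk(arg, DENYLIST_METACHARS) != NULL) return 0;
    if (strstr(arg, "$(") != NULL) return 0;
    return 1; /* anything not listed, including 0x0A, is accepted */
}

/* Same denylist with CR and LF added: closes this one gap only. */
int denylist_with_newline_accepts(const char *arg) {
    if (strpbrk(arg, "\r\n") != NULL) return 0;
    return denylist_accepts(arg);
}

/* Allowlist (hypothetical policy): accept only ASCII letters, digits and a
 * few punctuation characters that plugin thresholds and paths need. */
int allowlist_accepts(const char *arg) {
    static const char extra[] = "._-/:,=%@+";
    if (*arg == '\0') return 0;
    for (const unsigned char *p = (const unsigned char *)arg; *p; p++) {
        if (*p < 0x80 && isalnum(*p)) continue;
        if (strchr(extra, *p) != NULL) continue;
        return 0; /* control characters, whitespace, metachars, non-ASCII */
    }
    return 1;
}

int main(void) {
    /* Constructed sample arguments; the third embeds a line feed (0x0A). */
    const char *samples[] = { "/dev/sda1", "80,90", "10\nsecond-line", "a;b", "$(x)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("arg %zu: denylist=%d denylist+newline=%d allowlist=%d\n", i,
               denylist_accepts(samples[i]),
               denylist_with_newline_accepts(samples[i]),
               allowlist_accepts(samples[i]));
    return 0;
}
```

The allowlist fails closed: a character nobody thought to list is rejected instead of passed to the shell, which is the property the denylist lacks.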
Bugzilla
CVE-2014-2913 nrpe: remote command execution when command arguments are enabled [fedora-all]
bugzilla·2014-04-22·CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note:
Bugzilla
CVE-2014-2913 nrpe: remote command execution when command arguments are enabled
bugzilla·2014-04-22·CVSS 7.5
A remote command execution flaw was discovered in Nagios NRPE when command arguments are enabled. A remote attacker could use this flaw to execute arbitrary commands. This issue affects versions 2.15 and older.
Command arguments are disabled by default ("dont_blame_nrpe=0" in "/etc/nagios/nrpe.cfg"), and the security risk of enabling them is documented.
Some discussion about the fix is available on the oss-security list: http://seclists.org/oss-sec/2014/q2/129
Discussion:
Created nrpe tracking bugs for this issue:
Affects: fedora-all [bug 1089879]
Affects: epel-all [bug 1089880]
---
nrpe-2.15-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it
Bugzilla
CVE-2014-2913 nrpe: remote command execution when command arguments are enabled [epel-all]
bugzilla·2014-04-22·CVSS 7.5
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.html
- http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html
- http://seclists.org/fulldisclosure/2014/Apr/240
- http://seclists.org/fulldisclosure/2014/Apr/242
- http://seclists.org/oss-sec/2014/q2/154
- http://seclists.org/oss-sec/2014/q2/155
- http://www.securityfocus.com/bid/66969
Published: 2014-05-07