Bug 13306 - nrpe new security issue CVE-2014-2913
Summary: nrpe new security issue CVE-2014-2913
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/597183/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-02 18:52 CEST by David Walser
Modified: 2014-05-15 00:20 CEST (History)
5 users

See Also:
Source RPM: nrpe-2.15-2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-05-02 18:52:23 CEST
OpenSuSE has issued an advisory today (May 2):
http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-05-02 18:52:45 CEST

CC: (none) => guillomovitch, luis.daniel.lucio
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-05-12 23:25:34 CEST
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note that I used the patch indicated in the Novell bug that mitigates the issue:
https://bugzilla.novell.com/show_bug.cgi?id=874743

not the one used in the OpenSuSE updates that just documents the issue.

NRPE 2.16 will probably follow the documentation approach, it sounds like.

Advisory:
========================

Updated nrpe packages fix security vulnerability:

A remote command execution flaw was discovered in Nagios NRPE when command
arguments are enabled. A remote attacker could use this flaw to execute
arbitrary commands (CVE-2014-2913).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913
http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
========================

Updated packages in core/updates_testing:
========================
nrpe-2.14-1.2.mga3
nagios-check_nrpe-2.14-1.2.mga3
nrpe-2.15-2.1.mga4
nagios-check_nrpe-2.15-2.1.mga4

from SRPMS:
nrpe-2.14-1.2.mga3.src.rpm
nrpe-2.15-2.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
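The advisory above ties the flaw to one configuration state: argument processing switched on, so that client-supplied values reach a command definition. A configuration audit that reports exactly that state is the check a sysadmin would want to run across NRPE hosts before and after the update. The script below is an added example for this bug entry, not code from the Mageia package or from NRPE itself. It relies on NRPE's real nrpe.cfg keys (dont_blame_nrpe, allowed_hosts and command[name]=... definitions with $ARGn$ placeholders); the two sample configurations and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample nrpe.cfg with argument processing enabled and a command
# that substitutes client-supplied $ARGn$ values (not from any real host).
SAMPLE_CFG = """\
server_port=5666
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=1
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
"""

# Constructed hardened variant: argument processing off, fixed thresholds,
# only the local Nagios host allowed.
HARDENED_CFG = """\
server_port=5666
allowed_hosts=127.0.0.1
dont_blame_nrpe=0
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /
"""

ARG_RE = re.compile(r"\$ARG\d+\$")
CMD_RE = re.compile(r"^command\[([^\]]+)\]=(.*)$")


@dataclass
class NrpeConfig:
    args_enabled: bool = False
    allowed_hosts: list = field(default_factory=list)
    commands: dict = field(default_factory=dict)  # command name -> command line

    def arg_commands(self):
        """Names of commands whose line substitutes client-supplied $ARGn$."""
        return sorted(n for n, line in self.commands.items() if ARG_RE.search(line))


def parse_nrpe_cfg(text):
    """Parse the subset of nrpe.cfg this audit needs: key=value lines,
    '#' comments, and command[name]=... definitions."""
    cfg = NrpeConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CMD_RE.match(line)
        if m:
            cfg.commands[m.group(1)] = m.group(2).strip()
            continue
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "dont_blame_nrpe":
            cfg.args_enabled = value == "1"
        elif key == "allowed_hosts":
            cfg.allowed_hosts = [h.strip() for h in value.split(",") if h.strip()]
    return cfg


def audit_nrpe_cfg(text):
    """Return findings as strings; an empty list means the daemon is not in the
    state the advisory describes (argument processing enabled)."""
    cfg = parse_nrpe_cfg(text)
    findings = []
    with_args = cfg.arg_commands()
    if cfg.args_enabled and with_args:
        findings.append(
            "dont_blame_nrpe=1: client-supplied arguments are substituted into "
            "command(s) %s; set dont_blame_nrpe=0 or remove $ARGn$ from them"
            % ", ".join(with_args))
    elif cfg.args_enabled:
        findings.append("dont_blame_nrpe=1 although no command uses $ARGn$; "
                        "set it to 0 so arguments are never processed")
    if not cfg.allowed_hosts:
        findings.append("allowed_hosts is not set: nrpe.cfg restricts no source address")
    elif cfg.args_enabled:
        findings.append("argument processing is reachable from: %s"
                        % ", ".join(cfg.allowed_hosts))
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CFG), ("hardened", HARDENED_CFG)):
        print("%s: %s" % (name, audit_nrpe_cfg(text) or ["no findings"]))
```

Run it against a real /etc/nagios/nrpe.cfg by passing the file contents to audit_nrpe_cfg(); hosts that report the first finding are the ones where the updated package matters most, and the "reachable from" line tells you which monitoring servers can exercise the argument path.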

Comment 2 claire robinson 2014-05-13 18:42:59 CEST
Testing complete mga4 64

Some testing info in bug 9615 comment 6

# service nrpe start
Redirecting to /bin/systemctl start nrpe.service
        
# service nrpe status
Redirecting to /bin/systemctl status nrpe.service
nrpe.service - Nagios Remote Plugin Execution daemon
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; enabled)
   Active: active (running) since Tue 2014-05-13 17:37:04 BST; 28s ago
  Process: 11914 ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d (code=exited, status=0/SUCCESS)
 Main PID: 11915 (nrpe)
   CGroup: /system.slice/nrpe.service
           └─11915 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d
nrpe[11915]: Starting up daemon
nrpe[11915]: Server listening on 0.0.0.0 port 5666.
nrpe[11915]: Server listening on :: port 5666.
nrpe[11915]: Listening for connections on port 0
nrpe[11915]: Allowing connections from: 127.0.0.1
systemd[1]: Started Nagios Remote Plugin Execution daemon.

# netstat -pant | grep nrpe
tcp   0  0  0.0.0.0:5666  0.0.0.0:*  LISTEN   11915/nrpe          
tcp   0  0  :::5666       :::*       LISTEN   11915/nrpe  

# /usr/lib64/nagios/plugins/check_nrpe -H localhost
NRPE v2.15

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 3 David Remy 2014-05-14 02:51:04 CEST
Testing complete mga4-32

# service nrpe start
Redirecting to /bin/systemctl start nrpe.service

# service nrpe status
Redirecting to /bin/systemctl status nrpe.service
nrpe.service - Nagios Remote Plugin Execution daemon
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; enabled)
   Active: active (running) since Tue 2014-05-13 18:43:32 MDT; 50s ago
  Process: 5977 ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d (code=exited, status=0/SUCCESS)
 Main PID: 5978 (nrpe)
   CGroup: /system.slice/nrpe.service
           └─5978 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

nrpe[5978]: Starting up daemon
nrpe[5978]: Server listening on 0.0.0.0 port 5666.
nrpe[5978]: Server listening on :: port 5666.
nrpe[5978]: Listening for connections on port 0
nrpe[5978]: Allowing connections from: 127.0.0.1
systemd[1]: Started Nagios Remote Plugin Execution daemon.
systemd[1]: Started Nagios Remote Plugin Execution daemon.

# /usr/lib/nagios/plugins/check_nrpe -H localhost
NRPE v2.15

# uname -a
Linux localhost 3.12.18-server-1.mga4 #1 SMP Thu Apr 24 13:47:31 UTC 2014 i686 i686 i686 GNU/Linux

CC: (none) => dpremy
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok

Comment 4 claire robinson 2014-05-14 13:59:49 CEST
Testing complete mga3 32 & 64

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok

Comment 5 claire robinson 2014-05-14 14:02:46 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-05-15 00:20:10 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0217.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
