Nagios NRPE nrpe.c Arbitrary Command Execution

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The monitoring service running on the remote host is affected by an
arbitrary command execution vulnerability.

Description :

The remote host is running a version of Nagios NRPE that contains a
flaw that is triggered when input passed via '$()' is not properly
sanitized before being used to execute plugins.

An unauthenticated, remote attacker could exploit this issue to
execute arbitrary commands within the context of the vulnerable
application.

See also :

http://www.nessus.org/u?f72b1d9b

Solution :

Upgrade to Nagios NRPE 2.14 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 66361

Bugtraq ID: 58142

CVE ID: CVE-2013-1362