Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1417-1 advisory.

  - Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier     allows remote attackers to execute arbitrary commands via a newline character in the -a option to     libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor     allows newlines as expected behavior. Also, this issue can only occur when the administrator enables the     dont_blame_nrpe option in nrpe.conf despite the HIGH security risk warning within the comments     (CVE-2014-2913)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Use %configure macro as it deals with config.sub/guess and various flags properly ---- nrpe-2.15-6.el7 - Fix spec file for missing /usr/share/libtool/config/config.guess nrpe-2.15-6.el6 - Fix spec file for missing /usr/share/libtool/config/config.guess nrpe-2.15-6.fc23 - Fix spec file for missing /usr/share/libtool/config/config.guess nrpe-2.15-6.fc22 - Fix spec file for missing /usr/share/libtool/config/config.guess nrpe-2.15-6.fc21 - Fix spec file for missing /usr/share/libtool/config/config.guess

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Add patch to mitigate CVE-2014-2913

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as 'expected behavior.' Also, this issue can only occur when the administrator enables the 'dont_blame_nrpe' option in nrpe.conf despite the 'HIGH security risk' warning within the comments.

The remote host is affected by the vulnerability described in GLSA-201408-18 (NRPE: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in NRPE. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker can utilize multiple vectors to execute arbitrary       code.
  Workaround :

    There is no known workaround at this time.

This nrpe update fixes the following security documentation problem.

  - bnc#874743: Documented a possible command injection when     command arguments are enabled (CVE-2014-2913). More     details can be found inside the documentation of this     package.

nagios-nrpe has been updated to prevent possible remote command execution when command arguments are enabled. This issue affects versions 2.15 and older.

Further information is available at http://seclists.org/fulldisclosure/2014/Apr/240

These security issues have been fixed :

  - Remote command execution (CVE-2014-2913)

The version of Nagios Remote Plugin Executor (NRPE) running on the remote host has command argument processing enabled and accepts the newline character. An unauthenticated, remote attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application by appending those commands via a newline character in the '-a' option to libexec/check_nrpe.

ID	Name	Product	Family	Severity
193855	SUSE SLES12 Security Update : nrpe (SUSE-SU-2024:1417-1)	Nessus	SuSE Local Security Checks	critical
86042	Fedora 23 : nrpe-2.15-7.fc23 (2015-15398)	Nessus	Fedora Local Security Checks	high
79793	Fedora 19 : nrpe-2.15-2.fc19 (2014-5896)	Nessus	Fedora Local Security Checks	high
79346	Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)	Nessus	Fedora Local Security Checks	high
78307	Amazon Linux AMI : nrpe (ALAS-2014-364)	Nessus	Amazon Linux Local Security Checks	high
77462	GLSA-201408-18 : NRPE: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
75345	openSUSE Security Update : nrpe (openSUSE-SU-2014:0594-1)	Nessus	SuSE Local Security Checks	high
74117	SuSE 11.3 Security Update : nagios-nrpe, nagios-nrpe-debuginfo, nagios-nrpe-debugsource, etc (SAT Patch Number 9204)	Nessus	SuSE Local Security Checks	high
74116	SuSE 11.3 Security Update : nagios-nrpe, nagios-nrpe-debuginfo, nagios-nrpe-debugsource, etc (SAT Patch Number 9204)	Nessus	SuSE Local Security Checks	high
73757	Nagios NRPE Command Argument Processing Enabled	Nessus	Misc.	high

Detections

Analytics

CVE-2014-2913

critical

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high