Debian Bug report logs - #745272
nagios-nrpe: CVE-2014-2913: Remote command execution
Reported by: Markus Manzke <debian@mare-system.de>
Date: Sun, 20 Apr 2014 06:30:01 UTC
Severity: critical
Tags: security
Fixed in version nagios-nrpe/2.15-1
Done: Alexander Wirt <formorer@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, debian@mare-system.de, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#745272; Package nagios-nrpe-server. (Sun, 20 Apr 2014 06:30:06 GMT)
Acknowledgement sent to Markus Manzke <debian@mare-system.de>: New Bug report received and forwarded. Copy sent to debian@mare-system.de, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 20 Apr 2014 06:30:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: nagios-nrpe-server
Severity: critical
Tags: security
NRPE fails to check input when a newline character is issued.
A PoC has been released and works on Debian 7; no CVE assigned yet.
http://seclists.org/fulldisclosure/2014/Apr/240
http://seclists.org/oss-sec/2014/q2/136
-- System Information:
Debian Release: 7.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages nagios-nrpe-server depends on:
ii adduser 3.113+nmu3
ii libc6 2.13-38+deb7u1
ii libssl1.0.0 1.0.1e-2+deb7u4
ii libwrap0 7.6.q-24
ii lsb-base 4.1+Debian8+deb7u1
Versions of packages nagios-nrpe-server recommends:
ii nagios-plugins 1.4.16-1
ii nagios-plugins-basic 1.4.16-1
nagios-nrpe-server suggests no packages.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#745272; Package nagios-nrpe-server. (Sun, 20 Apr 2014 06:39:05 GMT)
Acknowledgement sent to Alexander Wirt <formorer@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 20 Apr 2014 06:39:05 GMT)
Message #10 received at 745272@bugs.debian.org:
On Sun, 20 Apr 2014, Markus Manzke wrote:
> Package: nagios-nrpe-server
> Severity: critical
> Tags: security
>
> NRPE fails to check input when a newline character is issued.
>
> A PoC has been released and works on Debian 7; no CVE assigned yet.
>
> http://seclists.org/fulldisclosure/2014/Apr/240
> http://seclists.org/oss-sec/2014/q2/136
There is a good reason we don't recommend using arguments...
Alex
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#745272; Package nagios-nrpe-server. (Sun, 20 Apr 2014 06:57:05 GMT)
Acknowledgement sent to Markus Manzke <mm@mare-system.de>: Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 20 Apr 2014 06:57:05 GMT)
Message #15 received at 745272@bugs.debian.org:
Hi Alex,
> There is a good reason we don't recommend using arguments...
>
> Alex
Yes, I know; that's why a similar bug has been unfixed in squeeze
for a year or so now, although reported.
Regards,
Markus
Changed Bug title to 'nagios-nrpe: CVE-2014-2913: Remote command execution' from 'NRPE - Nagios Remote Plugin Executor <= 2.15 Remote CommandExecution, POC released'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Apr 2014 04:54:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#745272; Package nagios-nrpe-server. (Thu, 24 Apr 2014 12:27:14 GMT)
Acknowledgement sent to Alexander Wirt <formorer@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 24 Apr 2014 12:27:14 GMT)
Message #22 received at 745272@bugs.debian.org:
On Sun, 20 Apr 2014, Markus Manzke wrote:
>
>
> hi alex
>
> >There is a good reason we don't recommend using arguments...
> >
> >Alex
>
> Yes, I know; that's why a similar bug has been unfixed in squeeze
> for a year or so now, although reported.
Just a follow-up:
http://seclists.org/oss-sec/2014/q2/155
Upstream says that this is "expected behaviour".
If you ask me, we should just patch that "feature" out and ship nrpe without
macro expansion.
Alex
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#745272; Package nagios-nrpe-server. (Wed, 30 Apr 2014 12:09:08 GMT)
Acknowledgement sent to "Jan Lühr" <jan@jluehr.de>: Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 30 Apr 2014 12:09:08 GMT)
Message #27 received at 745272@bugs.debian.org:
Hello,
there are some reports that this issue is being exploited by a botnet.
Please consider pushing security updates.
Greetz, Jan
(German)
http://www.heise.de/ix/meldung/Botnetz-fuer-Altcoin-Mining-nutzt-Luecke-in-Nagios-Ueberwachung-aus-2180129.html
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#745272; Package nagios-nrpe-server. (Wed, 30 Apr 2014 18:18:10 GMT)
Acknowledgement sent to Alexander Wirt <formorer@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 30 Apr 2014 18:18:10 GMT)
Message #32 received at 745272@bugs.debian.org:
On Wed, 30 Apr 2014, Jan Lühr wrote:
> Hello,
>
> there are some reports that this issue is being exploited by a botnet.
> Please consider pushing security updates.
As said, this is considered a feature by upstream. And to be honest, people
who are so stupid as to allow dont_blame_nrpe + allowed_hosts=0.0.0.0/0
deserve a heise news entry.
I won't have time in the next days to write a patch for this. And if I were to
do such a patch, it would remove dont_blame_nrpe entirely, for all time.
So if you are interested in getting this nonsense working, feel free to
provide a patch.
Alex
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#745272; Package nagios-nrpe-server. (Wed, 30 Apr 2014 21:48:05 GMT)
Acknowledgement sent to Michael Friedrich <michael.friedrich@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 30 Apr 2014 21:48:05 GMT)
Message #37 received at 745272@bugs.debian.org:
On 30.04.2014 20:15, Alexander Wirt wrote:
> On Wed, 30 Apr 2014, Jan Lühr wrote:
>
>> Hello,
>>
>> there are some reports that this issue is being exploited by a botnet.
>> Please consider pushing security updates.
> As said, this is considered a feature by upstream. And to be honest, people
> who are so stupid as to allow dont_blame_nrpe + allowed_hosts=0.0.0.0/0
> deserve a heise news entry.
>
> I won't have time in the next days to write a patch for this. And if I were to
> do such a patch, it would remove dont_blame_nrpe entirely, for all time.
>
> So if you are interested in getting this nonsense working, feel free to
> provide a patch.
Try the ones attached - they essentially break existing modified
configurations having that option set and will refuse to start the
daemon if it is not removed.
Therefore a changelog entry on upgrade would be reasonable, imho.
Seems that Nagios upstream will never provide a fix, as they consider
nrpe "secure" and security holes a "feature"... (if you find the
sarcasm, it's free and does not require a do-it-yourself licence)
0001-Reject-dont_blame_nrpe-for-NRPE-daemon-CVE-2014-2913.patch - simply
disables dont_blame_nrpe and bails out if the option remains set in nrpe.cfg
or
0001-Wipe-dont_blame_nrpe-and-allow_bash_command_substitu.patch -
entirely removes all related CVE-affected code. Did not change configure;
too many changes between the ancient autoconf 2.59 and 2.69 in testing.
--enable-command-args is therefore useless, but since these are binary
packages it doesn't hurt much for Debian users here.
hth
Michael
--
DI (FH) Michael Friedrich
michael.friedrich@gmail.com || icinga open source monitoring
https://twitter.com/dnsmichi || lead core developer
dnsmichi@jabber.ccc.de || https://www.icinga.org/team
irc.freenode.net/icinga || dnsmichi
[0001-Wipe-dont_blame_nrpe-and-allow_bash_command_substitu.patch (text/x-patch, attachment)]
[0001-Reject-dont_blame_nrpe-for-NRPE-daemon-CVE-2014-2913.patch (text/x-patch, attachment)]
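The two proposed patches take the "refuse to start if dont_blame_nrpe is set" route. As an added example (not part of this bug log and not NRPE's or Debian's code), the following Python audits an nrpe.cfg for that option, for the wide-open allowed_hosts Alex mentions, and for command definitions that would expand client-supplied $ARGn$ macros. The config syntax follows nrpe.cfg conventions (key=value lines, command[name]=... definitions); the sample configuration, regexes and function names are constructed for this example.

```python
import re

# Constructed sample nrpe.cfg showing the combination the thread warns about.
SAMPLE_NRPE_CFG = """\
allowed_hosts=127.0.0.1,0.0.0.0/0
dont_blame_nrpe=1
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
"""

CMD_RE = re.compile(r"^command\[(?P<name>[^\]]+)\]=(?P<line>.*)$")
ARG_RE = re.compile(r"\$ARG\d+\$")          # NRPE argument macros ($ARG1$ ...)
OPEN_NETS = {"0.0.0.0/0", "::/0"}           # allowed_hosts entries admitting anyone

def parse_nrpe_cfg(text: str) -> dict:
    """Collect only the settings relevant to CVE-2014-2913 exposure."""
    cfg = {"dont_blame_nrpe": "0", "allowed_hosts": [], "commands": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CMD_RE.match(line)
        if m:
            cfg["commands"][m.group("name")] = m.group("line")
        elif line.startswith("dont_blame_nrpe="):
            cfg["dont_blame_nrpe"] = line.split("=", 1)[1].strip()
        elif line.startswith("allowed_hosts="):
            cfg["allowed_hosts"] = [h.strip() for h in line.split("=", 1)[1].split(",")]
    return cfg

def audit_nrpe_cfg(text: str) -> list:
    """Return findings; an empty list means nothing to report.

    Follows the approach of the Debian fix: dont_blame_nrpe=1 is refused
    outright, and commands that would expand client-supplied $ARGn$ macros
    plus any wide-open allowed_hosts entry are reported alongside it.
    """
    cfg = parse_nrpe_cfg(text)
    findings = []
    if cfg["dont_blame_nrpe"] == "1":
        findings.append("dont_blame_nrpe=1: command arguments enabled; daemon should refuse to start")
        findings += [f"command[{n}] expands client-supplied $ARGn$ macros"
                     for n, c in cfg["commands"].items() if ARG_RE.search(c)]
    open_nets = [h for h in cfg["allowed_hosts"] if h in OPEN_NETS]
    if open_nets:
        findings.append(f"allowed_hosts admits any client: {', '.join(open_nets)}")
    return findings

if __name__ == "__main__":
    for finding in audit_nrpe_cfg(SAMPLE_NRPE_CFG):
        print("FINDING:", finding)
```

On the sample above this reports three findings: the dont_blame_nrpe setting, the check_disk command (check_load takes no $ARGn$ and is not listed), and the 0.0.0.0/0 entry.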
Added tag(s) pending. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Tue, 15 Jul 2014 15:21:04 GMT)
Reply sent to Alexander Wirt <formorer@debian.org>: You have taken responsibility. (Tue, 15 Jul 2014 16:51:13 GMT)
Notification sent to Markus Manzke <debian@mare-system.de>: Bug acknowledged by developer. (Tue, 15 Jul 2014 16:51:13 GMT)
Message #44 received at 745272-close@bugs.debian.org:
Source: nagios-nrpe
Source-Version: 2.15-1
We believe that the bug you reported is fixed in the latest version of
nagios-nrpe, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 745272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated nagios-nrpe package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 15 Jul 2014 18:30:36 +0200
Source: nagios-nrpe
Binary: nagios-nrpe-server nagios-nrpe-plugin
Architecture: source amd64
Version: 2.15-1
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description:
nagios-nrpe-plugin - Nagios Remote Plugin Executor Plugin
nagios-nrpe-server - Nagios Remote Plugin Executor Server
Closes: 679241 719636 745272 752243
Changes:
nagios-nrpe (2.15-1) unstable; urgency=high
.
* [f2cea9f] Imported Upstream version 2.15
* [023e909] Disable command-args in nrpe. (Closes: #745272)
* [6369220] Use restorecon to set SE Linux context on $PIDDIR
(Closes: #679241)
* [a484e7d] Switch order of nagios-plugins recommends to prefer -basic.
(Closes: #752243)
* [b1ef043] Don't recommend a core implementation for the plugin
* [16dbf01] Remove obsolete patch
* [694b804] Remove luk from uploaders. (Closes: #719636)
* [28d9004] Remove obsolete patch
* [86ea67e] 08_CVE-2013-1362.dpatch is now obsolete
* [74e3b07] Refresh patches
* [1258ab2] Reword NEWS entry
* [744eec6] configure is buggy: --disable- in fact enables a feature.
* [eec54b6] Adjust README.Debian for the removal of argument processing
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:50:30 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 19:05:54 2019