nagios-nrpe: CVE-2014-2913: Remote command execution

Related Vulnerabilities: CVE-2014-2913   CVE-2013-1362  

Debian Bug report logs - #745272

Reported by: Markus Manzke <debian@mare-system.de>

Date: Sun, 20 Apr 2014 06:30:01 UTC

Severity: critical

Tags: security

Fixed in version nagios-nrpe/2.15-1

Done: Alexander Wirt <formorer@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, debian@mare-system.de, debian@mare-system.de, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#745272; Package nagios-nrpe-server. (Sun, 20 Apr 2014 06:30:06 GMT)


Acknowledgement sent to Markus Manzke <debian@mare-system.de>:
New Bug report received and forwarded. Copy sent to debian@mare-system.de, debian@mare-system.de, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 20 Apr 2014 06:30:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Manzke <debian@mare-system.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: NRPE - Nagios Remote Plugin Executor <= 2.15 Remote CommandExecution, POC released
Date: Sun, 20 Apr 2014 08:27:19 +0200
Package: nagios-nrpe-server
Severity: critical
Tags: security

NRPE fails to check input when a newline-character is issued

POC has been released and works on debian 7, no CVE assigned yet

http://seclists.org/fulldisclosure/2014/Apr/240
http://seclists.org/oss-sec/2014/q2/136



-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nagios-nrpe-server depends on:
ii  adduser      3.113+nmu3
ii  libc6        2.13-38+deb7u1
ii  libssl1.0.0  1.0.1e-2+deb7u4
ii  libwrap0     7.6.q-24
ii  lsb-base     4.1+Debian8+deb7u1

Versions of packages nagios-nrpe-server recommends:
ii  nagios-plugins        1.4.16-1
ii  nagios-plugins-basic  1.4.16-1

nagios-nrpe-server suggests no packages.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#745272; Package nagios-nrpe-server. (Sun, 20 Apr 2014 06:39:05 GMT)


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 20 Apr 2014 06:39:05 GMT)


Message #10 received at 745272@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: Markus Manzke <debian@mare-system.de>, 745272@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: [Pkg-nagios-devel] Bug#745272: NRPE - Nagios Remote Plugin Executor <= 2.15 Remote CommandExecution, POC released
Date: Sun, 20 Apr 2014 08:35:45 +0200

On Sun, 20 Apr 2014, Markus Manzke wrote:

> Package: nagios-nrpe-server
> Severity: critical
> Tags: security
> 
> NRPE fails to check input when a newline-character is issued
> 
> POC has been released and works on debian 7, no CVE assigned yet
> 
> http://seclists.org/fulldisclosure/2014/Apr/240
> http://seclists.org/oss-sec/2014/q2/136

There is a good reason we don't recommend using arguments...

Alex



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#745272; Package nagios-nrpe-server. (Sun, 20 Apr 2014 06:57:05 GMT)


Acknowledgement sent to Markus Manzke <mm@mare-system.de>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 20 Apr 2014 06:57:05 GMT)


Message #15 received at 745272@bugs.debian.org:

From: Markus Manzke <mm@mare-system.de>
To: Alexander Wirt <formorer@debian.org>
Cc: Markus Manzke <debian@mare-system.de>, 745272@bugs.debian.org, Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: [Pkg-nagios-devel] Bug#745272: NRPE - Nagios Remote Plugin Executor <= 2.15 Remote CommandExecution, POC released
Date: Sun, 20 Apr 2014 08:54:37 +0200

hi alex

> There is a good reason we don't recommend using arguments...
> 
> Alex

yes, i know; that's why a similar bug is unfixed in squeeze
for a year or so now, although reported


regards,


markus







Changed Bug title to 'nagios-nrpe: CVE-2014-2913: Remote command execution' from 'NRPE - Nagios Remote Plugin Executor <= 2.15 Remote CommandExecution, POC released' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Apr 2014 04:54:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#745272; Package nagios-nrpe-server. (Thu, 24 Apr 2014 12:27:14 GMT)


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 24 Apr 2014 12:27:14 GMT)


Message #22 received at 745272@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: Markus Manzke <mm@mare-system.de>, 745272@bugs.debian.org
Cc: Markus Manzke <debian@mare-system.de>
Subject: Re: [Pkg-nagios-devel] Bug#745272: Bug#745272: NRPE - Nagios Remote Plugin Executor <= 2.15 Remote CommandExecution, POC released
Date: Thu, 24 Apr 2014 14:22:43 +0200

On Sun, 20 Apr 2014, Markus Manzke wrote:

> 
> 
> hi alex
> 
> >There is a good reason we don't recommend using arguments...
> >
> >Alex
> 
> yes, i know; that's why a similar bug is unfixed in squeeze
> for a year or so now, although reported

just a followup:

http://seclists.org/oss-sec/2014/q2/155

upstream says that this is "expected behaviour".

If you ask me, we should just patch that "feature" out and ship nrpe without
macro expansion.

Alex




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#745272; Package nagios-nrpe-server. (Wed, 30 Apr 2014 12:09:08 GMT)


Acknowledgement sent to "Jan Lühr" <jan@jluehr.de>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 30 Apr 2014 12:09:08 GMT)


Message #27 received at 745272@bugs.debian.org:

From: "Jan Lühr" <jan@jluehr.de>
To: 745272@bugs.debian.org
Subject: Exploited by botnet
Date: Wed, 30 Apr 2014 13:29:10 +0200

Hello,

there are some reports that this issue is exploited by a botnet.
Please consider pushing security updates.

Greetz, Jan


(German)
http://www.heise.de/ix/meldung/Botnetz-fuer-Altcoin-Mining-nutzt-Luecke-in-Nagios-Ueberwachung-aus-2180129.html






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#745272; Package nagios-nrpe-server. (Wed, 30 Apr 2014 18:18:10 GMT)


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 30 Apr 2014 18:18:10 GMT)


Message #32 received at 745272@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: Jan Lühr <jan@jluehr.de>, 745272@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#745272: Exploited by botnet
Date: Wed, 30 Apr 2014 20:15:07 +0200

On Wed, 30 Apr 2014, Jan Lühr wrote:

> Hello,
> 
> there are some reports that this issue is exploited by a botnet.
> Please consider pushing security updates.

As said this is considered a feature by upstream. And to be honest, people
that are so stupid to allow dont_blame_nrpe + allowed_hosts=0.0.0.0/0
deserved a heise news entry.

I won't have time in the next days to write a patch for this. And if I would
do such a patch it will remove dont_blame_nrpe at all for all time.

So if you are interested in getting this nonsense working, feel free to
provide a patch.

Alex



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#745272; Package nagios-nrpe-server. (Wed, 30 Apr 2014 21:48:05 GMT)


Acknowledgement sent to Michael Friedrich <michael.friedrich@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 30 Apr 2014 21:48:05 GMT)


Message #37 received at 745272@bugs.debian.org:

From: Michael Friedrich <michael.friedrich@gmail.com>
To: Alexander Wirt <formorer@debian.org>, 745272@bugs.debian.org, Jan Lühr <jan@jluehr.de>
Subject: Re: [Pkg-nagios-devel] Bug#745272: Bug#745272: Exploited by botnet
Date: Wed, 30 Apr 2014 23:43:32 +0200

On 30.04.2014 20:15, Alexander Wirt wrote:
> On Wed, 30 Apr 2014, Jan Lühr wrote:
>
>> Hello,
>>
>> there are some reports that this issue is exploited by a botnet.
>> Please consider pushing security updates.
> As said this is considered a feature by upstream. And to be honest, people
> that are so stupid to allow dont_blame_nrpe + allowed_hosts=0.0.0.0/0
> deserved a heise news entry.
>
> I won't have time in the next days to write a patch for this. And if I would
> do such a patch it will remove dont_blame_nrpe at all for all time.
>
> So if you are interested in getting this nonsense working, feel free to
> provide a patch.

Try the ones attached - it essentially breaks existing modified 
configurations having that option set and will refuse to start the 
daemon if not removed.
Therefore a changelog entry on upgrade would be reasonable imho.

Seems that nagios upstream will never provide a fix as they consider 
nrpe "secure" and security holes as "feature"... (if you find the 
sarcasm, it's free and does not require a do-it-yourself-license)

0001-Reject-dont_blame_nrpe-for-NRPE-daemon-CVE-2014-2913.patch - simply 
disables dont_blame_nrpe and bails out if the option remains set in nrpe.cfg

or

0001-Wipe-dont_blame_nrpe-and-allow_bash_command_substitu.patch - 
entirely remove all related CVE affected code. Did not change configure, 
too many changes between the ancient autoconf 2.59 and 2.69 in testing. 
--enable-command-args is therefore useless, but since it's binary 
packages it doesn't hurt much for debian users here.

hth
Michael



-- 
DI (FH) Michael Friedrich

michael.friedrich@gmail.com  || icinga open source monitoring
https://twitter.com/dnsmichi || lead core developer
dnsmichi@jabber.ccc.de       || https://www.icinga.org/team
irc.freenode.net/icinga      || dnsmichi

[0001-Wipe-dont_blame_nrpe-and-allow_bash_command_substitu.patch (text/x-patch, attachment)]
[0001-Reject-dont_blame_nrpe-for-NRPE-daemon-CVE-2014-2913.patch (text/x-patch, attachment)]
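
The settings named in this thread (dont_blame_nrpe, a wide-open allowed_hosts, and command definitions that expand argument macros) can be checked for in an existing nrpe.cfg before upgrading. This is an added example, not part of the bug log or of either attached patch; the sample configuration is constructed, the function names are hypothetical, and it assumes the usual `key=value` and `command[name]=...` syntax with `$ARGn$` macros.

```python
import ipaddress
import re

# Constructed sample nrpe.cfg for illustration (not taken from the bug report).
SAMPLE_CFG = """\
# constructed example
allowed_hosts=127.0.0.1,0.0.0.0/0
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")        # client-supplied argument macros
COMMAND_KEY = re.compile(r"command\[([^\]]+)\]")


def is_wide_open(entry):
    """True if an allowed_hosts entry is a /0 network, i.e. matches any peer."""
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or other non-CIDR entry: not judged here


def audit_nrpe_cfg(text):
    """Return [(line_no, finding)] for the settings discussed in the thread."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "dont_blame_nrpe" and value != "0":
            # Conservative: anything other than an explicit 0 is reported.
            findings.append((no, "dont_blame_nrpe is set: command arguments accepted"))
        elif key == "allowed_hosts":
            for entry in filter(None, (e.strip() for e in value.split(","))):
                if is_wide_open(entry):
                    findings.append((no, f"allowed_hosts entry {entry} matches every address"))
        else:
            match = COMMAND_KEY.fullmatch(key)
            if match and ARG_MACRO.search(value):
                findings.append((no, f"command[{match.group(1)}] expands $ARGn$ macros"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_nrpe_cfg(SAMPLE_CFG):
        print(f"line {no}: {finding}")
```

Commands flagged for `$ARGn$` macros are the ones that stop working once argument processing is disabled, so they need fixed arguments in nrpe.cfg instead.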

Added tag(s) pending. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Tue, 15 Jul 2014 15:21:04 GMT)


Reply sent to Alexander Wirt <formorer@debian.org>:
You have taken responsibility. (Tue, 15 Jul 2014 16:51:13 GMT)


Notification sent to Markus Manzke <debian@mare-system.de>:
Bug acknowledged by developer. (Tue, 15 Jul 2014 16:51:13 GMT)


Message #44 received at 745272-close@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: 745272-close@bugs.debian.org
Subject: Bug#745272: fixed in nagios-nrpe 2.15-1
Date: Tue, 15 Jul 2014 16:49:21 +0000

Source: nagios-nrpe
Source-Version: 2.15-1

We believe that the bug you reported is fixed in the latest version of
nagios-nrpe, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 745272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated nagios-nrpe package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 15 Jul 2014 18:30:36 +0200
Source: nagios-nrpe
Binary: nagios-nrpe-server nagios-nrpe-plugin
Architecture: source amd64
Version: 2.15-1
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description:
 nagios-nrpe-plugin - Nagios Remote Plugin Executor Plugin
 nagios-nrpe-server - Nagios Remote Plugin Executor Server
Closes: 679241 719636 745272 752243
Changes:
 nagios-nrpe (2.15-1) unstable; urgency=high
 .
   * [f2cea9f] Imported Upstream version 2.15
   * [023e909] Disable command-args in nrpe. (Closes: #745272)
   * [6369220] Use restorecon to set SE Linux context on $PIDDIR
     (Closes: #679241)
   * [a484e7d] Switch order of nagios-plugins recommends to prefer -basic.
     (Closes: #752243)
   * [b1ef043] Don't recommend a core implementation for the plugin
   * [16dbf01] Remove obsolete patch
   * [694b804] Remove luk from uploaders. (Closes: #719636)
   * [28d9004] Remove obsolete patch
   * [86ea67e] 08_CVE-2013-1362.dpatch is now obsolete
   * [74e3b07] Refresh patches
   * [1258ab2] Reword NEWS entry
   * [744eec6] configure is buggy: --disable- in fact enables a feature.
   * [eec54b6] Adjust README.Debian for the removal of argument processing




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:50:30 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:05:54 2019; Machine Name: buxtehude
