NRPE doesn't validate the name on TLS certificates

LinuxMonitoring
Posts: 3
Joined: Sun Jun 16, 2019 6:01 am

NRPE doesn't validate the name on TLS certificates

Post by LinuxMonitoring »

Hi Folks,

I've set up the latest versions of Nagios, check_nrpe and NRPEd on CentOS 7.

I want to use TLS certificates but I found that neither side of the NRPE connection appears to validate the name on the TLS certificate. So, a host running NRPEd will accept ANY certificate that it can validate using the trusted CA and likewise Nagios will accept ANY certificate that the CA has signed when it connects to the host.

So now anyone who has a cert signed by the CA that Nagios and the client trust can send queries to hosts, decrypt traffic and modify it. It would be like going to support.nagios.com and accepting the TLS connection even though the cert was for www.google.com or some other website.

The problem is even more serious if Nagios and NRPE use the bundle of CA root certificates because it means that ANYONE in the world who has a valid cert can have it accepted by Nagios/NRPE and do the man in the middle attack. Yes, I know you can configure the address of the Nagios server into NRPEd which would mitigate the problem but that doesn't stop someone performing a man-in-the-middle attack.

I would expect that the host name check is done both ways so (say) nagios.example.com would connect to host.example.com and they would both have certificates signed by a trusted CA. Now the host can check that the connection actually came from nagios.example.com and Nagios could check that the host it is connecting to really is host.example.com so the connection is properly secured.

I've looked at NSClient++ for our Windows hosts and it appears to have exactly the same problem.

Is there some setting that I have missed here that can be used to make it check the name on the certificate?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NRPE doesn't validate the name on TLS certificates

Post by scottwilkerson »

You can require specific client certificates.

See the "Implement NRPE Client Certificate" section here:
https://support.nagios.com/kb/article.php?id=519
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
LinuxMonitoring
Posts: 3
Joined: Sun Jun 16, 2019 6:01 am

Re: NRPE doesn't validate the name on TLS certificates

Post by LinuxMonitoring »

Thanks for the quick reply!

Yes, I did get the certs and CA correctly installed at both ends and ssl_client_certs=2.

The problem is that neither Nagios nor the client check the Common Name in the cert so it could be ANY system with a signed certificate from that CA that is connecting to NRPE.

If you have (say) host1 and host2 managed by your Nagios server, then you can log on to host2 and send an NRPE query to host1 and it will execute it, because both host1 and host2 have valid TLS certs signed by the CA and NRPEd doesn't check for (say) CN=nagios.example.com to make sure it has come from a Nagios server - any valid cert will do as long as it's trusted by the CA. :o

Now if your PKI trusts the root CA bundle then there are millions of certificates trusted by the root CAs out there that can be used to authenticate with NRPE (or decrypt or modify your data).
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NRPE doesn't validate the name on TLS certificates

Post by scottwilkerson »

Did you set up ssl_cacert_file=, ssl_cert_file= and ssl_privatekey_file= in the nrpe.cfg?

Doing so should only allow machines with this certificate installed to communicate with the NRPE agent.
LinuxMonitoring
Posts: 3
Joined: Sun Jun 16, 2019 6:01 am

Re: NRPE doesn't validate the name on TLS certificates

Post by LinuxMonitoring »

Yes, the CA, cert and key are all correctly configured. If I remove them then it stops working. Verbose logging shows that the certs are being validated against the CA.

The problem is that the Common Name on the cert is NOT checked, so ANY valid cert trusted by ssl_cacert_file is accepted and this is a huge security hole.

When Nagios connects to client1.example.com it needs to check that the name on the cert is client1.example.com so it knows it is communicating with the real server and not some other server or a man in the middle with a valid certificate from the CA.

Likewise when client1.example.com communicates with nagios.example.com it needs to check that the server at the other end of the connection has the correct cert for nagios.example.com otherwise it could be talking to anyone with a valid cert from the trusted CA.

It's like connecting to https://support.nagios.com/ and allowing the connection because the website presented a certificate from www.google.com which is trusted by the CA bundle on your browser.

It's vital that both sides of the connection check the name on the cert.
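The check the thread says is missing, written out as an added example (not NRPE or check_nrpe code): a hostname match over the certificate as Python's ssl.getpeercert() reports it, plus the client-side TLS context that enforces it. The two certificates are constructed samples standing in for the thread's host1 and host2; NRPE_PORT is assumed to be the default 5666.

```python
import ssl

# Constructed sample: a CA-signed cert for host1, in ssl.getpeercert() dict form.
HOST1_CERT = {
    "subject": ((("commonName", "host1.example.com"),),),
    "subjectAltName": (("DNS", "host1.example.com"),),
}
# Constructed sample: host2's cert from the same CA (the thread's host2 -> host1 case).
HOST2_CERT = {
    "subject": ((("commonName", "host2.example.com"),),),
    "subjectAltName": (("DNS", "host2.example.com"),),
}
NRPE_PORT = 5666  # assumed default NRPE port


def _label_matches(pattern: str, name: str) -> bool:
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    plabels, nlabels = pattern.split("."), name.split(".")
    # Wildcard must be the whole leftmost label, cover the same number of
    # labels as the name, and never be as broad as "*.com".
    if len(plabels) != len(nlabels) or plabels[0] != "*" or len(plabels) < 3:
        return False
    return plabels[1:] == nlabels[1:]


def peer_name_matches(cert: dict, expected_host: str) -> bool:
    """True if the cert names expected_host. dNSName SANs win; the CN is only a
    fallback when the cert carries no dNSName SAN, as browsers do."""
    san_names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if san_names:
        return any(_label_matches(p, expected_host) for p in san_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_matches(cn, expected_host) for cn in cns)


def nrpe_client_context(ca_file=None) -> ssl.SSLContext:
    """Client context with CA verification AND hostname checking enabled.
    ca_file=None falls back to the system CA store, which the thread warns
    trusts far more than your own NRPE CA."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

With this context, `ctx.wrap_socket(sock, server_hostname="host1.example.com")` fails the handshake when the peer presents host2's cert, which is the behaviour the thread asks for on the Nagios side; peer_name_matches is the same decision applied to a certificate you already hold.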
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NRPE doesn't validate the name on TLS certificates

Post by scottwilkerson »

I see what you are saying, the CN is not checked, but this was by design when the SSL certificate implementation was added to NRPE.

The supporting documentation does not specify that the CN of the certificates is validated or is important ... compared to our SSL documentation for our other products, which has a very clear paragraph about how the CN must be valid.

What you are looking for doesn't exist in the current NRPE and would be a feature request that could be made here if you like:

https://github.com/NagiosEnterprises/nrpe/issues