NRPE vulnerability

kolio
Posts: 1
Joined: Thu Oct 09, 2014 3:53 am

NRPE vulnerability

Post by kolio »

Hi,

There is a vulnerability discovered in April that is valid for nrpe <= 2.15 - http://seclists.org/fulldisclosure/2014/Apr/240 . But there has been no release since 2013. Are there any plans to release a patch soon?

Best regards,
Nikolay
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: NRPE vulnerability

Post by tmcdonald »

That vulnerability only affects systems in which NRPE is specifically allowed to execute commands with arbitrary arguments by enabling the "dont_blame_nrpe" flag in the configs. If those are not enabled then the system will not be vulnerable. As for a fix to those systems that do have arbitrary commands allowed, I do not have a specific timeline. The solution for now is to hard-code the commands or use another of our agents like NCPA.
Former Nagios employee
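
An added example, not part of the original posts and not Nagios code: a small audit of an nrpe.cfg body that reports whether `dont_blame_nrpe` is enabled and which command definitions take `$ARGn$` macros and would need hard-coding, as the reply above suggests. The sample config, plugin paths and function names are constructed for illustration.

```python
import re

# Constructed sample nrpe.cfg contents (not taken from any real host).
SAMPLE_CFG = """\
allowed_hosts=127.0.0.1
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_old]=/usr/lib/nagios/plugins/check_old $ARG1$
"""

COMMAND_RE = re.compile(r"^command\[([^\]]+)\]\s*=\s*(.+)$")
ARG_RE = re.compile(r"\$ARG\d+\$")


def audit_nrpe_config(text):
    """Return (args_enabled, {command_name: [macros]}) for an nrpe.cfg body.

    args_enabled is True if any active line sets dont_blame_nrpe=1
    (a deliberately conservative reading). The dict lists commands whose
    definition uses $ARGn$ macros, i.e. the ones to hard-code.
    """
    args_enabled = False
    arg_commands = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        key, sep, value = line.partition("=")
        if sep and key.strip() == "dont_blame_nrpe":
            if value.strip() == "1":
                args_enabled = True
            continue
        match = COMMAND_RE.match(line)
        if match:
            macros = ARG_RE.findall(match.group(2))
            if macros:
                arg_commands[match.group(1)] = macros
    return args_enabled, arg_commands


if __name__ == "__main__":
    enabled, commands = audit_nrpe_config(SAMPLE_CFG)
    print("dont_blame_nrpe enabled:", enabled)
    for name, macros in commands.items():
        print(f"hard-code arguments for command[{name}]: uses {', '.join(macros)}")
```
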