Update/Upgrade NRPE

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
w-bao
Posts: 33
Joined: Mon Apr 04, 2016 11:57 am

Update/Upgrade NRPE

Post by w-bao »

I installed the NRPE agents following the Nagios XI installation guide https://assets.nagios.com/downloads/nag ... _Agent.pdf and downloaded the agent from https://assets.nagios.com/downloads/nag ... ent.tar.gz.

I just received a vulnerability report from our security team on some of the servers with NRPE agents installed.
"The version of Nagios Remote Plugin Executor (NRPE) running on the remote host has command argument processing enabled and accepts the newline character. An unauthenticated, remote attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application by appending those commands via a newline character in the '-a' option to libexec/check_nrpe."

How can I address this?
bwallace
Posts: 1145
Joined: Tue Nov 17, 2015 1:57 pm

Re: Update/Upgrade NRPE

Post by bwallace »

1.) With arguments disabled, the 'vulnerability' is not exploitable (barring, of course, any 0-day attacks).
2.) Ideally you are only letting certain IP addresses query port 5666 so any attacks (short of an exploit on your firewall) would need to come from the Nagios machine. That being said, if you have arguments enabled then you will still face the possibility of malicious arguments.
3.) Disabling arguments will make NRPE more secure, but will increase the configuration time required. Security never simplifies anything, and NRPE is no exception. NCPA is only a bit more locked down (requiring an auth token), but the argument parsing is somewhat broken at the moment.

- The above points are actually from this thread, see reply from 'tmcdonald'
https://support.nagios.com/forum/viewto ... 1456514247

Certainly let us know if you have any other questions or concerns, thanks.
Be sure to check out the Knowledgebase for helpful articles and solutions!
w-bao
Posts: 33
Joined: Mon Apr 04, 2016 11:57 am

Re: Update/Upgrade NRPE

Post by w-bao »

I am sorry, I was out for a while. But if I disable arguments in NRPE, does this mean I cannot use the check_nrpe command with arguments, e.g. "-H hostname -t 30 -c check_cpu_stats -a '-w 90 -c 95'", any more? If so, what's the alternative command I can use? Most of our systems are configured to use check_nrpe with arguments. That'll be a huge change.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Update/Upgrade NRPE

Post by mcapra »

w-bao wrote: what's the alternative command I can use? Most of our systems are configured to use check_nrpe with arguments. That'll be a huge change.
You're going to need to hard-code arguments for the commands on the remote machine's NRPE server (usually at /usr/local/nagios/etc/nrpe.cfg). In the case of check_cpu_stats, since that's a built-in NRPE command, it will also likely involve creating a separate NRPE/XI command definition (something like check_cpu_stats_safe maybe).

I understand the frustration, definitely. However, by virtue of securing a system, that system is going to become less flexible.
Former Nagios employee
https://www.mcapra.com/
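
Added example, not part of the thread and not Nagios's own code: a small audit of an nrpe.cfg that reports whether argument processing is enabled (the `dont_blame_nrpe` directive), whether `allowed_hosts` is set, and which command definitions still depend on `$ARGn$` macros and would need hard-coded replacements as described above. The sample config, the plugin paths and the `check_cpu_stats.sh` file name are constructed assumptions.

```python
import re

# Constructed sample nrpe.cfg (not from the thread); plugin paths are assumptions.
SAMPLE_CFG = """\
# constructed example
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=1
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_cpu_stats]=/usr/local/nagios/libexec/check_cpu_stats.sh $ARG1$
command[check_cpu_stats_safe]=/usr/local/nagios/libexec/check_cpu_stats.sh -w 90 -c 95
"""

CMD_RE = re.compile(r"^command\[([^\]]+)\]\s*=\s*(.*)$")
ARG_RE = re.compile(r"\$ARG\d+\$")

def audit_nrpe_cfg(text):
    """Collect the settings and commands relevant to the argument-processing finding."""
    result = {"args_enabled": False, "allowed_hosts": [],
              "arg_commands": [], "fixed_commands": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CMD_RE.match(line)
        if m:
            name, cmdline = m.groups()
            # Commands containing $ARGn$ only work when the client passes -a.
            key = "arg_commands" if ARG_RE.search(cmdline) else "fixed_commands"
            result[key].append(name)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "dont_blame_nrpe":
            result["args_enabled"] = value == "1"
        elif key == "allowed_hosts":
            result["allowed_hosts"] = [h.strip() for h in value.split(",") if h.strip()]
    return result

def findings(result):
    """Turn the audit result into human-readable findings."""
    out = []
    if result["args_enabled"]:
        out.append("dont_blame_nrpe=1: client-supplied arguments are accepted")
    if not result["allowed_hosts"]:
        out.append("allowed_hosts is not set in this file")
    for name in result["arg_commands"]:
        out.append(f"command[{name}] uses $ARGn$ and needs a hard-coded definition")
    return out

if __name__ == "__main__":
    print("\n".join(findings(audit_nrpe_cfg(SAMPLE_CFG))))
```

On the Nagios side, a service that previously called `check_nrpe ... -c check_cpu_stats -a '-w 90 -c 95'` would instead call `-c check_cpu_stats_safe` with no `-a`.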