NRPE Agent Vulnerabilities

IT-OPS-SYS
Posts: 184
Joined: Sun Jan 07, 2018 12:56 pm

NRPE Agent Vulnerabilities

Post by IT-OPS-SYS »

Nagios NRPE/nsclient Agents are installed on all our servers and communicate over port 5666 to the Nagios servers.

We have 2 Nagios servers, version 5.6.5, and we are worried about the vulnerabilities below:

4.2.1. TLS/SSL Server Supports Anonymous Cipher Suites with no Key Authentication (ssl-anon-ciphers)
4.2.2. TLS/SSL Server Supports DES and IDEA Cipher Suites (ssl-des-ciphers)
4.2.3. TLS/SSL Server Supports Export Cipher Algorithms (ssl-export-ciphers)
4.2.5. TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) (ssl-cve-2016-2183-sweet32)
4.2.6. TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566) (rc4-cve-2013-2566)
4.2.7. TLS/SSL Server is enabling the BEAST attack (ssl-cve-2011-3389-beast)
4.2.8. TLS/SSL Server is enabling the POODLE attack (sslv3-cve-2014-3566-poodle)
4.2.9. TLS/SSL Server Supports SSLv3 (sslv3-supported)
4.2.10. TLS Server Supports TLS version 1.0 (tlsv1_0-enabled)

Could you please let me know the remediation for the above vulnerabilities and when the fix will be implemented?

If the fix includes an agent version upgrade, then do let us know how we can upgrade the agents on all the servers without any downtime.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: NRPE Agent Vulnerabilities

Post by benjaminsmith »

Hello @IT-OPS-SYS,

You have the option to specify the usage of SSL/TLS and which ciphers are used in the nrpe configuration file (nrpe.cfg). The documentation is available at:

NRPE With SSL/TLS
IT-OPS-SYS
Posts: 184
Joined: Sun Jan 07, 2018 12:56 pm

Re: NRPE Agent Vulnerabilities

Post by IT-OPS-SYS »

I can see the below in my nrpe.cfg:


# SSL/TLS OPTIONS
# These directives allow you to specify how to use SSL/TLS.

# SSL VERSION
# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
# SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
# TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
# TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
# TLSv1.2+ (use TLSv1.2 or above)
# If an "or above" version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.
# If you are using openssl 1.1.0 or above, the SSLv2 options are not available.

#ssl_version=SSLv2+

# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.

#ssl_use_adh=1

# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in this version but
# will be changed to something like the example below in a later version of NRPE.

#ssl_cipher_list=ALL:!MD5:@STRENGTH
#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH

# SSL Certificate and Private Key Files

#ssl_cacert_file=/etc/ssl/servercerts/ca-cert.pem
#ssl_cert_file=/etc/ssl/servercerts/nagios-cert.pem
#ssl_privatekey_file=/etc/ssl/servercerts/nagios-key.pem

# SSL USE CLIENT CERTS


Do we still need to worry about those vulnerabilities?
IT-OPS-SYS
Posts: 184
Joined: Sun Jan 07, 2018 12:56 pm

Re: NRPE Agent Vulnerabilities

Post by IT-OPS-SYS »

We are using NRPE v3.2.1.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: NRPE Agent Vulnerabilities

Post by benjaminsmith »

Hello @IT-OPS-SYS,

I would recommend you discuss the configuration with your security team as they may have specific requirements or policies.

Looking over the list, most of these can be resolved within the SSL/TLS settings. By default, it's going to use TLSv2, and not SSL; 4.2.8, 4.2.9 and 4.2.10 are related to the use of SSL or TLSv1.

The other items can be mitigated by specifying which ciphers to use. By default, NRPE will not use MD5.
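Added example, not part of the thread and not Nagios code: a small audit of the SSL/TLS directives in an nrpe.cfg against the scan findings listed in the first post, using the defaults quoted in the posted nrpe.cfg comments. Assumptions: the function names are hypothetical, `ssl_use_adh=0` disables ADH, the `!DES`, `!3DES` and `!IDEA` exclusions are standard OpenSSL cipher-string keywords added beyond the page's example list, and requiring each exclusion to appear explicitly is a conservative simplification that only suits exclusion-style lists like the ones in the posted file.

```python
# Defaults quoted in the nrpe.cfg comments in this thread (NRPE v3.2.1).
PAGE_DEFAULTS = {"ssl_use_adh": "1", "ssl_cipher_list": "ALL:!MD5:@STRENGTH"}
# ssl_version values (from the same comments) that still permit SSLv3 or TLSv1.0.
WEAK_VERSIONS = {"SSLv2", "SSLv2+", "SSLv3", "SSLv3+", "TLSv1", "TLSv1+"}
# OpenSSL cipher-string exclusions mapped to the scan finding each addresses.
REQUIRED_EXCLUSIONS = {
    "!aNULL": "ssl-anon-ciphers", "!EXP": "ssl-export-ciphers",
    "!RC4": "rc4-cve-2013-2566", "!DES": "ssl-des-ciphers",
    "!IDEA": "ssl-des-ciphers", "!3DES": "ssl-cve-2016-2183-sweet32",
}
# Constructed sample: the SSL directives as posted, all commented out.
AS_POSTED = "#ssl_version=SSLv2+\n#ssl_use_adh=1\n#ssl_cipher_list=ALL:!MD5:@STRENGTH\n"
# Constructed sample: one possible hardened set (an assumption, not vendor guidance).
HARDENED = (
    "ssl_version=TLSv1.2+\nssl_use_adh=0\n"
    "ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!DES:!3DES:!IDEA:!MD5:@STRENGTH\n"
)

def parse_nrpe_cfg(text):
    """Return active (uncommented) key=value directives; later lines win."""
    active = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            active[key.strip()] = value.strip()
    return active

def audit(text):
    """List findings for the SSL/TLS directives in nrpe.cfg text."""
    cfg = {**PAGE_DEFAULTS, **parse_nrpe_cfg(text)}
    findings = []
    version = cfg.get("ssl_version")
    if version is None:
        findings.append("ssl_version not set explicitly; pin it (e.g. TLSv1.2+)")
    elif version in WEAK_VERSIONS:
        findings.append(f"ssl_version={version} permits SSLv3 and/or TLSv1.0")
    if cfg["ssl_use_adh"] != "0":
        findings.append(f"ssl_use_adh={cfg['ssl_use_adh']} allows anonymous DH (ssl-anon-ciphers)")
    tokens = set(cfg["ssl_cipher_list"].split(":"))
    for token, finding in REQUIRED_EXCLUSIONS.items():
        if token not in tokens:
            findings.append(f"ssl_cipher_list lacks {token} ({finding})")
    return findings

if __name__ == "__main__":
    for name, sample in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, audit(sample))
```

After changing nrpe.cfg, the scanner should be re-run against port 5666, and the check_nrpe side must support the pinned protocol version and ciphers or checks will fail to connect.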