Hi,
I've just had a security vulnerability forwarded to me and wanted to get some clarification on this.
Is it version 2.14 of Nagios they refer to or 2.14 of NRPE?
We are currently using check_nrpe (v 2.12) with NSClient++ (v 0.3.9) on Windows servers; other system info follows:
System:
Nagios XI Version : 2012R1.6
LkennagiosP01 2.6.32-358.2.1.el6.x86_64 x86_64
CentOS release 6.4 (Final)
Gnome is not installed
If it is an issue do you have a fix for it?
================================================
>>ID: CVE-2013-1362
>>Title: Nagios Remote Plugin Executor Arbitrary Command Execution
>>Vendor: nagios.org
>>Description: A remote exploitation of an input validation error vulnerability in versions prior to 2.14 of Nagios, as included in various vendors' operating system distributions, could allow attackers to execute arbitrary commands on the targeted host.
>>CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
thanks,
Penny Karr
nrpe vulnerability?
-
slansing
- Posts: 7698
- Joined: Mon Apr 23, 2012 4:28 pm
- Location: Travelling through time and space...
Re: nrpe vulnerability?
This is an issue if you have compiled NRPE to allow for metacharacters. This is not something enabled by default, but it is an option at compile time or in the configuration file (in your case, nsc/nsclient.ini).
NRPE does by definition remotely execute scripts, "Nagios Remote Plugin Executor."
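A defender's way to check for the settings slansing describes (argument passing and metacharacter allowance) on both the Linux and the NSClient++ side, as an added example that is not from this thread or from Nagios/NSClient++. It assumes the nrpe.cfg key `dont_blame_nrpe` and the NSClient++ 0.3.x NSC.ini keys `allow_arguments` and `allow_nasty_meta_chars` in the [NRPE] section; the sample configs are constructed.

```python
import configparser
import re

# Added audit helper, not from the forum thread or Nagios. Assumes the
# nrpe.cfg key `dont_blame_nrpe` and the NSClient++ 0.3.x NSC.ini keys
# `allow_arguments` / `allow_nasty_meta_chars` in the [NRPE] section.
ARG_MACRO = re.compile(r"\$ARG\d+\$")

def audit_nrpe_cfg(text):
    """Report whether a Linux nrpe.cfg accepts remote arguments and which
    command definitions actually splice them into a command line."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        m = re.match(r"command\[(.+?)\]$", key)
        if m:
            commands[m.group(1)] = value
        else:
            settings[key] = value
    args_enabled = settings.get("dont_blame_nrpe", "0") == "1"
    arg_commands = sorted(n for n, c in commands.items() if ARG_MACRO.search(c))
    # remote input reaches a command line only when both conditions hold
    return {"args_enabled": args_enabled, "arg_commands": arg_commands,
            "remote_args_reach_commands": args_enabled and bool(arg_commands)}

def audit_nsc_ini(text):
    """Report the NSClient++ [NRPE] argument and metacharacter switches."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    nrpe = cp["NRPE"] if cp.has_section("NRPE") else {}
    args = nrpe.get("allow_arguments", "0").strip() == "1"
    meta = nrpe.get("allow_nasty_meta_chars", "0").strip() == "1"
    return {"args_enabled": args, "meta_enabled": meta, "needs_review": args and meta}

# Constructed sample configs for the audit above.
SAMPLE_NRPE_CFG = """\
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$
"""
SAMPLE_NSC_INI = """\
[NRPE]
allow_arguments=1
allow_nasty_meta_chars=0
"""
```

Run it against your real nrpe.cfg or NSC.ini text: a host where `remote_args_reach_commands` or `needs_review` is true is one where the compile-time/config option the reply refers to is actually in effect.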
Re: nrpe vulnerability?
Also, if you are behind a firewall, you should only have people internal to your network able to try and "hack" NRPE.
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
-
slansing
- Posts: 7698
- Joined: Mon Apr 23, 2012 4:28 pm
- Location: Travelling through time and space...
Re: nrpe vulnerability?
This is true; options like this do carry some weight when you decide to use them, but in a clean, closed environment they "should" be safe.