Security bug introduced into nrpe.c when V3 code was added
Posted: Wed Feb 21, 2018 7:33 pm
When /usr/lib64/nagios/plugins/check_nrpe is run with an argument, if nrpe.cfg contains "dont_blame_nrpe=0", the request should fail and following two messages should be logged:
Error: Request contained command arguments, but argument option is not enabled!
Client request from was invalid, bailing out...
These messages are not being logged because when code was added to nrpe.c to handle V3 records, someone neglected to change the code that checks for arguments so it caters for a V2 record and also a V3 record. The code was not updated and only checks for a V2 record. When a V3 record is received by nrpe, the code checks for arguments in a area containing a V2 record! It should check in an area containing the received V3 record.
As a result, it is possible to run a check passing arguments with "dont_blame_nrpe=0".
This is a security bug that needs to be fixed asap.
Error: Request contained command arguments, but argument option is not enabled!
Client request from was invalid, bailing out...
These messages are not being logged because when code was added to nrpe.c to handle V3 records, someone neglected to change the code that checks for arguments so it caters for a V2 record and also a V3 record. The code was not updated and only checks for a V2 record. When a V3 record is received by nrpe, the code checks for arguments in a area containing a V2 record! It should check in an area containing the received V3 record.
As a result, it is possible to run a check passing arguments with "dont_blame_nrpe=0".
This is a security bug that needs to be fixed asap.