NRPE doesn't validate the name on TLS certificates
Posted: Mon Jun 17, 2019 8:25 am
Hi Folks,
I've set up the latest versions of Nagios, check_nrpe and NRPEd on CentOS 7.
I want to use TLS certificates but I found that neither side of the NRPE connection appears to validate the name on the TLS certificate. So, a host running NRPEd will accept ANY certificate that it can validate using the trusted CA and likewise Nagios will accept ANY certificate that the CA has signed when it connects to the host.
So now anyone who has a cert signed by the CA that Nagios and the client trust can send queries to hosts, decrypt traffic and modify it. It would be like going to support.nagios.com and accepting the TLS connection even though the cert was for www.google.com or some other website.
The problem is even more serious if Nagios and NRPE use the bundle of CA root certificates because it means that ANYONE in the world who has a valid cert can have it accepted by Nagios/NRPE and do the man-in-the-middle attack. Yes, I know you can configure the address of the Nagios server into NRPEd which would mitigate the problem but that doesn't stop someone performing a man-in-the-middle attack.
I would expect that the host name check is done both ways so (say) nagios.example.com would connect to host.example.com and they would both have certificates signed by a trusted CA. Now the host can check that the connection actually came from nagios.example.com and Nagios could check that the host it is connecting to really is host.example.com so the connection is properly secured.
I've looked at NSClient++ for our Windows hosts and it appears to have exactly the same problem.
Is there some setting that I have missed here that can be used to make it check the name on the certificate?
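
The difference between chain-only validation and chain-plus-name validation described in the post, as an added example that is not part of the original post and is not NRPE or Nagios code. The function names are hypothetical, the certificates are constructed dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the chain result is passed in as a boolean standing for "signed by the trusted CA".

```python
# Added example. Certificates are constructed dicts in the shape returned by
# ssl.SSLSocket.getpeercert(); no network or real keys are involved.

def san_dns_names(cert):
    """DNS names from subjectAltName (CN fallback is deliberately not used)."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def label_match(pattern, host):
    """Exact match, or '*' standing for the whole left-most label only."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches(cert, expected):
    """True if the certificate names the peer we intended to talk to."""
    expected = expected.lower().rstrip(".")
    return any(label_match(n, expected) for n in san_dns_names(cert))

def accept_chain_only(cert, chain_ok):
    """Behaviour described in the post: any cert from the trusted CA passes."""
    return chain_ok

def accept_chain_and_name(cert, chain_ok, expected):
    """Expected behaviour: trusted chain AND the name is the configured peer."""
    return chain_ok and name_matches(cert, expected)

# Constructed sample certificates, all assumed signed by the same trusted CA.
HOST_CERT = {"subjectAltName": (("DNS", "host.example.com"),)}
OTHER_CERT = {"subjectAltName": (("DNS", "other.example.com"),)}
NAGIOS_CERT = {"subjectAltName": (("DNS", "nagios.example.com"),)}

if __name__ == "__main__":
    # Nagios side: connecting to host.example.com.
    for label, cert in (("host", HOST_CERT), ("other", OTHER_CERT)):
        print(label,
              "chain-only:", accept_chain_only(cert, True),
              "chain+name:", accept_chain_and_name(cert, True, "host.example.com"))
    # NRPE daemon side: the client must present the Nagios server's name.
    print("client check:",
          accept_chain_and_name(NAGIOS_CERT, True, "nagios.example.com"),
          accept_chain_and_name(OTHER_CERT, True, "nagios.example.com"))
```

In Python's own `ssl` module the client-side name check is what `SSLContext.check_hostname = True` enables during the handshake; checking the name on a client certificate on the server side has to be done by the application after the handshake, as the second call pair above models.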