Vulnerability CVE-2014-2913


Published: 2014-05-07

Description:
** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.

See advisories in our WLB2 database:
Topic
Author
Date
High
NRPE 2.15 Remote Command Execution
Claudio Viviani
29.08.2014

Type:

CWE-Other

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Opensuse -> Opensuse 
Novell -> Opensuse 
Nagios -> Remote plugin executor 

 References:
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.html
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html
http://seclists.org/fulldisclosure/2014/Apr/240
http://seclists.org/fulldisclosure/2014/Apr/242
http://seclists.org/oss-sec/2014/q2/154
http://seclists.org/oss-sec/2014/q2/155
http://www.securityfocus.com/bid/66969

Copyright 2024, cxsecurity.com

 

Back to Top