CVSS2:
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS:
Percentile: 96.3%
Issue Overview:
DISPUTED Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as “expected behavior.” Also, this issue can only occur when the administrator enables the “dont_blame_nrpe” option in nrpe.conf despite the “HIGH security risk” warning within the comments.
Affected Packages:
nrpe
Issue Correction:
Run yum update nrpe to update your system.
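Because the overview ties the issue to the dont_blame_nrpe option being enabled, a configuration audit complements the package update. The script below is an added example, not part of the advisory or of NRPE; the function names, the NRPE_CONF variable and the sample config are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the advisory: audit an NRPE config file for the
# precondition in the overview (dont_blame_nrpe enabled).
# Assumptions: the last assignment wins and an absent directive means 0;
# files pulled in via include= / include_dir= are not followed.

nrpe_args_enabled() {   # $1 = config path; prints effective dont_blame_nrpe
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*dont_blame_nrpe[ \t]*$/ { v = $2; gsub(/[ \t\r]/, "", v); val = v }
        END { print (val == "" ? 0 : val) }
    ' "$1"
}

nrpe_arg_commands() {   # $1 = config path; prints command names using $ARGn$
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*command\[/ && /\$ARG[0-9]+\$/ {
            name = $0
            sub(/^[ \t]*command\[/, "", name)
            sub(/\].*/, "", name)
            print name
        }
    ' "$1"
}

nrpe_audit() {          # returns 1 when client-supplied arguments are accepted
    if [ "$(nrpe_args_enabled "$1")" = "1" ]; then
        cmds=$(nrpe_arg_commands "$1" | tr '\n' ' ')
        echo "REVIEW: dont_blame_nrpe=1; commands taking client arguments: ${cmds:-none}"
        return 1
    fi
    echo "OK: dont_blame_nrpe is not enabled"
    return 0
}

# Constructed sample config (plugin paths are illustrative).
sample=$(mktemp)
cat > "$sample" <<'EOF'
dont_blame_nrpe=1
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$
#command[check_old]=/usr/lib64/nagios/plugins/check_old $ARG1$
EOF

# NRPE_CONF is a hypothetical variable for pointing the audit at a real file.
nrpe_audit "${NRPE_CONF:-$sample}" || true
```

Commands listed in the REVIEW line are the ones whose arguments come from the remote caller and deserve attention first if the option has to stay enabled.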
New Packages:
i686:
nagios-plugins-nrpe-2.15-2.7.amzn1.i686
nrpe-debuginfo-2.15-2.7.amzn1.i686
nrpe-2.15-2.7.amzn1.i686
src:
nrpe-2.15-2.7.amzn1.src
x86_64:
nrpe-debuginfo-2.15-2.7.amzn1.x86_64
nrpe-2.15-2.7.amzn1.x86_64
nagios-plugins-nrpe-2.15-2.7.amzn1.x86_64
Red Hat: CVE-2014-2913
Mitre: CVE-2014-2913
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | nagios-plugins-nrpe | < 2.15-2.7.amzn1 | nagios-plugins-nrpe-2.15-2.7.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | nrpe-debuginfo | < 2.15-2.7.amzn1 | nrpe-debuginfo-2.15-2.7.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | nrpe | < 2.15-2.7.amzn1 | nrpe-2.15-2.7.amzn1.i686.rpm |
Amazon Linux | 1 | x86_64 | nrpe-debuginfo | < 2.15-2.7.amzn1 | nrpe-debuginfo-2.15-2.7.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | nrpe | < 2.15-2.7.amzn1 | nrpe-2.15-2.7.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | nagios-plugins-nrpe | < 2.15-2.7.amzn1 | nagios-plugins-nrpe-2.15-2.7.amzn1.x86_64.rpm |