Nagios NRPE 2.13 Code Execution

`Summary:  
---------------  
CVE-ID: CVE-2013-1362  
CVSS: Base Score 7.5  
CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L  
Vendor: Nagios  
Affected Products: NRPE  
Affected Platforms: All  
Affected versions: < 2.14  
Remote Exploitable: Yes  
Local Exploitable: No  
Patch Status Vendor released a patch (See Solution)  
URL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability  
  
Description  
----------------  
nrpe 2.13 has, in src/nrpc.c, line 52:  
  
#define NASTY_METACHARS "|`&><'\"\\[]{};"  
  
This allows the passing of $() to plugins/scripts which, if run under  
bash, will execute that shell command under a subprocess and pass the  
output as a parameter to the called script. Using this, it is possible  
to get called scripts, such as check_http, to execute arbitrary  
commands under the uid that NRPE/nagios is running as (typically,  
'nagios').  
  
Solution  
------------  
Upgrade to NRPE 2.14 or later, available at  
http://sourceforge.net/projects/nagios/files/nrpe-2.x/  
`