Summary: --------------- CVE-ID: CVE-2013-1362CVSS: Base Score 7.5CVSS2 Vector: AV: N/AC: L/Au: N/C: P/I: P/A: P/E: u/RL: OF/RC: UC/CDP: N/TD: N/CR: L/IR: L/AR: LVendor: NagiosAffected Products: NRPEAffected Platforms: AllAffected versions: <2.14 Remote Exploitable: YesLocal Exploitable: NoPatch Status Vendor released a patch (See Solution) URL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability Description ---------------- nrpe 2.13 has, in src/nrpc. c, line 52: # define NASTY_METACHARS "| '&> <' \" \ [] {}; "This allows the passing of $ () to plugins/scripts which, if run underbash, will execute that shell command under a subprocess and pass theoutput as a parameter to the called script. using this, it is possibleto get called scripts, such as check_http, to execute arbitrarycommands under the uid that NRPE/nagios is running as (typically, 'nagios '). solution ------------ upgrade to NRPE 2.14 or later, available http://sourceforge.net/projects/nagios/files/nrpe-2.x/CVSS Base Score 7.5CVSS2 Vector AV: N/AC: L/Au: N/C: P/I: P/A: P/E: U/RL: OF/RC: UC/CDP: N/TD: N/CR: L/IR: L/AR: LVendor NagiosAffected Products NRPE (Configured with -- enable-command-args ). affected Platforms AllAffected versions <2.14 Remote Exploitable YesLocal Exploitable NoPatch Status Vendor released a patch (See Solution) Descriptionnrpe 2.13 has, in src/nrpc. c, line 52: # define NASTY_METACHARS "| '&> <' \" \ [] {}; "When NRPE is compiled with -- enable-command-args (the default for mostLinux distributions), the above code allows the passing of $ () to plugins/scripts which, if run under bash, will execute thatshell command under a subprocess and pass the output as a parameter tothe called script. using this, it is possible to get called scripts, such as check_http, to execute arbitrary commands under the uid thatNRPE/nagios is running as (typically, 'nagios '). solution Upgrade to NRPE 2.14 or later, available http://sourceforge.net/projects/nagios/files/nrpe-2.x/