NVD Vulnerability Detail

CVE-2014-2913

Summary	Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments
Publication Date	May 7, 2014, 7:55 p.m.
Registration Date	Jan. 26, 2021, 3:09 p.m.
Last Update	Nov. 21, 2024, 11:07 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:opensuse:opensuse:12.3:::::::*
cpe:2.3:o:opensuse:opensuse:11.4:::::::*
cpe:2.3:a:nagios:remote_plugin_executor::::::::		2.15
cpe:2.3:o:opensuse:opensuse:13.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.html
3	http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html
4	http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html
5	http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
6	http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
7	http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html
8	http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html
9	http://seclists.org/fulldisclosure/2014/Apr/240	Exploit
10	http://seclists.org/fulldisclosure/2014/Apr/240	Exploit
11	http://seclists.org/fulldisclosure/2014/Apr/242	Exploit
12	http://seclists.org/fulldisclosure/2014/Apr/242	Exploit
13	http://seclists.org/oss-sec/2014/q2/154
14	http://seclists.org/oss-sec/2014/q2/154
15	http://seclists.org/oss-sec/2014/q2/155
16	http://seclists.org/oss-sec/2014/q2/155
17	http://www.securityfocus.com/bid/66969
18	http://www.securityfocus.com/bid/66969

Common Vulnerabilities List

JVN Vulnerability Information

Nagios Remote Plugin Executor の nrpe.c における任意のコマンドを実行される脆弱性

Title	Nagios Remote Plugin Executor の nrpe.c における任意のコマンドを実行される脆弱性
Summary	未確定本件は、脆弱性として確定していません。 Nagios Remote Plugin Executor (NRPE) の nrpe.c には、不完全なブラックリストにより、任意のコマンドを実行される脆弱性が存在します。なお、本問題には複数の関係者が異議を唱えています。ベンダは「予想される動作である」として改行を許容している、と報告されています。また、本問題は、管理者がコメント内の「高セキュリティリスク」の警告にも関わらず nrpe.conf で「dont_blame_nrpe」オプションを有効にした場合にのみ発生する可能性があります。補足情報 : CWE による脆弱性タイプは、CWE-184: Incomplete Blacklist (不完全なブラックリスト) と識別されています。 https://cwe.mitre.org/data/definitions/184.html
Possible impacts	リモートの攻撃者により、libexec/check_nrpe の -a オプション内の改行文字を介して、任意のコマンドを実行される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	April 17, 2014, midnight
Registration Date	July 29, 2019, 12:41 p.m.
Last Update	July 29, 2019, 12:41 p.m.

Affected System

Novell

openSUSE

Nagios Enterprises, LLC

Nagios Remote Plug-In Executor 2.15 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-2913	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913
National Vulnerability Database (NVD)
2	CVE-2014-2913	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2913

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	Name	URL
Nagios
1	Top Page	https://www.nagios.org/
opensuse-security-announce
2	SUSE-SU-2014:0682-1	http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html
opensuse-updates
3	openSUSE-SU-2014:0594-1	http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
4	openSUSE-SU-2014:0603-1	http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html

その他

No	Name	URL
関連文書
1	NRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution	https://seclists.org/fulldisclosure/2014/Apr/240

Change Log

No	Changed Details	Date of change
1	[2019年07月29日] 掲載	July 29, 2019, 12:41 p.m.