On 30.04.2014 20:15, Alexander Wirt wrote:
On Wed, 30 Apr 2014, Jan Lühr wrote:
Hello,
there some reports, that these issue is exploited by a bonnet.
Please consider pushing security updates.
As said this is considered a feature by upstream. And to be honest, people
that are so stupid to allow dont_blame_nrpe + allowed_hosts=0.0.0.0/0
deserved a heise news entry.
I won't have time in the next days to write a patch for this. And if I would
do such a patch it will remove dont_blame_nrpe at all for all time.
So if you are interested in getting this nonsense working, feel free to
provide a patch.
Try the ones attached - it essentially breaks existing modified
configurations having that option set and will refuse to start the
daemon if not removed.
Therefore a changelog entry on upgrade would be reasonable imho.
Seems that nagios upstream will never provide a fix as they consider
nrpe "secure" and security holes as "feature"... (if you find the
sarcasm, it's free and does not require a do-it-yourself-license)
0001-Reject-dont_blame_nrpe-for-NRPE-daemon-CVE-2014-2913.patch - simply
disables dont_blame_nrpe and bails out if the option remains set in nrpe.cfg
or
0001-Wipe-dont_blame_nrpe-and-allow_bash_command_substitu.patch -
entirely remove all related CVE affected code. Did not change configure,
too many changes between the ancient autoconf 2.59 and 2.69 in testing.
--enable-command-args is therefore useless, but since it's binary
packages it doesn't hurt much for debian users here.
hth
Michael
--
DI (FH) Michael Friedrich
[email protected] || icinga open source monitoring
https://twitter.com/dnsmichi || lead core developer
[email protected] || https://www.icinga.org/team
irc.freenode.net/icinga || dnsmichi
>From adbc73fdbc3ac17b891aff476393d2f0dc4118ff Mon Sep 17 00:00:00 2001
From: Michael Friedrich <[email protected]>
Date: Wed, 30 Apr 2014 23:07:55 +0200
Subject: [PATCH] Wipe 'dont_blame_nrpe' and 'allow_bash_command_substitution'
for NRPE daemon - CVE-2014-2913
This breaks existing configurations having these option enabled.
Therefore the user shall get a changelog to read and notice.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745272
---
sample-config/nrpe.cfg.in | 34 ------------------
src/nrpe.c | 90 +++++------------------------------------------
2 files changed, 8 insertions(+), 116 deletions(-)
diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in
index da6a280..53dc183 100644
--- a/sample-config/nrpe.cfg.in
+++ b/sample-config/nrpe.cfg.in
@@ -82,40 +82,6 @@ allowed_hosts=127.0.0.1
-# COMMAND ARGUMENT PROCESSING
-# This option determines whether or not the NRPE daemon will allow clients
-# to specify arguments to commands that are executed. This option only works
-# if the daemon was configured with the --enable-command-args configure script
-# option.
-#
-# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
-# Read the SECURITY file for information on some of the security implications
-# of enabling this variable.
-#
-# Values: 0=do not allow arguments, 1=allow command arguments
-
-dont_blame_nrpe=0
-
-
-
-# BASH COMMAND SUBTITUTION
-# This option determines whether or not the NRPE daemon will allow clients
-# to specify arguments that contain bash command substitutions of the form
-# $(...). This option only works if the daemon was configured with both
-# the --enable-command-args and --enable-bash-command-substitution configure
-# script options.
-#
-# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! ***
-# Read the SECURITY file for information on some of the security implications
-# of enabling this variable.
-#
-# Values: 0=do not allow bash command substitutions,
-# 1=allow bash command substitutions
-
-allow_bash_command_substitution=0
-
-
-
# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
diff --git a/src/nrpe.c b/src/nrpe.c
index 381f0ac..47b4f79 100644
--- a/src/nrpe.c
+++ b/src/nrpe.c
@@ -84,9 +84,6 @@ char *allowed_hosts=NULL;
char *pid_file=NULL;
int wrote_pid_file=FALSE;
-int allow_arguments=FALSE;
-int allow_bash_command_substitution=FALSE;
-
int allow_weak_random_seed=FALSE;
int sigrestart=FALSE;
@@ -138,13 +135,6 @@ int main(int argc, char **argv){
printf("TCP Wrappers Available\n");
#endif
printf("\n");
-#ifdef ENABLE_COMMAND_ARGUMENTS
- printf("***************************************************************\n");
- printf("** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **\n");
- printf("** Read the NRPE SECURITY file for more information **\n");
- printf("***************************************************************\n");
- printf("\n");
-#endif
#ifndef HAVE_LIBWRAP
printf("***************************************************************\n");
printf("** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE! **\n");
@@ -570,11 +560,15 @@ int read_config_file(char *filename){
else if(!strcmp(varname,"nrpe_group"))
nrpe_group=strdup(varvalue);
- else if(!strcmp(varname,"dont_blame_nrpe"))
- allow_arguments=(atoi(varvalue)==1)?TRUE:FALSE;
+ else if(!strcmp(varname,"dont_blame_nrpe")) {
+ syslog(LOG_ERR,"Error: Option removed. For details check https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745272");
+ return ERROR;
+ }
- else if(!strcmp(varname,"allow_bash_command_substitution"))
- allow_bash_command_substitution=(atoi(varvalue)==1)?TRUE:FALSE;
+ else if(!strcmp(varname,"allow_bash_command_substitution")) {
+ syslog(LOG_ERR,"Error: Option removed. For details check https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745272");
+ return ERROR;
+ }
else if(!strcmp(varname,"command_timeout")){
command_timeout=atoi(varvalue);
@@ -907,20 +901,6 @@ void wait_for_connections(void){
exit(1);
}
- /* log warning about command arguments */
-#ifdef ENABLE_COMMAND_ARGUMENTS
- if(allow_arguments==TRUE)
- syslog(LOG_NOTICE,"Warning: Daemon is configured to accept command arguments from clients!");
-#ifdef ENABLE_BASH_COMMAND_SUBSTITUTION
- if(TRUE==allow_bash_command_substitution) {
- if(TRUE==allow_arguments)
- syslog(LOG_NOTICE,"Warning: Daemon is configured to accept command arguments with bash command substitutions!");
- else
- syslog(LOG_NOTICE,"Warning: Daemon is configured to accept command arguments with bash command substitutions, but is not configured to accept command argements from clients. Enable command arguments if you wish to allow command arguments with bash command substitutions.");
- }
-#endif
-#endif
-
syslog(LOG_INFO,"Listening for connections on port %d\n",htons(myname.sin_port));
if(allowed_hosts)
@@ -1892,10 +1872,6 @@ int validate_request(packet *pkt){
u_int32_t packet_crc32;
u_int32_t calculated_crc32;
char *ptr;
-#ifdef ENABLE_COMMAND_ARGUMENTS
- int x;
-#endif
-
/***** DECRYPT REQUEST ******/
@@ -1930,63 +1906,13 @@ int validate_request(packet *pkt){
return ERROR;
}
- /* make sure the request doesn't contain arguments */
- if(strchr(pkt->buffer,'!')){
-#ifdef ENABLE_COMMAND_ARGUMENTS
- if(allow_arguments==FALSE){
- syslog(LOG_ERR,"Error: Request contained command arguments, but argument option is not enabled!");
- return ERROR;
- }
-#else
- syslog(LOG_ERR,"Error: Request contained command arguments!");
- return ERROR;
-#endif
- }
-
- /* get command name */
-#ifdef ENABLE_COMMAND_ARGUMENTS
- ptr=strtok(pkt->buffer,"!");
-#else
ptr=pkt->buffer;
-#endif
command_name=strdup(ptr);
if(command_name==NULL){
syslog(LOG_ERR,"Error: Memory allocation failed");
return ERROR;
}
-#ifdef ENABLE_COMMAND_ARGUMENTS
- /* get command arguments */
- if(allow_arguments==TRUE){
-
- for(x=0;x<MAX_COMMAND_ARGUMENTS;x++){
- ptr=strtok(NULL,"!");
- if(ptr==NULL)
- break;
- macro_argv[x]=strdup(ptr);
- if(macro_argv[x]==NULL){
- syslog(LOG_ERR,"Error: Memory allocation failed");
- return ERROR;
- }
- if(!strcmp(macro_argv[x],"")){
- syslog(LOG_ERR,"Error: Request contained an empty command argument");
- return ERROR;
- }
- if(strstr(macro_argv[x],"$(")) {
-#ifndef ENABLE_BASH_COMMAND_SUBSTITUTION
- syslog(LOG_ERR,"Error: Request contained a bash command substitution!");
- return ERROR;
-#else
- if(FALSE==allow_bash_command_substitution) {
- syslog(LOG_ERR,"Error: Request contained a bash command substitution, but they are disallowed!");
- return ERROR;
- }
-#endif
- }
- }
- }
-#endif
-
return OK;
}
--
1.9.2
>From d7d046638c0db30c605097307ad35b7339e97c9a Mon Sep 17 00:00:00 2001
From: Michael Friedrich <[email protected]>
Date: Wed, 30 Apr 2014 23:07:55 +0200
Subject: [PATCH] Reject 'dont_blame_nrpe' for NRPE daemon - CVE-2014-2913
This breaks existing configurations having this option enabled. Therefore the user shall get a changelog
to read and notice.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745272
---
sample-config/nrpe.cfg.in | 16 ----------------
src/nrpe.c | 6 ++++--
2 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in
index da6a280..5477edc 100644
--- a/sample-config/nrpe.cfg.in
+++ b/sample-config/nrpe.cfg.in
@@ -82,22 +82,6 @@ allowed_hosts=127.0.0.1
-# COMMAND ARGUMENT PROCESSING
-# This option determines whether or not the NRPE daemon will allow clients
-# to specify arguments to commands that are executed. This option only works
-# if the daemon was configured with the --enable-command-args configure script
-# option.
-#
-# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
-# Read the SECURITY file for information on some of the security implications
-# of enabling this variable.
-#
-# Values: 0=do not allow arguments, 1=allow command arguments
-
-dont_blame_nrpe=0
-
-
-
# BASH COMMAND SUBTITUTION
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments that contain bash command substitutions of the form
diff --git a/src/nrpe.c b/src/nrpe.c
index 381f0ac..21c40a8 100644
--- a/src/nrpe.c
+++ b/src/nrpe.c
@@ -570,8 +570,10 @@ int read_config_file(char *filename){
else if(!strcmp(varname,"nrpe_group"))
nrpe_group=strdup(varvalue);
- else if(!strcmp(varname,"dont_blame_nrpe"))
- allow_arguments=(atoi(varvalue)==1)?TRUE:FALSE;
+ else if(!strcmp(varname,"dont_blame_nrpe")) {
+ syslog(LOG_ERR,"Error: Option removed. For details check https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745272");
+ return ERROR;
+ }
else if(!strcmp(varname,"allow_bash_command_substitution"))
allow_bash_command_substitution=(atoi(varvalue)==1)?TRUE:FALSE;
--
1.9.2