This bug was fixed in the package nagios-nrpe - 2.15-1ubuntu1.1
---------------
nagios-nrpe (2.15-1ubuntu1.1) xenial; urgency=medium
* debian/rules : Add "--enable-command-args". (LP: #1555258)
This update enables the command-args support in nrpe
by not ignoring option "dont_blame_nrpe=1". By default,
the option is set as follow : "dont_blame_nrpe=0", which
has the same effect of having the command-args support
disabled at compile time like Debian does. Ubuntu has decided
to deviate from Debian upstream for that particular case to
allow/unblock the Ubuntu users of nrpe to make the choice for
themselves whether to accept the security risks that the feature
involve by manually enabling command-args in nrpe.cfg or not.
For more details as of why Debian has decided to disable the
feature can be found in debian/NEWS. (closes: #756479)
* [5bf9b20] Add 10_remote_execution_exploit_fix.dpatch patch (LP: #1555258)
As requested by the security team.
-- Eric Desrochers <eric.desroch...@canonical.com> Tue, 02 May 2017
14:21:47 -0400
** Changed in: nagios-nrpe (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** Changed in: nagios-nrpe (Ubuntu Yakkety)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1555258
Title:
Request contained command arguments
Status in nagios-nrpe package in Ubuntu:
Fix Released
Status in nagios-nrpe source package in Xenial:
Fix Released
Status in nagios-nrpe source package in Yakkety:
Fix Released
Status in nagios-nrpe source package in Zesty:
Fix Released
Status in nagios-nrpe source package in Artful:
Fix Released
Status in nagios-nrpe package in Debian:
Fix Released
Bug description:
[Impact]
* Debian upstream maintainer decided to compile without
"-enable-command-args" as describe in debian/NEWS file. This decision have the
effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by
not allowing command argument in the deamon.
Debian disabled the option because there were concerns about security
problems and that this feature is often used wrong [0] but there are Ubuntu
users out there that know what they're doing and depend on this feature.
* The expectation is for Ubuntu to deviate from Debian upstream
decision to accommodate Ubuntu Nagios users.
* Doug's comment explain well the situation :
https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/comments/6
[0] - Debian Bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479
[Test Case]
* This require a Nagios environment setup (Server and at least 1
client)
* Command example run at server side using "dont_blame_nrpe" set to either 0
(false) or 1 (true) in nrpe.cfg
$ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a
rsyslogd 1 0
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for
error messages.
Server logs:
nrpe[83523]: Connection from y.y.y.y port 43186
nrpe[83523]: Host address is in allowed_hosts
nrpe[83523]: Handling the connection...
==> nrpe[83523]: Error: Request contained command arguments!
==> nrpe[83523]: Client request was invalid, bailing out..
[Regression Potential]
* This update enables the command-args (at compile time) support in nrpe by
NOT ignoring option "dont_blame_nrpe=1" IFF set manually.
Note that by default, the option is DISABLE in the configuration file
(nrpe.cfg) : "dont_blame_nrpe=0".
* For users using the default value "dont_blame_nrpe=0", so no behavioural
change. With regard to the risk, I would say it is LOW.
The option is disable by default meaning that it doesn't introduce any
security risk for users that doesn't rely on this feature.
But it doesn't prevent the risk that non-experimented users enable the
option without considering all the security risk aspects.
* For users choosing to manually enable this option, the risk is
HIGHER, but we assume that before enabling this option the users are
considering the PROS and CONS.
* Deviating from Debian upstream for that particular case will allow to
unblock experimented Ubuntu users (who know what they are doing) of nrpe to
make the choice for themselves whether to
accept the security risks that the feature involve by manually enabling
command-args in nrpe.cfg or not.
* Canonical Security team feedbacks :
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9
...
If this feature is enabled in an SRU, the upload must include the fix for
CVE-2013-1362:
...
* COMMAND ARGUMENTS
NRPE 2.0 includes the ability for clients to supply arguments to commands
which should be run. Please note that this feature should be considered a
security risk, and you should only use it if you know what you're doing!
https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments
Note that Artful and Zesty already has the commit mentioned by Tyler :
a/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS
"|`&><'\\[]{};\r\n"
z/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS
"|`&><'\\[]{};\r\n"
Thus, only Xenial and Yakkety requires it.
x/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS
"|`&><'\"\\[]{};"
y/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS
"|`&><'\"\\[]{};"
[Other Info]
* CVE-2013-1362 :
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In
Executor (NRPE) before 2.14 might allow remote attackers to execute
arbitrary shell commands via "$()" shell metacharacters, which are
processed by bash.
https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1
[Original Description]
Ubuntu 15.10 (upgraded from 12.04)
Have tried a full purged removal of nagios-nrpe-server and reinstall
however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being
ignored.
/var/log/syslog reports:
Mar 9 12:33:58 myhost nrpe[17153]: Error: Request contained command
arguments!
Mar 9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out...
All checks of this box have stopped working since the upgrade and I
would like to get to the bottom of why NRPE is not honoring my request
to allow command arguments.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
