Vulnerability Description
Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nagios | Remote Plugin Executor | <= 2.15 |
| Opensuse | Opensuse | 11.4 |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.
- http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html
- http://seclists.org/fulldisclosure/2014/Apr/240Exploit
- http://seclists.org/fulldisclosure/2014/Apr/242Exploit
- http://seclists.org/oss-sec/2014/q2/154
- http://seclists.org/oss-sec/2014/q2/155
- http://www.securityfocus.com/bid/66969
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.
- http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html
- http://seclists.org/fulldisclosure/2014/Apr/240Exploit
- http://seclists.org/fulldisclosure/2014/Apr/242Exploit
FAQ
What is CVE-2014-2913?
CVE-2014-2913 is a vulnerability with a CVSS score of 7.5 (HIGH). Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to ...
How severe is CVE-2014-2913?
CVE-2014-2913 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-2913?
Check the references section above for vendor advisories and patch information. Affected products include: Nagios Remote Plugin Executor, Opensuse Opensuse.