Request contained command arguments
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nagios-nrpe (Debian) | Fix Released | Unknown | |
nagios-nrpe (Ubuntu) | Fix Released | Medium | Eric Desrochers |
Xenial | Fix Released | Medium | Eric Desrochers |
Yakkety | Fix Released | Medium | Eric Desrochers |
Zesty | Fix Released | Medium | Eric Desrochers |
Artful | Fix Released | Medium | Eric Desrochers |
Bug Description
[Impact]
* Debian upstream maintainer decided to compile without "-enable-
Debian disabled the option because there were concerns about security problems and that this feature is often used wrong [0] but there are Ubuntu users out there that know what they're doing and depend on this feature.
* The expectation is for Ubuntu to deviate from Debian upstream decision to accommodate Ubuntu Nagios users.
* Doug's comment explains the situation well:
https:/
[0] - Debian Bug:
https:/
[Test Case]
* This requires a Nagios environment setup (Server and at least 1 client)
* Command example run at server side using "dont_blame_nrpe" set to either 0 (false) or 1 (true) in nrpe.cfg
$ /usr/lib/
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
Server logs:
nrpe[83523]: Connection from y.y.y.y port 43186
nrpe[83523]: Host address is in allowed_hosts
nrpe[83523]: Handling the connection...
==> nrpe[83523]: Error: Request contained command arguments!
==> nrpe[83523]: Client request was invalid, bailing out..
[Regression Potential]
* This update enables the command-args (at compile time) support in nrpe by NOT ignoring option "dont_blame_nrpe=1" IFF set manually.
Note that by default, the option is DISABLED in the configuration file (nrpe.cfg) : "dont_blame_
* For users using the default value "dont_blame_
The option is disabled by default, meaning that it doesn't introduce any security risk for users who don't rely on this feature.
But it doesn't prevent the risk that inexperienced users enable the option without considering all the security risk aspects.
* For users choosing to manually enable this option, the risk is HIGHER, but we assume that before enabling this option the users are considering the PROS and CONS.
* Deviating from Debian upstream for that particular case will unblock experienced Ubuntu users of nrpe (who know what they are doing), allowing them to make the choice for themselves whether to accept the security risks that the feature involves by manually enabling command-args in nrpe.cfg or not.
* Canonical Security team feedback:
https:/
...
If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362:
...
* COMMAND ARGUMENTS
NRPE 2.0 includes the ability for clients to supply arguments to commands which should be run. Please note that this feature should be considered a security risk, and you should only use it if you know what you're doing!
https:/
Note that Artful and Zesty already have the commit mentioned by Tyler:
a/nagios-
z/nagios-
Thus, only Xenial and Yakkety require it.
x/nagios-
y/nagios-
[Other Info]
* CVE-2013-1362 :
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
https:/
[Original Description]
Ubuntu 15.10 (upgraded from 12.04)
Have tried a full purged removal of nagios-nrpe-server and reinstall however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being ignored.
/var/log/syslog reports:
Mar 9 12:33:58 myhost nrpe[17153]: Error: Request contained command arguments!
Mar 9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out...
All checks of this box have stopped working since the upgrade and I would like to get to the bottom of why NRPE is not honoring my request to allow command arguments.
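Added example (not part of the original bug report and not NRPE project code): a small audit that reads an nrpe.cfg, reports whether "dont_blame_nrpe" is enabled and which command definitions expand client-supplied $ARGn$ macros, and correlates the "Request contained command arguments!" syslog error with the connecting peer by PID. The sample config, command names, plugin paths and addresses are constructed; treating a later "dont_blame_nrpe" line as overriding an earlier one is an assumption.

```python
import re
# Constructed sample nrpe.cfg; command names and plugin paths are illustrative.
SAMPLE_CFG = """\
dont_blame_nrpe=1
command[check_users]=/opt/example/plugins/check_users -w 5 -c 10
command[check_disk]=/opt/example/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
"""

# Constructed syslog lines in the format quoted in the bug description.
SAMPLE_LOG = """\
Mar  9 12:33:58 myhost nrpe[17153]: Connection from 192.0.2.10 port 43186
Mar  9 12:33:58 myhost nrpe[17153]: Host address is in allowed_hosts
Mar  9 12:33:58 myhost nrpe[17153]: Error: Request contained command arguments!
Mar  9 12:34:02 myhost nrpe[17160]: Connection from 192.0.2.10 port 43190
"""

def audit_cfg(text):
    """Return (args_enabled, names of commands that expand $ARGn$ macros)."""
    enabled, exposed = False, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "dont_blame_nrpe":
            enabled = value == "1"  # assumption: the last setting in the file wins
        m = re.fullmatch(r"command\[(.+)\]", key)
        if m and re.search(r"\$ARG\d+\$", value):
            exposed.append(m.group(1))  # this command takes client-supplied input
    return enabled, exposed

def rejected_clients(log):
    """Count, per peer address, requests refused for carrying arguments."""
    peer_by_pid, counts = {}, {}
    for line in log.splitlines():
        m = re.search(r"nrpe\[(\d+)\]: (.*)", line)
        if not m:
            continue
        pid, msg = m.groups()
        conn = re.match(r"Connection from (\S+) port \d+", msg)
        if conn:
            peer_by_pid[pid] = conn.group(1)  # remember who this child is serving
        elif msg.startswith("Error: Request contained command arguments!"):
            peer = peer_by_pid.get(pid, "unknown")
            counts[peer] = counts.get(peer, 0) + 1
    return counts

if __name__ == "__main__":
    print(audit_cfg(SAMPLE_CFG), rejected_clients(SAMPLE_LOG))
```

When the first value is true, every command in the returned list accepts input from any host in allowed_hosts, so those are the definitions to review before enabling the option.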
Changed in nagios-nrpe (Debian):
status: Unknown → Fix Released
Changed in nagios-nrpe (Ubuntu):
status: Invalid → New
tags: added: sts
Changed in nagios-nrpe (Ubuntu):
status: New → Won't Fix
status: Won't Fix → New
description: updated
Changed in nagios-nrpe (Ubuntu Xenial):
status: New → Confirmed
Changed in nagios-nrpe (Ubuntu Yakkety):
status: New → Confirmed
Changed in nagios-nrpe (Ubuntu Zesty):
status: New → Confirmed
description: updated
description: updated
Changed in nagios-nrpe (Ubuntu Xenial):
assignee: nobody → Eric Desrochers (slashd)
Changed in nagios-nrpe (Ubuntu Yakkety):
assignee: nobody → Eric Desrochers (slashd)
Changed in nagios-nrpe (Ubuntu Zesty):
assignee: nobody → Eric Desrochers (slashd)
Changed in nagios-nrpe (Ubuntu Artful):
assignee: nobody → Eric Desrochers (slashd)
importance: Undecided → Wishlist
importance: Wishlist → Low
Changed in nagios-nrpe (Ubuntu Zesty):
importance: Undecided → Low
Changed in nagios-nrpe (Ubuntu Yakkety):
importance: Undecided → Low
Changed in nagios-nrpe (Ubuntu Xenial):
importance: Undecided → Low
tags: added: sts-sru
description: updated
Changed in nagios-nrpe (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in nagios-nrpe (Ubuntu Yakkety):
status: Confirmed → In Progress
Changed in nagios-nrpe (Ubuntu Zesty):
status: Confirmed → In Progress
Changed in nagios-nrpe (Ubuntu Artful):
status: Confirmed → In Progress
description: updated
description: updated
description: updated
description: updated
Changed in nagios-nrpe (Ubuntu Artful):
importance: Low → Medium
Changed in nagios-nrpe (Ubuntu Zesty):
importance: Low → Medium
Changed in nagios-nrpe (Ubuntu Yakkety):
importance: Low → Medium
Changed in nagios-nrpe (Ubuntu Xenial):
importance: Low → Medium
description: updated
tags: added: verification-done-zesty removed: verification-needed
Changed in nagios-nrpe (Ubuntu Xenial):
status: Fix Released → Fix Committed
I have the same problem, seems that Debian removed the setting dont_blame_nrpe=1
http://metadata.ftp-master.debian.org/changelogs/main/n/nagios-nrpe/nagios-nrpe_2.15-1_changelog
[eec54b6] Adjust README.Debian for the removal or argument processing
Running Ubuntu 16.04 LTS
nagios-nrpe-plugin 2.15-0ubuntu1 amd64 Nagios Remote Plugin Executor Plugin
nagios-nrpe-server 2.15-1ubuntu1 amd64 Nagios Remote Plugin Executor Server