Nagios NRPE Security Vulnerability

Last week, we found out about a serious vulnerability in the Nagios NRPE software - used by the Opsview Agent - which allows anyone who can connect to a monitored host to run arbitrary commands. This was first disclosed at http://seclists.org/fulldisclosure/2014/Apr/240

If your NRPE configuration has settings such as:

command[check_procs]=/usr/local/nagios/libexec/check_procs $ARG1$


And if you run:

check_nrpe -H localhost -c check_procs -a "`/bin/echo -e \"\n \"`touch /tmp/newfile"


Then /tmp/newfile will be created. Any command can be substituted here. This works because if the argument field contains a line feed, the shell runs the characters after it as a separate command.

The fix is very simple - do not allow line feeds in the argument field. We add the newline character to the list of NASTY_METACHARS in src/nrpe.c:

#define NASTY_METACHARS         "|`&><'\"\\[]{};\n"
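The following is an added example, not code from the NRPE project or from Opsview: a filter modelled on the daemon's metacharacter check, which rejects any client-supplied argument containing a character from NASTY_METACHARS. The two lists are the one shipped before the fix and the one with the newline added; the sample arguments are constructed for this example, and the function names are our own.

```c
/* Added example (not the NRPE project's code): a metacharacter filter
 * modelled on NRPE's argument check. Any argument that contains a character
 * from the NASTY_METACHARS list is rejected before the command is built. */
#include <stdio.h>
#include <string.h>

/* list as shipped before the fix (no newline) */
#define NASTY_METACHARS_OLD   "|`&><'\"\\[]{};"
/* list with the fix from the post: a line feed is now rejected too */
#define NASTY_METACHARS_FIXED "|`&><'\"\\[]{};\n"

/* Returns 1 if `arg` contains any character from `metachars`, else 0.
 * strpbrk() scans `arg` for the first character that is in the set. */
int contains_nasty_metachars(const char *arg, const char *metachars)
{
    if (arg == NULL)
        return 0;
    return strpbrk(arg, metachars) != NULL;
}

/* Convenience wrappers for the two lists (hypothetical names). */
int rejected_by_old_filter(const char *arg)
{
    return contains_nasty_metachars(arg, NASTY_METACHARS_OLD);
}

int rejected_by_fixed_filter(const char *arg)
{
    return contains_nasty_metachars(arg, NASTY_METACHARS_FIXED);
}

int main(void)
{
    /* constructed sample arguments */
    const char *samples[] = {
        "-w 1 -c 5",       /* normal threshold argument: accepted by both */
        "-w 1 -c 5; id",   /* ';' is caught by both lists */
        "-w 1\n-c 5",      /* embedded line feed: only the fixed list catches it */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("arg %zu: old filter %s, fixed filter %s\n", i,
               rejected_by_old_filter(samples[i]) ? "rejects" : "accepts",
               rejected_by_fixed_filter(samples[i]) ? "rejects" : "accepts");
    }
    return 0;
}
```

The third sample is the case the post describes: the old list lets a line feed through, the fixed list rejects it, and the daemon then returns no output to the client (the "Received 0 bytes from daemon" result shown below).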


With this new code, executing the above will now result in:

CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for error messages.


All our Opsview Agent packages have been updated to fix this issue. Upgrade immediately via our usual repositories or from our agents download.

Opsview is designed to allow centralised management of monitoring for remote hosts, so we allow command arguments to be supplied, making it easy for our users to configure thresholds and parameters through our user interface.

Surprisingly, this has not been fixed upstream in the core project. The mail thread (http://seclists.org/oss-sec/2014/q2/155) suggests that the proposed solution is instead to quote the argument in the NRPE configuration:

command[check_procs]=/usr/local/nagios/libexec/check_procs "$ARG1$"


However, this defeats the purpose of allowing arguments, as you can no longer pass separate arguments.

With $ARG1$:

$ check_nrpe -H localhost -c check_procs -a "-w 1 -c 5"

PROCS WARNING: 79 processes


With "$ARG1$":

$ check_nrpe -H localhost -c check_procs -a "-w 1 -c 5"

PROCS OK: 80 processes


The behaviour differs because the arguments are no longer interpreted separately: the quoted $ARG1$ reaches the plugin as a single value, which it cannot handle correctly.
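The following is an added example, not code from the NRPE project or from Opsview, showing why quoting $ARG1$ changes what the plugin receives. The daemon substitutes the client argument into the command template and hands the result to a shell, which splits it into argv. split_words() is a deliberately minimal stand-in for that shell splitting (whitespace separates words, a double-quoted run is one word, no escape handling); substitute_arg1, plugin_argc and plugin_arg1_len are our own names. The two templates and the "-w 1 -c 5" argument are the ones from the post.

```c
/* Added example (not NRPE's code): how the unquoted and quoted command
 * templates split into argv once the client argument is substituted. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap copy of a string (avoids relying on the POSIX strdup). */
static char *copy_str(const char *s)
{
    char *out = malloc(strlen(s) + 1);
    if (out != NULL)
        strcpy(out, s);
    return out;
}

/* Replace the first "$ARG1$" in `tmpl` with `arg`; result is malloc'd. */
char *substitute_arg1(const char *tmpl, const char *arg)
{
    const char *marker = "$ARG1$";
    const char *at = strstr(tmpl, marker);
    if (at == NULL)
        return copy_str(tmpl);
    size_t prefix = (size_t)(at - tmpl);
    char *out = malloc(strlen(tmpl) - strlen(marker) + strlen(arg) + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, tmpl, prefix);
    strcpy(out + prefix, arg);
    strcat(out, at + strlen(marker));
    return out;
}

/* Minimal shell-like split: unquoted whitespace separates words, a
 * double-quoted run is one word. Returns the count; words are malloc'd. */
int split_words(const char *line, char *words[], int max_words)
{
    int n = 0;
    const char *p = line;
    while (*p != '\0' && n < max_words) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;
        char buf[256];
        size_t len = 0;
        int in_quote = 0;
        while (*p != '\0' && (in_quote || (*p != ' ' && *p != '\t'))) {
            if (*p == '"')
                in_quote = !in_quote;   /* quotes group and are dropped */
            else if (len + 1 < sizeof buf)
                buf[len++] = *p;
            p++;
        }
        buf[len] = '\0';
        words[n++] = copy_str(buf);
    }
    return n;
}

/* argv length the plugin would see; *arg1_len gets strlen(argv[1]) or -1. */
static int inspect(const char *tmpl, const char *arg, int *arg1_len)
{
    char *cmdline = substitute_arg1(tmpl, arg);
    char *words[32];
    if (cmdline == NULL) {
        *arg1_len = -1;
        return 0;
    }
    int n = split_words(cmdline, words, 32);
    *arg1_len = n > 1 ? (int)strlen(words[1]) : -1;
    for (int i = 0; i < n; i++)
        free(words[i]);
    free(cmdline);
    return n;
}

int plugin_argc(const char *tmpl, const char *arg)
{
    int unused;
    return inspect(tmpl, arg, &unused);
}

int plugin_arg1_len(const char *tmpl, const char *arg)
{
    int len;
    inspect(tmpl, arg, &len);
    return len;
}

int main(void)
{
    const char *unquoted = "/usr/local/nagios/libexec/check_procs $ARG1$";
    const char *quoted   = "/usr/local/nagios/libexec/check_procs \"$ARG1$\"";
    const char *arg = "-w 1 -c 5";
    printf("unquoted: argc=%d, argv[1] is %d chars\n",
           plugin_argc(unquoted, arg), plugin_arg1_len(unquoted, arg));
    printf("quoted:   argc=%d, argv[1] is %d chars\n",
           plugin_argc(quoted, arg), plugin_arg1_len(quoted, arg));
    return 0;
}
```

With the unquoted template check_procs receives five argv entries and argv[1] is "-w", so the thresholds apply; with the quoted template it receives two entries and argv[1] is the whole string "-w 1 -c 5", which is not a valid option, so the plugin falls back to its defaults and reports OK.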

For additional security, we recommend you set allowed_hosts in nrpe.cfg (http://docs.opsview.com/doku.php?id=opsview4.5:designing-system#agents) and set up iptables or configure firewalls to restrict the IP addresses allowed to connect to the agent.

There is always a trade off of convenience versus security. The convenience of having centralised configuration means we take a possible security risk, but we will always ensure that any known exposures will be closed as soon as possible.

by Opsview Team, Administrator