Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 7.5
CVE Id CVE-2014-2913
Last Modified 05 Jun 2014 12:31:34
Published 07 May 2014 06:55:06
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2014-2913

Summary

** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.

Vulnerable Systems

Operating System

  • Novell Opensuse 11.4

  • Novell Opensuse 12.3

  • Novell Opensuse 13.1

Application

  • Nagios Remote Plugin Executor 2.15


References

MLIST - [oss-security] 20140422 Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution

FULLDISC - 20140418 Re: NRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution

FULLDISC - 20140417 NRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution

SUSE - openSUSE-SU-2014:0603

SUSE - openSUSE-SU-2014:0594

SUSE - SUSE-SU-2014:0682


Last Updated: 27 May 2016 11:05:27