Vulnerability Name: CVE-2014-2913

Assigned:2014-04-18
Published:2014-05-07
Updated:2016-12-21
Summary:** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.
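The mechanism behind the summary, as an added example (this is not NRPE's code and is not taken from the advisory): with dont_blame_nrpe=1 the daemon substitutes client-supplied -a values into the $ARGn$ placeholders of a configured command and hands the assembled line to a shell. NRPE filters the arguments against a blacklist of shell metacharacters; the point of the report is that a newline is not on that list, so a value such as "5\necho INJECTED" passes the filter and the shell runs the text after the newline as a second command. The blacklist string below is a reconstruction in the style of NRPE's list, not a verbatim copy, and the command template uses echo instead of a real plugin path so the example runs anywhere; both are assumptions, as is the hardened filter, which is one reasonable fix rather than the project's.

```python
"""Added example (not NRPE's own code): how $ARGn$ substitution plus a
shell-metacharacter blacklist that omits newline lets a second command in."""
import subprocess

# Assumed reconstruction in the style of NRPE's nasty-metacharacter blacklist,
# not copied from nrpe.c. What matters is what is absent: '\n' and '\r'.
BLACKLIST = "|`&><'\"\\[]{};"

# Stand-in for an nrpe.cfg command definition of the form
#   command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
# using echo so the example runs offline (assumed template, not from the page).
COMMAND_TEMPLATE = "echo check_users -w $ARG1$ -c $ARG2$"


def blacklist_rejects(arg: str) -> bool:
    """The weak filter: flag only the listed shell metacharacters."""
    return any(c in BLACKLIST for c in arg)


def hardened_rejects(arg: str) -> bool:
    """Blacklist plus every ASCII control character (0x00-0x1f and 0x7f),
    which covers CR and LF. A strict allowlist would be tighter still."""
    return blacklist_rejects(arg) or any(ord(c) < 0x20 or ord(c) == 0x7F for c in arg)


def build_command_line(template: str, args, rejects) -> str:
    """Substitute $ARG1$, $ARG2$, ... the way dont_blame_nrpe=1 permits.
    Raises ValueError when the supplied filter rejects an argument."""
    cmd = template
    for i, arg in enumerate(args, start=1):
        if rejects(arg):
            raise ValueError(f"argument {i} contains forbidden characters: {arg!r}")
        cmd = cmd.replace(f"$ARG{i}$", arg)
    return cmd


def run_via_shell(cmdline: str) -> list:
    """The assembled line goes through the shell, as with popen(); the shell
    treats a newline as a command separator."""
    out = subprocess.run(["/bin/sh", "-c", cmdline], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def demo(args, rejects):
    """Lines the shell produced, or None if the filter rejected an argument."""
    try:
        cmdline = build_command_line(COMMAND_TEMPLATE, args, rejects)
    except ValueError:
        return None
    return run_via_shell(cmdline)


if __name__ == "__main__":
    benign = ["5", "10"]
    # Constructed attack value: smuggles a second command after a newline,
    # which is what a newline inside check_nrpe's -a value delivers.
    attack = ["5\necho INJECTED", "10"]
    print(demo(benign, blacklist_rejects))   # ['check_users -w 5 -c 10']
    print(demo(attack, blacklist_rejects))   # ['check_users -w 5', 'INJECTED -c 10']
    print(demo(attack, hardened_rejects))    # None: rejected before reaching the shell
```

The practical check on a host is the one the summary points at: the issue only applies when nrpe.cfg sets dont_blame_nrpe=1 and at least one command[...] definition contains an $ARGn$ placeholder. Where the file lives varies by distribution, so the path is an assumption, but something like grep -E '^dont_blame_nrpe=1|\$ARG[0-9]+\$' /etc/nagios/nrpe.cfg tells you quickly whether argument passing is on at all; with it off, the -a values are ignored and the newline has nothing to reach.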
CVSS v3 Severity: 7.3 High (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): Low
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial
References:
  FEDORA: http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.html
  SUSE: http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html
  SUSE: http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
  SUSE: http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html
  FULLDISC: 20140417 NRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution
  FULLDISC: 20140418 Re: NRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution
  MLIST (oss-sec): http://seclists.org/oss-sec/2014/q2/154
  MLIST (oss-sec): http://seclists.org/oss-sec/2014/q2/155
  BID: 66969

Vulnerable Configuration: Configuration 1:
  • cpe:/o:novell:opensuse:11.4:*:*:*:*:*:*:*
  • OR cpe:/o:novell:opensuse:12.3:*:*:*:*:*:*:*
  • OR cpe:/o:novell:opensuse:13.1:*:*:*:*:*:*:*
  • OR cpe:/a:nagios:remote_plugin_executor:2.15:*:*:*:*:*:*:*

  • Denotes that component is vulnerable
    OVAL Definitions (Class: V = vulnerability definition, P = patch definition)
    Definition ID                              | Class | Title                                                                                                                                      | Last Modified
    oval:org.opensuse.security:def:20142913    | V     | CVE-2014-2913                                                                                                                              | 2017-09-24
    oval:org.mitre.oval:def:25346              | P     | SUSE-SU-2014:0682-1 -- Security update for nagios-nrpe, nagios-nrpe-debuginfo, nagios-nrpe-debugsource, nagios-nrpe-doc, nagios-plugins-nrpe | 2014-09-08
    oval:com.ubuntu.precise:def:20142913000    | V     | CVE-2014-2913 on Ubuntu 12.04 LTS (precise) - low.                                                                                         | 2014-05-07
    oval:com.ubuntu.trusty:def:20142913000     | V     | CVE-2014-2913 on Ubuntu 14.04 LTS (trusty) - low.                                                                                          | 2014-05-07
    oval:com.ubuntu.xenial:def:20142913000     | V     | CVE-2014-2913 on Ubuntu 16.04 LTS (xenial) - low.                                                                                          | 2014-05-07