Vulnerability CVE-2013-1362

Vulnerability Name:

CVE-2013-1362 (CCN-82425)

Assigned:

2013-02-22

Published:

2013-02-22

Updated:

2018-10-30

Summary:

Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.2 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2013-1362

Source: CCN
Type: Nagios Web site
Nagios Exchange - NRPE - Nagios Remote Plugin Executor

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:0621

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:0624

Source: BUGTRAQ
Type: UNKNOWN
20130221 OSEC-2013-01: nagios metacharacter filtering omission

Source: EXPLOIT-DB
Type: UNKNOWN
24955

Source: MISC
Type: UNKNOWN
http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability

Source: CCN
Type: BID-58142
NRPE 'nrpc.c' Arbitrary Command Execution Vulnerability

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.novell.com/show_bug.cgi?id=807241

Source: XF
Type: UNKNOWN
nagiosnrpe-nrpc-command-execution(82425)

Source: CCN
Type: Packet Storm Security [02-23-2013]
Nagios NRPE 2.13 Code Execution

Source: CCN
Type: Packet Storm Security [04-12-2013]
Nagios Remote Plugin Executor Arbitrary Command Execution

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [04-12-2013]

Vulnerable Configuration:

Configuration 1:

cpe:/o:opensuse:opensuse:11.4:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:12.1:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:12.2:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:nagios:remote_plug_in_executor:1.3:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:1.4:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:1.5:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:1.6:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:1.7:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:1.8:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:1.9:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.0:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.0b1:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.0b2:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.0b3:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.0b4:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.0b5:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.3:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.4:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.5:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.6:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.7:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.7.1:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.8:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.8.1:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.8b1:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.9:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.10:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.11:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:2.12:*:*:*:*:*:*:*

OR cpe:/a:nagios:remote_plug_in_executor:*:*:*:*:*:*:*:* (Version <= 2.13)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20131362	V	CVE-2013-1362	2022-05-20
oval:org.opensuse.security:def:33117	P	Security update for openexr (Important)	2022-01-12
oval:org.opensuse.security:def:33116	P	Security update for libvirt (Important)	2022-01-10
oval:org.opensuse.security:def:26223	P	Security update for net-snmp (Important)	2022-01-05
oval:org.opensuse.security:def:29461	P	Security update for xorg-x11-server (Important)	2021-12-14
oval:org.opensuse.security:def:31715	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:31714	P	Security update for webkit2gtk3 (Important)	2021-12-01
oval:org.opensuse.security:def:34590	P	Security update for MozillaFirefox (Important)	2021-11-17
oval:org.opensuse.security:def:33739	P	Security update for MozillaFirefox (Important)	2021-11-17
oval:org.opensuse.security:def:26139	P	Security update for libvirt (Moderate)	2021-10-04
oval:org.opensuse.security:def:33952	P	Security update for libsndfile (Critical)	2021-08-05
oval:org.opensuse.security:def:29404	P	Security update for libsndfile (Critical)	2021-08-05
oval:org.opensuse.security:def:26082	P	Security update for openexr (Important)	2021-06-24
oval:org.opensuse.security:def:42655	P	nagios-nrpe-2.12-24.4.10.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:36248	P	nagios-nrpe-2.12-24.4.10.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:33908	P	Security update for graphviz (Critical)	2021-05-19
oval:org.opensuse.security:def:32081	P	Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)	2021-04-28
oval:org.opensuse.security:def:34630	P	Security update for java-1_7_1-ibm (Important)	2021-02-18
oval:org.opensuse.security:def:31726	P	Security update for the Linux Kernel (Important)	2021-02-12
oval:org.opensuse.security:def:32168	P	Security update for openvswitch (Important)	2021-02-02
oval:org.opensuse.security:def:33884	P	Security update for xen (Moderate)	2020-12-22
oval:org.opensuse.security:def:33207	P	mozilla-nspr-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25809	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:26476	P	Security update for nextcloud (Moderate)	2020-12-01
oval:org.opensuse.security:def:29106	P	Security update for java-1_6_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:29699	P	Security update for fetchmail (Moderate)	2020-12-01
oval:org.opensuse.security:def:33172	P	libpng12-0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33342	P	Security update for openldap2 (Important)	2020-12-01
oval:org.opensuse.security:def:25873	P	Security update for libcares2 (Low)	2020-12-01
oval:org.opensuse.security:def:26515	P	MozillaFirefox on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29107	P	Security update for java-1_6_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:29753	P	Security update for ghostscript-library (Moderate)	2020-12-01
oval:org.opensuse.security:def:33211	P	nagios-nrpe on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33437	P	Security update for dhcp-client	2020-12-01
oval:org.opensuse.security:def:26001	P	Security update for openexr (Moderate)	2020-12-01
oval:org.opensuse.security:def:26529	P	cifs-mount on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29118	P	Security update for java-1_7_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:29802	P	Security update for inn	2020-12-01
oval:org.opensuse.security:def:32324	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:33494	P	Security update for libvirt	2020-12-01
oval:org.opensuse.security:def:26573	P	kernel-default on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29187	P	Security update for mysql (Important)	2020-12-01
oval:org.opensuse.security:def:29841	P	Security update for Linux kernel	2020-12-01
oval:org.opensuse.security:def:32380	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:33582	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:27211	P	libpython2_6-1_0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29318	P	Security update for compat-openssl097g	2020-12-01
oval:org.opensuse.security:def:29859	P	Security update for Linux kernel	2020-12-01
oval:org.opensuse.security:def:32429	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:27246	P	nagios-nrpe on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29903	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:31800	P	Security update for SuSEfirewall2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32468	P	Security update for xorg-x11-libs (Moderate)	2020-12-01
oval:org.opensuse.security:def:33796	P	Security update for gcc43 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25797	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:26374	P	Security update for chromium (Important)	2020-12-01
oval:org.opensuse.security:def:30541	P	Security update for java-1_7_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:31932	P	Security update for libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32490	P	avahi on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33128	P	krb5 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33845	P	Security update for gtk2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25798	P	Security update for flash-player (Critical)	2020-12-01
oval:org.opensuse.security:def:26427	P	Security update for python-Django (Moderate)	2020-12-01
oval:org.opensuse.security:def:29546	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:30578	P	Security update for nagios-nrpe, nagios-plugins-nrpe	2020-12-01
oval:org.opensuse.security:def:32024	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:32534	P	kde4-kgreeter-plugins on GA media (Moderate)	2020-12-01
oval:org.mitre.oval:def:25913	P	SUSE-SU-2013:1219-1 -- Security update for nagios-nrpe, nagios-plugins-nrpe	2014-09-08
oval:com.ubuntu.precise:def:20131362000	V	CVE-2013-1362 on Ubuntu 12.04 LTS (precise) - low.	2013-07-09
oval:com.ubuntu.trusty:def:20131362000	V	CVE-2013-1362 on Ubuntu 14.04 LTS (trusty) - low.	2013-07-09
oval:com.ubuntu.xenial:def:201313620000000	V	CVE-2013-1362 on Ubuntu 16.04 LTS (xenial) - low.	2013-07-09
oval:com.ubuntu.xenial:def:20131362000	V	CVE-2013-1362 on Ubuntu 16.04 LTS (xenial) - low.	2013-07-09

BACK