Nagios Remote Plugin Executor Vulnerability

Nagios is an open source computer system monitoring, network monitoring and infrastructure monitoring software application. Nagios offers monitoring and alerting services for servers, switches, applications, and services. It alerts the users when things go wrong and alerts them a second time when the problem has been resolved.

The NRPE (Nagios Remote Plugin Executor) addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. The main reason for doing this is to allow Nagios to monitor “local” resources (like CPU load, memory usage, etc.) on remote machines. Since these public resources are not usually exposed to external machines, an agent like NRPE must be installed on the remote Linux/Unix machines.

Current Vulnerability

Nagios Remote Plugin Executor (NRPE) contains a vulnerability that could allow an attacker to remotely inject and execute arbitrary code on the host under NRPE account (typically ‘nagios’). The vulnerability is due to NRPE not properly sanitizing user input before passing it to a command shell as a part of a configured command. In order for an attacker to take advantage of the host NRPE must be compiled and configured with command arguments. No authentication is required to exploit this vulnerability if the NRPE port has not been protected with a firewall.

Current version of NRPE 2.15 and older are vulnerable.

 

Solution

  • Disable command arguments if possible.
  • Protect access to NRPE port and only allow access from a trusted nagios server.
  • Install updated version of NRPE when it becomes available.

More Information

Source: SANS Institute