[Bug 1555258] Re: Request contained command arguments

Eric Desrochers eric.desrochers at canonical.com
Tue May 2 17:21:48 UTC 2017 

zesty_nagiosnrpe_lp1555258.debdiff

** Patch added: "zesty_nagiosnrpe_lp1555258.debdiff"
   https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/+attachment/4870940/+files/zesty_nagiosnrpe_lp1555258.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1555258

Title:
  Request contained command arguments

Status in nagios-nrpe package in Ubuntu:
  Fix Released
Status in nagios-nrpe source package in Xenial:
  In Progress
Status in nagios-nrpe source package in Yakkety:
  In Progress
Status in nagios-nrpe source package in Zesty:
  In Progress
Status in nagios-nrpe source package in Artful:
  Fix Released
Status in nagios-nrpe package in Debian:
  Fix Released

Bug description:
  [Impact]

   * Debian upstream maintainer decided to compile without "-enable-command-args" as describe in debian/NEWS file. This decision have the effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by not allowing command argument in the deamon.
  Debian disabled the option because there were concerns about security problems and that this feature is often used wrong [0] but there are Ubuntu users out there that know what they're doing and depend on this feature.

   * The expectation is for Ubuntu to deviate from Debian upstream
  decision to accommodate Ubuntu Nagios users.

  * Doug's comment explain well the situation :
  https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/comments/6

  [0] - Debian Bug:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479

  [Test Case]

   * This require a Nagios environment setup (Server and at least 1
  client)

   * Command example run at server side using "dont_blame_nrpe" set to either 0 (false) or 1 (true) in nrpe.cfg
  $ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a rsyslogd 1 0
  CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for error messages.

  Server logs:
  nrpe[83523]: Connection from y.y.y.y port 43186
  nrpe[83523]: Host address is in allowed_hosts
  nrpe[83523]: Handling the connection...
  ==> nrpe[83523]: Error: Request contained command arguments!
  ==> nrpe[83523]: Client request was invalid, bailing out..

  [Regression Potential]

   * This update enables the command-args (at compile time) support in nrpe by NOT ignoring option "dont_blame_nrpe=1" IFF set manually.
     Note that by default, the option is DISABLE in the configuration file (nrpe.cfg) : "dont_blame_nrpe=0".

   * For users using the default value "dont_blame_nrpe=0", so no behavioural change. With regard to the risk, I would say it is LOW.
     The option is disable by default meaning that it doesn't introduce any security risk for users that doesn't rely on this feature.
     But it doesn't prevent the risk that non-experimented users enable the option without considering all the security risk aspects.

   * For users choosing to manually enable this option, the risk is
  HIGHER, but we assume that before enabling this option the users are
  considering the PROS and CONS.

   * Deviating from Debian upstream for that particular case will allow to unblock experimented Ubuntu users (who know what they are doing) of nrpe to make the choice for themselves whether to
     accept the security risks that the feature involve by manually enabling command-args in nrpe.cfg or not.

   * Canonical Security team feedbacks :
     https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9

     ...
     If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362:
     ...

   * COMMAND ARGUMENTS
     NRPE 2.0 includes the ability for clients to supply arguments to commands which should be run. Please note that this feature should be considered a security risk, and you should only use it if you know what you're doing!
     https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments

  Note that Artful and Zesty already has the commit mentioned by Tyler :
  a/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS					"|`&><'\\[]{};\r\n"
  z/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS					"|`&><'\\[]{};\r\n"

  Thus, only Xenial and Yakkety requires it.
  x/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS         "|`&><'\"\\[]{};"
  y/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS         "|`&><'\"\\[]{};"

  [Other Info]

  * CVE-2013-1362 :

  Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In
  Executor (NRPE) before 2.14 might allow remote attackers to execute
  arbitrary shell commands via "$()" shell metacharacters, which are
  processed by bash.

  https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1

  [Original Description]

  Ubuntu 15.10 (upgraded from 12.04)

  Have tried a full purged removal of nagios-nrpe-server and reinstall
  however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being
  ignored.

  /var/log/syslog reports:

  Mar  9 12:33:58 myhost nrpe[17153]: Error: Request contained command arguments!
  Mar  9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out...

  All checks of this box have stopped working since the upgrade and I
  would like to get to the bottom of why NRPE is not honoring my request
  to allow command arguments.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions

More information about the Ubuntu-sponsors mailing list