SuSE Update For NRPE OpenSUSE-SU-2013:0621-1 (NRPE) Network Vulnerability

Solution

Please Install the Updated Packages.

Insight

NRPE (the Nagios Remote Plug-In Executor) allows the passing of $() to plugins/scripts which, if run under bash, will execute that shell command under a subprocess and pass the output as a parameter to the called script. Using this, it is possible to get called scripts, such as check_http, to execute arbitrary commands under the uid that NRPE/nagios is running as (typically, 'nagios'). With this update NRPE will deny remote requests containing a bash command substitution.

Affected

NRPE on openSUSE 12.2, openSUSE 12.1

References

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00005.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2013-1362

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

SLES10: Security update for IBM Java 1.5.0
SLES10: Security update for Epiphany
SLES10: Security update for IBM Java 1.4.2
SLES10: Security update for CUPS
SLES10: Security update for liblcms

SuSE Update for NRPE openSUSE-SU-2013:0621-1 (NRPE)

Take action and discover your vulnerabilities