[Pkg-nagios-devel] Bug#745272: Exploited by botnet

Michael Friedrich michael.friedrich at gmail.com
Wed Apr 30 21:43:32 UTC 2014


On 30.04.2014 20:15, Alexander Wirt wrote:
> On Wed, 30 Apr 2014, Jan Lühr wrote:
>
>> Hello,
>>
>> there are some reports that this issue is exploited by a botnet.
>> Please consider pushing security updates.
> As said, this is considered a feature by upstream. And to be honest, people
> who are so stupid as to allow dont_blame_nrpe + allowed_hosts=0.0.0.0/0
> deserve a heise news entry.
>
> I won't have time in the next days to write a patch for this. And if I were to
> write such a patch, it would remove dont_blame_nrpe entirely, for all time.
>
> So if you are interested in getting this nonsense working, feel free to
> provide a patch.

Try the ones attached - it essentially breaks existing modified 
configurations having that option set and will refuse to start the 
daemon if not removed.
Therefore a changelog entry on upgrade would be reasonable imho.

Seems that nagios upstream will never provide a fix as they consider 
nrpe "secure" and security holes as "feature"... (if you find the 
sarcasm, it's free and does not require a do-it-yourself-license)

0001-Reject-dont_blame_nrpe-for-NRPE-daemon-CVE-2014-2913.patch - simply 
disables dont_blame_nrpe and bails out if the option remains set in nrpe.cfg

or

0001-Wipe-dont_blame_nrpe-and-allow_bash_command_substitu.patch - 
entirely removes all CVE-affected code. Did not change configure, 
too many changes between the ancient autoconf 2.59 and 2.69 in testing. 
--enable-command-args is therefore useless, but since these are binary 
packages it doesn't hurt much for Debian users here.

hth
Michael



-- 
DI (FH) Michael Friedrich

michael.friedrich at gmail.com  || icinga open source monitoring
https://twitter.com/dnsmichi || lead core developer
dnsmichi at jabber.ccc.de       || https://www.icinga.org/team
irc.freenode.net/icinga      || dnsmichi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Wipe-dont_blame_nrpe-and-allow_bash_command_substitu.patch
Type: text/x-patch
Size: 6967 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20140430/c222f3e2/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Reject-dont_blame_nrpe-for-NRPE-daemon-CVE-2014-2913.patch
Type: text/x-patch
Size: 2185 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20140430/c222f3e2/attachment-0001.bin>
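As an added example (not code from the thread, the attached patches, or NRPE itself): a small Python checker that parses an nrpe.cfg excerpt the way the first patch's "bail out if the option remains set" behaviour implies, and additionally flags the allowed_hosts=0.0.0.0/0 catch-all named above. The sample configuration is constructed; the key names are the real nrpe.cfg ones quoted in the thread.

```python
"""Lint an nrpe.cfg for the dont_blame_nrpe exposure (CVE-2014-2913)."""
import re
from ipaddress import ip_network

# nrpe.cfg is "key=value" per line; lines starting with '#' are comments.
_LINE = re.compile(r"^\s*([^=\s#]+)\s*=\s*(.*?)\s*$")


def parse_nrpe_cfg(text):
    """Return {key: [values in file order]}, skipping comments and blanks."""
    cfg = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if m:
            cfg.setdefault(m.group(1), []).append(m.group(2))
    return cfg


def is_catch_all(hosts):
    """True if any allowed_hosts entry admits every address (0.0.0.0/0, ::/0)."""
    for entry in hosts:
        for host in entry.split(","):
            try:
                if ip_network(host.strip(), strict=False).prefixlen == 0:
                    return True
            except ValueError:  # hostnames are not networks; skip them
                continue
    return False


def check_nrpe_cfg(text):
    """Return findings; an empty list means the daemon may start."""
    cfg = parse_nrpe_cfg(text)
    findings = []
    args_enabled = cfg.get("dont_blame_nrpe", ["0"])[-1] == "1"  # last wins
    catch_all = is_catch_all(cfg.get("allowed_hosts", []))
    if args_enabled:
        findings.append("dont_blame_nrpe=1 set: refuse to start (CVE-2014-2913)")
    if catch_all:
        findings.append("allowed_hosts admits every address (0.0.0.0/0)")
    if args_enabled and catch_all:
        findings.append("argument passing reachable from any host")
    return findings


# Constructed sample mirroring the configuration the thread warns about.
SAMPLE_CFG = """# constructed nrpe.cfg excerpt
server_port=5666
allowed_hosts=127.0.0.1,0.0.0.0/0
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
"""

if __name__ == "__main__":
    for finding in check_nrpe_cfg(SAMPLE_CFG):
        print("REJECT:", finding)
```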