[Pkg-nagios-devel] Bug#849417: Bug#849417: nagios-nrpe-server: segfault during SSL negotiation with older NRPE 2.15 plugin
Adam Di Carlo
adam at onshored.com
Wed Dec 28 18:07:16 UTC 2016
Sebastiaan Couwenberg <sebastic at xs4all.nl> writes:
> As documented in /usr/share/doc/nagios-nrpe-server/NEWS.Debian.gz which
> is shown to you on upgrade when you have apt-listchanges installed:
> Beware that the new NRPE daemon only works with old check_nrpe
> plugins when SSL support is disabled on both sides, likewise the
> new check_nrpe plugin only works with the old NRPE daemon when SSL
> support is disabled.
Oh! I totally didn't see that. Ok. So what I'm trying to do will
never work and I need to disable SSL for all NRPE servers as well as on
my (Jessie) nagios server.
> To use SSL between the NRPE client and server, configuring Stunnel
> is recommended.
I suppose that disabling SSL, so long as I also disable the NRPE
argument processing on the older NRPEs which allow it, won't create too
many security issues on an internal network. The most an attacker could
do, assuming they could spoof the one allowed IP that commands can
come from, is run the checks configured on the NRPE server. So, there
is a denial-of-service risk here but not much more than that....
Pardon me for failing to RTM here.
> Due to the signal handler in NRPE you won't easily get a backtrace since
> SIGSEGV is caught too and NRPE just continues instead of terminating. If
> you can get a backtrace (with debug symbols installed) that would be
Ok, I'll give it a whack. Let's leave the bug in "moreinfo" until I get
that. I do believe I need to rebuild the package with '-g' to get
symbols out, which I've done. Off to work for now but I'll give this
another attempt, should have a result by no later than end of day tomorrow.
...Adam Di Carlo...<adam at onshored.com>.......<URL:http://www.onshored.com/>