SB2013041213 - OS Command Injection in nrpe (Alpine package)
Published: April 12, 2013
Security Bulletin ID
SB2013041213
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) OS Command Injection (CVE-ID: CVE-2013-1362)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=6aae23e6b0728ce3aa88986707e0dc22db3ec67d
- https://git.alpinelinux.org/aports/commit/?id=074165486515f6ff65577079ab0d88783cbbefa7
- https://git.alpinelinux.org/aports/commit/?id=a5ea713c5b27940381f4007a003a491debbfc343
- https://git.alpinelinux.org/aports/commit/?id=f050eaa469a79457c23ea32c3120fac54f2c1b27