PT-2014-2009 · Nagios · Nagios Remote Plugin Executor

Published

2014-05-07

·

Updated

2024-08-06

·

CVE-2014-2913

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Nagios Remote Plugin Executor (NRPE) versions 2.15 and earlier
Description

The issue is an incomplete blacklist in the Nagios Remote Plugin Executor (NRPE): the daemon filters shell metacharacters out of command arguments received from the network, but the filter does not reject a newline, so a remote attacker can execute arbitrary commands by placing a newline character in an argument passed with the -a option of libexec/check_nrpe. The issue can only occur when the administrator has enabled the dont_blame_nrpe option in nrpe.cfg (it is off by default), despite the "HIGH security risk" warning in the comments of that file. The vendor has reportedly described the newline handling as "expected behavior," and the issue is disputed by multiple parties.
Recommendations

For Nagios Remote Plugin Executor (NRPE) versions 2.15 and earlier, keep dont_blame_nrpe set to 0 (the default) in nrpe.cfg so that the daemon refuses command arguments from the network; with arguments disabled, a newline in the -a option has nothing to reach. If arguments cannot be disabled, restrict which hosts may connect to the NRPE daemon (the allowed_hosts directive, plus a firewall rule on the daemon's TCP port, 5666 by default) so that only the Nagios server can submit checks. Note that libexec/check_nrpe is the client plugin that sends the request; the vulnerable argument handling runs in the nrpe daemon on the monitored host, so the access controls belong on that host. At the moment there is no information about a newer version that contains a fix for this vulnerability.
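The following is an added example, not part of the advisory and not NRPE's own code, that turns the description and the recommendations above into two checks a practitioner can run offline. The first parses an nrpe.cfg-style text and flags dont_blame_nrpe=1 and an allowed_hosts list that admits arbitrary hosts; the second contrasts an argument filter modelled on the incomplete metacharacter blacklist the description refers to (the exact character set is an assumption) with a hardened filter that also rejects CR, LF and other control characters, and shows why a newline that slips through the first filter produces a second command line once the $ARGn$ macros are substituted. The sample configurations and the 256-address threshold are constructed for illustration.

```python
"""Added example for CVE-2014-2913 (not from the advisory or from NRPE).

Offline checks:
  1. audit_nrpe_cfg(): flag dont_blame_nrpe=1 and over-broad allowed_hosts.
  2. argument_is_safe(): an assumed incomplete blacklist next to a hardened one.
  3. render_command(): $ARGn$ substitution, to see the newline effect.
"""
from ipaddress import ip_network

# Assumed blacklist illustrating the pattern in the description: shell
# metacharacters are rejected but a newline is not. NOT NRPE's real list.
INCOMPLETE_NASTY = set("|`&><'\"\\[]{};")
# Hardened set: same characters plus $ ( ) and CR/LF; control characters
# are rejected separately below.
HARDENED_NASTY = INCOMPLETE_NASTY | set("$()\r\n")


def argument_is_safe(arg: str, hardened: bool) -> bool:
    """Return True if `arg` passes the chosen metacharacter filter."""
    bad = HARDENED_NASTY if hardened else INCOMPLETE_NASTY
    if any(ch in bad for ch in arg):
        return False
    if hardened and any(ord(ch) < 0x20 or ch == "\x7f" for ch in arg):
        return False  # reject every control character, not just CR/LF
    return True


def render_command(template: str, args: list) -> str:
    """Substitute $ARG1$, $ARG2$, ... into a command definition.

    A newline inside an argument ends up as a line break in the rendered
    command, i.e. a second command line for a shell to run.
    """
    out = template
    for i, a in enumerate(args, 1):
        out = out.replace(f"$ARG{i}$", a)
    return out


def parse_nrpe_cfg(text: str) -> dict:
    """Minimal key=value parser for nrpe.cfg-style text; comments ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_nrpe_cfg(text: str) -> list:
    """Return a list of findings (empty means nothing flagged)."""
    cfg = parse_nrpe_cfg(text)
    findings = []
    if cfg.get("dont_blame_nrpe", "0") == "1":
        findings.append("dont_blame_nrpe=1: remote command arguments accepted "
                        "(exposure to CVE-2014-2913)")
    hosts = [h.strip() for h in cfg.get("allowed_hosts", "").split(",") if h.strip()]
    if not hosts:
        findings.append("allowed_hosts unset: any host reaching the daemon may submit checks")
    for h in hosts:
        try:
            net = ip_network(h, strict=False)
        except ValueError:
            continue  # hostname entry: breadth cannot be judged offline
        if net.num_addresses > 256:  # assumed threshold for "too broad"
            findings.append(f"allowed_hosts entry {h} admits {net.num_addresses} addresses")
    return findings


# Constructed sample configurations (not from any real deployment).
WEAK_CFG = """\
server_port=5666
allowed_hosts=0.0.0.0/0
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
"""

HARDENED_CFG = """\
server_port=5666
allowed_hosts=127.0.0.1,10.0.0.5
dont_blame_nrpe=0
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_nrpe_cfg(cfg) or ["no findings"])
    payload = "5\nid"  # harmless second command line, for demonstration only
    print("incomplete filter accepts newline:", argument_is_safe(payload, hardened=False))
    print("hardened filter accepts newline:  ", argument_is_safe(payload, hardened=True))
    tmpl = parse_nrpe_cfg(WEAK_CFG)["command[check_users]"]
    print(render_command(tmpl, [payload, "10"]))
```

Run it against a copy of the real nrpe.cfg by reading the file into audit_nrpe_cfg; a clean result means dont_blame_nrpe is off and allowed_hosts is narrow, which is the configuration the recommendations above ask for.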

Exploit

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2018-2143
ALT-PU-2020-1079
ALT-PU-2020-1106
BDU:2019-01845
CVE-2014-2913
MGASA-2014-0217
OPENSUSE-SU-2024:11099-1
SUSE-SU-2014_0682-1
SUSE-SU-2024:1417-1
SUSE-SU-2024_1417-1

Affected Products

Alt Linux
Nagios Remote Plugin Executor
Suse