Apparently that’s only one half of truth. Just with implementing TLS, you are still in exposure to MITM attacks. There are additional measurements required, like browsers validating the CN against the exposed FQDN or certificate authorities.
In addition to that, another layer of security with only allowing a list of CNs to connect and doing more than a TLS handshake, also is helpful. You can see that with the Zone hierarchy with Endpoint objects matching the CN in Icinga. That way only configured and known agents are really allowed to e.g. receive commands and send back check results.
Versions
NRPE v2 uses the precompiled anon DH secret, meaning to say that the exact same Debian binary can be used to trust each other. If allowed_hosts
is set to any address, you can happily to talk to any NRPE agent in the world. Finding out about the used operation system and NRPE version is fairly easy these days, just trial and error.
TL;DR - TLS is broken in NRPEv2, don’t use it.
NRPE v3 optionally added certificate support next to the old DH methods.
Compatibility
v3 has one problem - it uses a different protocol than v2, and leaving away other agents implementing NRPE support, like NSClient++. So in case you’d want to monitor Windows agents with NSClient++, you are bound to NRPEv2 and anon DH TLS.
Security?
Also, NRPE does not enforce TLS by default. You need to go an extra mile with securing your environment which imho is the wrong strategy in modern times.
Certificates are also an extra step.
# Values: 0 = Don't ask for or require client certificates (default)
TLS Versions
And just that I read it, you are eligible to use older weak versions of TLS than 1.2, especially SSLv3. That is the default (!).
The ssl_version
directive lets you set which versions of SSL/TLS you want to allow. SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 are allowed.
Ciphers
With Icinga 2.11, we’ve analyzed the available ciphers in TLS in deep. That made us remove common weak cipher suites.
Now when I look at the NRPEv3 defaults, this includes
#ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0
If you really want to use old and broken certificates use the custom configuration option tls-cipher “DEFAULT:@SECLEVEL=0”
Worth a read:
https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
Extensions
The CN is not written into the certificate subject following these instructions. Therefore additional measurements after TLS handshake cannot be taken into account on the application layer.
Also, revoked certificate lists are missing.
Remote Command Injection
One last thing: dont_blame_nrpe=1
means that arbitrary command execution can be added after any local plugin call. That can be used to override existing plugin parameters (e.g. to snoop into guessing mounted disks or to trigger exploits). The Debian packages have disabled this on compile time, other systems are still vulnerable to this.
The Icinga agent denies additional arguments and requires the commands being defined. You can even provide local check commands which remove certain arguments from the parent caller, if required.
For further security insights, please refer to the CVEs available in this regard.
Conclusion
That being said, we care about security and are therefore implementing everything to make agents reliable and secure. Other agent transports than Icinga we are able to recommend, are listed in our documentation.
NRPE is not one of them, not even with v3 and the weak default settings. You might be able to secure it, if you are TLS/SSL expert, but with the little documentation provided, I fairly doubt that. Also, the missing CN validation in the application layer is not a good sign. Therefore we discourage its usage and are not supporting it.
In terms of NSClient++ & NRPE as a transport, we are working on our solution already, more can be seen at OSMC next week.
Cheers,
Michael