CVE-2020-6581: 
Linux Debian vulnerability analysis and mitigation

Nagios NRPE (Nagios Remote Plugin Executor) version 3.2.1 contains a vulnerability identified as CVE-2020-6581, discovered in January 2020. The vulnerability stems from insufficient filtering in the configuration file parsing, where the nasty_metachars function incorrectly interprets special characters like \n as separate characters \ and n, rather than as a newline sequence (USD Advisory).

The vulnerability exists in the parsing of the nasty_metachars configuration option, which is designed to blacklist dangerous characters. When special characters like \n are included in the configuration, they are interpreted literally instead of as control characters. This incorrect interpretation can lead to command injection when NRPE is compiled with command line parameter support and the dont_blame_nrpe option is enabled. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow an attacker to perform command injection attacks against the NRPE service. This could lead to unauthorized command execution with the privileges of the NRPE service user, potentially compromising the security of the monitored system (USD Advisory).

The vulnerability has been fixed in Nagios NRPE version 4.0.0 and later releases. Users are advised to upgrade to the latest version. For Fedora users, a security update (nrpe-4.0.2-2.fc32) has been released to address this vulnerability (Fedora Update).