CVE-2020-6582: 
Linux Debian vulnerability analysis and mitigation

Nagios NRPE 3.2.1 contains a Heap-Based Buffer Overflow vulnerability (CVE-2020-6582), discovered in January 2020. The vulnerability occurs due to the interpretation of a small negative number as a large positive number during a bzero call (USD Advisory).

The vulnerability exists in the NRPE v3 packet format processing where buffer_length is defined as int32_t (signed integer). When processing packets, the daemon can receive a negative buffer length which gets converted to an unsigned integer during bzero call, resulting in a large positive number. This causes a heap overflow when attempting to zero out unmapped virtual memory segments. The vulnerability has a CVSS v3.1 Base Score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

When exploited, this vulnerability causes a heap overflow that attempts to zero out unmapped virtual memory segments, resulting in a crash of the current thread. The vulnerability affects the availability of the system but does not impact confidentiality or integrity (USD Advisory).

The vulnerability has been fixed in Nagios NRPE version 4.0.0. The fix involves changing the buffer_length to be transmitted as an unsigned integer and implementing checks to prevent integer overflow attacks. Users should upgrade to version 4.0.0 or later (USD Advisory, Fedora Update).