CVE-2019-13131
📋 TL;DR
CVE-2019-13131 is a critical remote code execution vulnerability in Super Micro SuperDoctor 5 monitoring software. Attackers can execute arbitrary commands via the Nagios Remote Plugin Executor (NRPE) interface when the restrictions in agent.cfg aren't properly configured. NRPE has no authentication of its own (only the allowed_hosts list and optional TLS), so any host that can reach the listener can issue requests. This affects organizations that run SuperDoctor 5 for server monitoring with its NRPE listener reachable and unrestricted.
💻 Affected Systems
- Super Micro SuperDoctor 5
📦 What is this software?
SuperDoctor 5 is Supermicro's hardware health monitoring agent for its servers. It exposes an NRPE-compatible listener (default TCP port 5666) so that Nagios-style monitoring servers can query sensor and status checks remotely.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise: commands run with the privileges of the SuperDoctor 5 service, which typically runs as root or SYSTEM because it reads hardware sensors, potentially leading to data theft, ransomware deployment, or lateral movement across the network.
Likely Case
Remote attackers gain command execution on monitoring servers, enabling them to install backdoors, exfiltrate data, or pivot to other systems in the environment.
If Mitigated
With network segmentation and allowed_hosts restrictions in place, only the designated monitoring servers can reach the NRPE listener, so an attacker would first need to compromise one of those hosts; the blast radius is reduced to the monitored system and its monitoring peers rather than eliminated.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (47030). The attack requires network reachability of the NRPE port (default TCP 5666) and knowledge of the target's NRPE configuration (the command names defined in agent.cfg); no credentials are needed, because NRPE has no authentication beyond its allowed_hosts list.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Super Micro security advisory for specific patched versions
Vendor Advisory: https://www.supermicro.com/support/security_Bulletins.cfm
Restart Required: Yes
Instructions:
1. Check Super Micro security bulletins for patch details.
2. Download and apply the latest SuperDoctor 5 update.
3. Restart SuperDoctor 5 services.
4. Verify NRPE restrictions are properly configured in agent.cfg.
🔧 Temporary Workarounds
Implement NRPE Restrictions
Linux: configure agent.cfg to restrict NRPE command execution to authorized hosts and to a fixed set of commands only
Edit /opt/Supermicro/SuperDoctor5/agent.cfg
Add 'allowed_hosts=trusted_ip_addresses' (comma-separated list of the monitoring servers' IPs; if the directive is absent, NRPE accepts connections from any host)
Define only the commands you need as 'command[check_command]=/path/to/command', with the full argument list fixed in the file rather than substituted from the client ($ARG1$ and similar tokens), and make the target binaries non-writable by unprivileged users
Restart the SuperDoctor 5 service after editing so the new restrictions take effect
Network Segmentation
Linux: restrict access to the NRPE port (default 5666) using firewall rules
iptables -A INPUT -p tcp --dport 5666 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 5666 -j DROP
These rules are appended to the INPUT chain; if an earlier rule already accepts all traffic they will never match, so insert them ahead of it (iptables -I) or place them in the chain where the existing rules are evaluated, and persist them so they survive a reboot.
🧯 If You Can't Patch
- Implement strict firewall rules to allow NRPE access only from trusted monitoring servers
- Disable SuperDoctor 5 NRPE service if not absolutely required for monitoring operations
🔍 How to Verify
Check if Vulnerable:
Check whether the NRPE service is listening on port 5666 (for example with 'ss -ltnp' on the host, or a port scan from the network). Then test from a host that is not a monitoring server using the check_nrpe tool: 'check_nrpe -H target_ip' with no command returns the NRPE version banner if the daemon will talk to you at all, and 'check_nrpe -H target_ip -c check_command' runs a configured command. If either succeeds from an unauthorized host, the listener is exposed.
Check Version:
/opt/Supermicro/SuperDoctor5/sd5 -v or check SuperDoctor 5 interface for version information
Verify Fix Applied:
Repeat the check_nrpe test from an unauthorized host: the connection should be refused or dropped, and no command output should be returned. Confirm that agent.cfg contains an allowed_hosts line limited to the monitoring servers and that none of its command definitions accepts client-supplied arguments.
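The agent.cfg hardening in the workarounds above and this verification step both come down to inspecting a few NRPE-style directives. The following audit script is an added example written for this page, not part of SuperDoctor 5 or NRPE. It assumes agent.cfg uses the standard NRPE directive names (allowed_hosts, dont_blame_nrpe, command[name]=...); dont_blame_nrpe is NRPE's switch for client-supplied arguments and is included as a general NRPE hardening check, not as a statement about the specific defect behind CVE-2019-13131. Both sample configurations are constructed for the example.

```python
import re

# Constructed sample of a permissive NRPE-style agent.cfg (not taken from any
# real SuperDoctor 5 install): no allowed_hosts, argument passing enabled,
# and a command that splices a client-supplied $ARG1$ into its command line.
WEAK_CFG = """\
# agent.cfg (constructed example)
server_port=5666
dont_blame_nrpe=1
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p $ARG1$
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
"""

# Constructed hardened counterpart: explicit allowed_hosts, arguments disabled,
# every command fully specified in the file.
HARDENED_CFG = """\
# agent.cfg (constructed example)
server_port=5666
allowed_hosts=127.0.0.1,10.10.0.5
dont_blame_nrpe=0
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
"""

ARG_TOKEN = re.compile(r"\$ARG\d+\$")            # NRPE argument placeholders
CMD_LINE = re.compile(r"^command\[([^\]]+)\]=(.*)$")
WIDE_OPEN = {"0.0.0.0", "0.0.0.0/0", "::", "::/0"}  # allowed_hosts values that allow everyone


def parse_cfg(text):
    """Split NRPE-style key=value text into (settings, commands) dicts."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CMD_LINE.match(line)
        if m:
            commands[m.group(1)] = m.group(2).strip()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings, commands


def audit_nrpe_config(text):
    """Return a list of findings for the given config text; empty means nothing flagged."""
    settings, commands = parse_cfg(text)
    findings = []

    hosts = settings.get("allowed_hosts", "")
    host_list = [h.strip() for h in hosts.split(",") if h.strip()]
    if not host_list:
        findings.append("allowed_hosts is unset: any host that can reach the port may run commands")
    elif WIDE_OPEN.intersection(host_list):
        findings.append("allowed_hosts contains a wildcard network: %s" % hosts)

    args_enabled = settings.get("dont_blame_nrpe", "0") == "1"
    if args_enabled:
        findings.append("dont_blame_nrpe=1: clients may pass arguments into commands")

    # A $ARGn$ token is only reachable by a client when argument passing is on,
    # but it is still worth reporting so it does not become live after a config change.
    for name, cmdline in commands.items():
        if ARG_TOKEN.search(cmdline):
            severity = "injectable" if args_enabled else "dormant"
            findings.append("command[%s] substitutes client arguments (%s): %s" % (name, severity, cmdline))
    return findings


if __name__ == "__main__":
    # On a real host: audit_nrpe_config(open("/opt/Supermicro/SuperDoctor5/agent.cfg").read())
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print("== %s ==" % label)
        for finding in audit_nrpe_config(cfg) or ["no findings"]:
            print("  -", finding)
```

The weak configuration produces three findings (no allowed_hosts, arguments enabled, and an injectable check_disk command); the hardened one produces none. Treat an empty result as a necessary, not sufficient, condition: it says nothing about whether the listener is also filtered at the network layer.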
📡 Detection & Monitoring
Log Indicators:
- NRPE connection attempts from IPs that are not monitoring servers
- Connections rejected by allowed_hosts (the NRPE daemon logs "Host <ip> is not allowed to talk to us!" to syslog); NRPE has no login step, so there are no failed-authentication events as such
- Execution of commands via NRPE that are not part of the configured monitoring checks, or command lines containing shell metacharacters
Network Indicators:
- Unusual traffic to port 5666 from non-monitoring systems
- NRPE protocol anomalies or malformed requests
SIEM Query:
Network flows: dest_port=5666 AND src_ip NOT IN [monitoring_servers] (the NRPE listener is the destination; the client's source port is ephemeral, so filtering on source_port=5666 would match nothing useful)
Host logs: process="nrpe" AND (message CONTAINS "is not allowed to talk to us" OR command NOT IN [allowed_commands])
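The indicators above can be checked with a small allowlist-based detector. The script below is an added example for this page, not tooling from Supermicro, Nagios or the NRPE project. Its sample log lines are constructed: the nrpe[] lines are modelled on the messages the NRPE daemon writes to syslog (the "is asking for command" and "Running command" lines only appear when debug=1 is set in the config), and the kernel lines follow the iptables LOG target format, assuming a logging rule for TCP/5666 with --log-prefix "NRPE: " has been added ahead of the DROP rule. The host and network names are hypothetical.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real captures). 10.10.0.5 plays the
# legitimate monitoring server; 192.168.7.44 plays an unexpected client.
SAMPLE_LOG = """\
Jul 10 12:00:01 sd5host nrpe[2211]: Host 10.10.0.5 is asking for command 'check_load' to be run...
Jul 10 12:00:01 sd5host nrpe[2211]: Running command: /usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
Jul 10 12:00:07 sd5host nrpe[2212]: Host 192.168.7.44 is not allowed to talk to us!
Jul 10 12:00:09 sd5host nrpe[2213]: Host 192.168.7.44 is asking for command 'check_disk' to be run...
Jul 10 12:00:09 sd5host nrpe[2213]: Running command: /usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /;id
Jul 10 12:00:30 sd5host kernel: NRPE: IN=eth0 OUT= SRC=192.168.7.44 DST=10.10.0.20 PROTO=TCP SPT=51822 DPT=5666
Jul 10 12:00:31 sd5host kernel: NRPE: IN=eth0 OUT= SRC=10.10.0.5 DST=10.10.0.20 PROTO=TCP SPT=40011 DPT=5666
Jul 10 12:00:40 sd5host nrpe[2214]: Host 10.10.0.5 is asking for command 'check_users' to be run...
"""

NOT_ALLOWED = re.compile(r"nrpe\[\d+\]: Host (\S+) is not allowed to talk to us")
ASKING = re.compile(r"nrpe\[\d+\]: Host (\S+) is asking for command '([^']+)'")
RUNNING = re.compile(r"nrpe\[\d+\]: Running command: (.*)$")
FIREWALL = re.compile(r"kernel: .*SRC=(\S+) .*DPT=5666\b")
METACHARS = re.compile(r"[;&|`$]")  # crude but effective for a fixed-argument command set


def detect_nrpe_abuse(lines, monitoring_servers, allowed_commands):
    """Return alert strings for log lines that violate the host and command allowlists.

    monitoring_servers: IPs or CIDR networks of the hosts that may talk to NRPE.
    allowed_commands: the command names defined in agent.cfg that monitoring uses.
    """
    trusted = [ip_network(n) for n in monitoring_servers]

    def is_trusted(ip):
        try:
            addr = ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in trusted)

    alerts = []
    for line in lines:
        m = NOT_ALLOWED.search(line)
        if m:
            # The daemon already refused this one; it is still a reconnaissance signal.
            alerts.append("rejected by allowed_hosts: %s" % m.group(1))
            continue
        m = ASKING.search(line)
        if m:
            src, cmd = m.groups()
            if not is_trusted(src):
                alerts.append("command '%s' requested from untrusted host %s" % (cmd, src))
            elif cmd not in allowed_commands:
                alerts.append("unexpected command '%s' requested by %s" % (cmd, src))
            continue
        m = RUNNING.search(line)
        if m:
            cmdline = m.group(1)
            if METACHARS.search(cmdline):
                alerts.append("shell metacharacters in executed command: %s" % cmdline)
            continue
        m = FIREWALL.search(line)
        if m and not is_trusted(m.group(1)):
            alerts.append("TCP/5666 connection from non-monitoring host %s" % m.group(1))
    return alerts


if __name__ == "__main__":
    for alert in detect_nrpe_abuse(SAMPLE_LOG.splitlines(),
                                   ["10.10.0.5", "127.0.0.1"],
                                   {"check_load", "check_disk"}):
        print(alert)
```

On the sample input this raises five alerts: the allowed_hosts rejection, a command request and a firewall hit from the untrusted 192.168.7.44, the executed command line carrying a ";", and an unlisted check_users request from the otherwise trusted monitoring server. The first two classes fire only if NRPE's debug logging is on, so the firewall log line is the indicator that works with a default NRPE configuration.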