CVE-2018-13457
Description
Nagios Core 4.4.1 and earlier is vulnerable to a local denial of service via a NULL pointer dereference in qh_echo, triggered by a crafted payload sent to the UNIX socket.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A NULL pointer dereference vulnerability exists in the qh_echo function within Nagios Core version 4.4.1 and earlier [1]. The bug is located in query-handler.c at line 29 where strcmp is called on a pointer that can be NULL when a specially crafted message is sent to the Nagios query handler UNIX socket. No special configuration is required; the default listening socket is sufficient to trigger the issue [1].
Exploitation
An attacker with local access to the Nagios Core host can send a crafted payload to the UNIX socket (e.g., `/usr/local/nagios/var/rw/nagios.qh`) using tools like socat [1]. The proof-of-concept commands shown are `echo -ne "#echo\0" | socat unix-connect:./poc/nagios.qh -` and `echo -ne "@echo\0" | socat unix-connect:./poc/nagios.qh -` [1]. No authentication is required as the socket is accessible to local users [1].
Impact
Successful exploitation causes a NULL pointer dereference, leading to a crash of the Nagios Core process, resulting in a local denial-of-service condition [1]. The attacker gains no code execution or data access; the impact is limited to availability [1].
Mitigation
The vulnerability is present in Nagios Core 4.4.1 and earlier [1]. The available references include no patch as of the publication date [1]. Users should monitor the vendor for updates and, as a workaround, restrict local access to the UNIX socket [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.4.1
- osv-coords, 2 versions:
  - pkg:rpm/opensuse/nagios&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/nagios&distro=SUSE%20Package%20Hub%2015%20SP1
- (no CPE) range: < 4.4.5-lp151.5.4.1
- (no CPE) range: < 4.4.5-bp151.4.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing NULL-pointer check in `qh_echo` before calling `strcmp` on user-supplied input."
Attack vector
An attacker with local access to the Nagios UNIX socket sends a crafted payload — either `#echo\0` or `@echo\0` — to the listening socket [ref_id=1]. The `qh_echo` function receives this input and passes it to `strcmp`, which dereferences a NULL pointer when the payload lacks the expected structure, causing a segmentation fault and a denial-of-service condition [ref_id=1]. The attack requires no authentication beyond the ability to connect to the Nagios query handler UNIX socket.
Affected code
The vulnerability resides in the `qh_echo` function in `base/query-handler.c` at line 29, which is called from `qh_input` at line 227 of the same file. The call chain proceeds through `iobroker_poll` in `lib/iobroker.c` and `event_execution_loop` in `base/events.c` [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not specify a fix, but the remediation would require adding a NULL-pointer check in `qh_echo` before the `strcmp` call at line 29 of `base/query-handler.c`, ensuring the function safely handles malformed input without dereferencing a NULL pointer [ref_id=1].
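A minimal C model of the missing check described above, added here as an illustration; it is not Nagios source code. The function names, the request layout and the 400 return value are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a query-handler dispatcher: splits
 * "<handler> <args>" in place and returns the args pointer, or NULL
 * when the request carries a handler name and nothing else. */
static char *split_args(char *query)
{
    char *space = strchr(query, ' ');
    if (space == NULL)
        return NULL;            /* e.g. "#echo" alone: no argument string */
    *space = '\0';
    return space + 1;
}

/* Vulnerable shape: strcmp() on an argument pointer that may be NULL. */
int echo_unchecked(const char *args, char *out, size_t outlen)
{
    if (!strcmp(args, "help")) {            /* crashes when args == NULL */
        snprintf(out, outlen, "usage: echo <text>");
        return 0;
    }
    snprintf(out, outlen, "%s", args);
    return 0;
}

/* Hardened shape: reject a missing or empty argument before comparing. */
int echo_checked(const char *args, char *out, size_t outlen)
{
    if (args == NULL || *args == '\0') {
        snprintf(out, outlen, "usage: echo <text>");
        return 400;                         /* constructed error code */
    }
    if (!strcmp(args, "help")) {
        snprintf(out, outlen, "usage: echo <text>");
        return 0;
    }
    snprintf(out, outlen, "%s", args);
    return 0;
}

/* Dispatch one request through the hardened handler. */
int handle_query(const char *raw, char *out, size_t outlen)
{
    char buf[128];
    snprintf(buf, sizeof buf, "%s", raw);   /* bounded, NUL-terminated copy */
    return echo_checked(split_args(buf), out, outlen);
}
```

The hardened handler returns an error for a request with no argument string instead of passing NULL to `strcmp`, so a malformed request costs one rejected query rather than the whole process.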
Preconditions
- network: Attacker must have local access to the Nagios UNIX socket (typically a file in the filesystem)
- auth: No authentication required beyond the ability to connect to the socket
Reproduction
1. Identify the Nagios UNIX socket path (e.g., `./poc/nagios.qh`).
2. Run one of the following commands:
   `echo -ne "#echo\0" | socat unix-connect:./poc/nagios.qh -`
   `echo -ne "@echo\0" | socat unix-connect:./poc/nagios.qh -`
3. The Nagios process crashes with a NULL pointer dereference in `qh_echo` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/45082/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00014.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00022.html (mitre, vendor-advisory, x_refsource_SUSE)
- gist.github.com/fakhrizulkifli/87cf1c1ad403b4d40a86d90c9c9bf7ab (mitre, x_refsource_MISC)
- knowledge.opsview.com/v5.3/docs/whats-new (mitre, x_refsource_CONFIRM)
- knowledge.opsview.com/v5.4/docs/whats-new (mitre, x_refsource_CONFIRM)