CVE-2019-9167: Security Disclosures - Nagios

Notice: Spring4Shell Vulnerability – Nagios does not use the Java Spring framework****Notice: Our response to CVE-2021-44228 and log4j in Nagios products****Reporting Security Vulnerabilities

At Nagios, we make security a priority. We strive to patch any security issues in a timely manner. We highly recommend using the latest versions available of our software. The latest versions will include security fixes that remediate the vulnerabilites shown below.

Please send security vulnerabilities found in any of the Nagios commercial products and security related emails to [email protected]. All non-security related bug reports should be given through a Support Ticket or through a post on the Support Forum.

Disclosed Vulnerabilites

Below is a listing of CVEs for patched security vulnurabilites that have been disclosed for Nagios products. Product version below does not mean that the security issue is only in that product version. Upgrade to the latest version to ensure all known vulnerabilities are patched. Scroll down to see all products.

Nagios XI 5.8

CVE

Vulnerability Summary

Remediation Summary

CVE-2022-29272

Certain crafted redirect URLs on the login page could be redirected to external URLs.

Upgrade to Nagios XI 5.8.9 or above

CVE-2022-29271

Read-only users are able to submit a specific command to the schedule downtime page that would schedule downtimes.

Upgrade to Nagios XI 5.8.9 or above

CVE-2022-29270

When changing a user’s email addresses, users are not required to confirm their password which could be used to reset a user’s password via email.

Upgrade to Nagios XI 5.8.9 or above

CVE-2022-29269

Users could send HTML via setting the scheduled reporting message to have HTML code in it.

Upgrade to Nagios XI 5.8.9 or above

CVE-2021-40345

Command injection security vulnerability in the cmdsubsys.php cron job for installation of dashlets, components, and config wizards.

Upgrade to Nagios XI 5.8.6 or above

CVE-2021-40343

Permission security issue with file permissions for the migration script “nagios_unbundler.py” which could allow arbitrary code execution.

Upgrade to Nagios XI 5.8.6 or above

CVE-2021-40344

Security issue with file validation in the admin custom includes component allowed php files to be uploaded and executed.

Upgrade to Nagios XI 5.8.6 or above or upgrade Custom Includes component to version 1.1.0 or above

CVE-2021-38156

XSS vulnerability in Manage My Dashboards edit dashboard title functionality.

Upgrade to Nagios XI 5.8.6 or above

CVE-2021-37223

SSRF in Scheduled Reports when the report url is from outside the Nagios XI system.

Upgrade to Nagios XI 5.8.6 or above

CVE-2021-33177

The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-33178

The Manage Backgrounds functionality within Nagvis versions prior to 2.0.8 is vulnerable to an authenticated path traversal vulnerability. Exploitation of this results in a malicious actor having the ability to arbitrarily delete files on the local system as the apache user.

Upgrade to Nagios XI 5.8.6 or above and ensure NagVis component is 2.0.9+

CVE-2021-33179

The general user interface in Nagios XI versions prior to 5.8.5 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-37344

Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection).

Upgrade Switch config wizard from Admin > Manage Config Wizards to version 2.5.7 or above.

CVE-2021-37343

A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-37345

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-37346

Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralisation of special elements used in an OS Command (OS Command injection).

Upgrade WatchGuard config wizard from Admin > Manage Config Wizards to version 1.4.8 or above.

CVE-2021-37347

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-37348

Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-37349

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-37350

Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-37351

Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-37352

An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-37353

Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitation in table_population.php

Upgrade Docker config wizard from Admin > Manage Config Wizards to version 1.1.3 or above.

CVE-2021-36363
CVE-2021-36365

Local privilege escalation due to insecure permissions of the migrate.php and the repairmysql.sh files.

Upgrade to Nagios XI 5.8.5 or above

CVE-2021-36364
CVE-2021-36366

Local privilege escalation due to wildcard expansion in backup_xi.sh and manage_services.sh files.

Upgrade to Nagios XI 5.8.5 or above

Nagios XI 5.7

CVE

Vulnerability Summary

Remediation Summary

CVE-2021-25299

XSS vulnerability in the SSH Terminal page.

Upgrade to Nagios XI 5.8.0 or above

CVE-2021-25298

OS command injection as the apache user through variables passed into the Config Wizard.

Upgrade the Cloud-VM config wizard from Admin > Manage Config Wizards to version 1.0.4 or above.

CVE-2021-25297

OS command injection as the apache user through variables passed into the Config Wizard.

Upgrade the Switch config wizard from Admin > Manage Config Wizards to version 2.5.4 or above.

CVE-2021-25296

OS command injection as the apache user through variables passed into the Config Wizard.

Upgrade the Windows WMI config wizard from Admin > Manage Config Wizards to version 2.2.3 or above.

CVE-2021-3193

Unauthenticated remote code execution (RCE) vulnerability as the apache user in Nagios XI in the Docker config wizard.

Upgrade the Docker config wizard from Admin > Manage Config Wizards to version 1.1.2 or above.

CVE-2021-26023
CVE-2021-26024

XSS vulnerability and IDOR allowing users to add a favorite to other users security vulnerability in Favorites component.

Upgrade the Favorites component from Admin > Manage Components to version 1.0.2 or above.

CVE-2020-35578

Remote code execution (RCE) vulnerability in Nagios XI in Manage Plugins page when uploading plugin with option to convert line endings.

Upgrade to Nagios XI 5.8.0 or above.

CVE-2020-28910

Creation of a Temporary Directory with Insecure Permissions allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.

Upgrade to Nagios XI 5.8.4 or above for full changes.

CVE-2020-28648

Remote code execution (RCE) from improper input validation in the Auto-Discovery component allows an authenticated attacker to execute remote code.

Upgrade to Nagios XI 5.7.5 or above.

CVE-2020-5790

Cross-site request forgery (CSRF) vulnerabilities in Nagios XI for SNMP Trap Sender and Manage MIBs admin pages.

Upgrade to Nagios XI 5.7.4 or above.

CVE-2020-5791

An OS command injection vulnerability in the Admin Manage MIBs page. A remote, authenticated attacker with admin privileges may exploit this vulnerability to execute arbitrary OS commands with privileges of the ‘apache’ user.

Upgrade to Nagios XI 5.7.4 or above.

CVE-2020-5792

An OS command argument injection vulnerability in the Send Custom Trap command in the SNMP Trap Interface.

Upgrade to Nagios XI 5.7.4 or above.

CVE-2020-15903

Privilege escalation as user nagios to root in backend scripts that are run as root user due to permissions and included files.

Upgrade to Nagios XI 5.7.3 or above.

CVE-2020-15901

Remote code execution as authenticated user in ajaxhelper.php allows remote attackers to execute arbitrary commands via cmdsubsys.

Upgrade to Nagios XI 5.7.2 or above.

CVE-2020-15902

XSS vulnerability in Graph Explorer via the link url option.

Upgrade to Nagios XI 5.7.2 or above.

Nagios XI 5.6

CVE

Vulnerability Summary

Remediation Summary

X-Force 179406

Possible postauth SQL injection in the SNMP Trap Interface page. User must have administative privliges to access.

Upgrade to Nagios XI 5.6.14 or above.

X-Force 179405

Authenticated remote execution vulnerability in command_test.php script using the address paramater. User must have access to the CCM to access.

Upgrade to Nagios XI 5.6.14 or above.

X-Force 179404

Authenticated remote code execution vulnerabilitiy in export-rrd.php in start, end, or step parameter.

Upgrade to Nagios XI 5.6.14 or above.

CVE-2020-10821

XSS vulnerability as an authenticated user via the account/main.php theme parameter.

Upgrade to Nagios XI 5.6.13 or above.

CVE-2020-10819
CVE-2020-10820

XSS vulnerability as an authenticated administrator via the LDAP/AD component username and password parameters.

Upgrade to Nagios XI 5.6.13 or above.

CVE-2019-20197

Remote command execution as authenticated user. The user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

Upgrade to Nagios XI 5.6.10 or above.

CVE-2019-20139

XSS vulnerability exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. An authenticated user can use this method of attack against any user.

Upgrade the Operations Center component from Admin > Manage Components to version 1.3.3 or above.

CVE-2019-15949

Remote command execution as root vulnerability in Nagios XI’s getprofile.sh script. The script runs when profiles are created via the profile component. User must have access to edit plugins or access to the nagios user on the server.

Upgrade to Nagios XI 5.6.6 or above.

Nagios XI 5.5

CVE

Vulnerability Summary

Remediation Summary

CVE-2019-9164

Command Injection vulnerability that allows specific command to remotely execute code when making a new autodiscovery job. Users must be authenticated and have access to autodiscovery to be able to execute a new job.

Upgrade to Nagios XI 5.5.11 or above.

CVE-2019-9165

SQL Injection vulnerability via the API when using fusekeys and malicious user id.

Upgrade to Nagios XI 5.5.11 or above.

CVE-2019-9166

Root Priviledge Escalation rearding permissions on config.inc.php and import_xiconfig.php allowing non-priviledged users to write to the files. This exploit requires access to the files on the server. Both files should be root owned with no write permissions.

Upgrade to Nagios XI 5.5.11 or above.

CVE-2019-9167

XSS vulnerability that can be passed in using the xiwindow parameter.

Upgrade to Nagios XI 5.5.11 or above.

CVE-2019-9202

Authorized remote code execution in Nagios IM component via API key issues.

Upgrade Nagios IM component to version 2.2.7 or above.

Alternatively, remove the nagiosim component if not in use.

CVE-2019-9203

Authorization bypass in Nagios IM component allowing closing incidents in IM via the API.

Upgrade Nagios IM component to version 2.2.7 or above.

Alternatively, remove the nagiosim component if not in use.

CVE-2019-9204

SQL Injection in Nagios IM component.

Upgrade Nagios IM component to version 2.2.7 or above.

Alternatively, remove the nagiosim component if not in use.

CVE-2018-20171
CVE-2018-20172

Unauthorized XSS vulnerabilities in the rss_dashlet. This is related to the scripts in being URL-accessible from the Magpie RSS scripts scripts directory.

Upgrade to Nagios XI 5.5.8 or above.

For immediate remediation remove the magpierss/scripts directory from rss_dashlet.

CVE-2018-15708

Unauthenticated Remote Code Execution via Command Argument Injection. A critical vulnerability exists in a custom version of Snoopy being used in MagpieRSS which allows a remote, unauthenticated attacker to inject arbitrary arguments into a “curl” command. This can be done by requesting magpie_debug.php with a crafted value specified in the HTTP GET ‘url’ parameter.

Upgrade to Nagios XI 5.5.7 or above.

For immediate remediation remove the rss_dashlet if you are not using it.

CVE-2018-15709

Authenticated Command Injection. The Nagios subsystem is vulnerable to command injection in many cases. An authenticated attacker may inject and execute arbitrary OS commands. Must be an authenticated user (can be non-admin).

Upgrade to Nagios XI 5.5.7 or above.

CVE-2018-15710

Local Privilege Escalation (to root) via Command Injection. An Auto Discovery script suffers from a local command injection vulnerability which can be exploited to gain
root OS privileges. Must be authenticated user with access to Auto Discovery component.

Upgrade to Nagios XI 5.5.7 or above.

CVE-2018-15711

Unauthorized API Key Regeneration. An low-privileged, authenticated user can force API key regeneration for any Nagios XI user (including admins). When the API key is regenerated, the new one is returned in the response body. Must be authenticated user.

Upgrade to Nagios XI 5.5.7 or above.

CVE-2018-15712

Unauthenticated Persistent Cross-site Scripting. A persistent cross-site scripting (XSS) vulnerability exists in the Nagios XI Business Process Intelligence (BPI) component’s api_tool.php.

Upgrade to Nagios XI 5.5.7 or above.

CVE-2018-15713

Authenticated Persistent Cross-site Scripting. A persistent cross-site scripting vulnerability was discovered in Nagios XI in admin/users.php. This vulnerability requires authentication to be exploited successfully.

Upgrade to Nagios XI 5.5.7 or above.

CVE-2018-15714

Reflected Cross-site Scripting. A reflected cross-site scripting vulnerability exists within /usr/local/nagiosxi/html/account/checkauth.php. This vulnerability requires authentication to be exploited successfully.

Upgrade to Nagios XI 5.5.7 or above.

CVE-2018-17147

A cross-site scripting (XSS) vulnerability exists in the auto login admin management page.

Upgrade to Nagios XI 5.5.5 or above.

Nagios XI 5.4

CVE

Vulnerability Summary

Remediation Summary

CVE-2018-10554

An Cross Site Scripting vulernability (XSS) was discovered in Nagios XI 5.4.13 in scheduling new reports, downtime.php, ajaxhelper.php and deploynotifications.

Upgrade to Nagios XI 5.5.0 or above.

CVE-2018-10553

The xiwindow parameter in Nagios XI can be used to load any web-accessible files into the iframe. These files can be accessed via apache normally, without the use of the xiwindow URL parameter.

Avoid keeping any files that should not be accessed (or are not PHP and session authenticated) out of the /usr/local/nagiosxi/html directory.

CVE-2018-8733

Authentication bypass vulnerability in NagiosQL in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.

Upgrade to Nagios XI 5.4.13 or above.

For immidiate remediation, remove the /etc/httpd/conf.d/nagiosql.conf apache configuration file and restart apache.

CVE-2018-8734
CVE-2018-10735
CVE-2018-10736
CVE-2018-10737
CVE-2018-10738

SQL injection vulnerabilities in the legacy NagiosQL component in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via different pages and parameters.

Upgrade to Nagios XI 5.4.13 or above.

For immidiate remediation, remove the /etc/httpd/conf.d/nagiosql.conf apache configuration file and restart apache.

CVE-2018-8735

Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection. Attack requires an authenticated user with access to the CCM.

Upgrade to Nagios XI 5.4.13 or above.

CVE-2018-8736

A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root. Attack requires an authenticated user with access to the CCM.

Upgrade to Nagios XI 5.4.13 or above.

Nagios Fusion 4

CVE

Vulnerability Summary

Remediation Summary

CVE-2020-28903

XSS vulnerabilities in data that is displayed in dashboard and dashlets.

Update to Nagios Fusion 4.1.9 or above

CVE-2020-28905

Authenticated remote code execution (from the context of low-privileges user) in table pagination.

Update to Nagios Fusion 4.1.9 or above

CVE-2020-28902

Privilege escalation from apache to nagios via command injection on timezone parameter in cmd_subsys.php.

Update to Nagios Fusion 4.1.9 or above

CVE-2020-28901

Privilege escalation from apache to nagios via command injection on component_dir parameter in cmd_subsys.php.

Update to Nagios Fusion 4.1.9 or above

CVE-2020-28904

Privilege escalation from apache to nagios via installation of malicious component.

Update to Nagios Fusion 4.1.9 or above

CVE-2020-28900

Privilege escalation from nagios to root via upgrade_to_latest.sh.

Update to Nagios Fusion 4.1.9 or above

CVE-2020-28907

Privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config.

Update to Nagios Fusion 4.1.9 or above

CVE-2020-28906

Privilege escalation from nagios to root via modification of fusion-sys.cfg.

Update to Nagios Fusion 4.1.9 or above

CVE-2020-28909

Privilege escalation from nagios to root via modification of scripts that can execute as sudo.

Update to Nagios Fusion 4.1.9 or above

CVE-2020-28908

Privilege escalation from apache to nagios via command injection in cmd_subsys.php.

Update to Nagios Fusion 4.1.9 or above

CVE-2020-28911

Lower priviledged user can authenticate to fused server when credentials are stored.

Update to Nagios Fusion 4.1.9 or above

Nagios Network Analyzer 2

CVE

Vulnerability Summary

Remediation Summary

CVE-2021-28925

A SQL injection in the API Sources endpoint.

Update to Nagios Network Analyzer 2.4.3 and above

CVE-2021-28924

A XSS vulnerability has been discovered the Queries page.

Update to Nagios Network Analyzer 2.4.3 and above

Nagios Log Server 2

CVE

Vulnerability Summary

Remediation Summary

CVE-2019-15898

A reflected (XSS) vulnerability has been discovered in Nagios Log Server via the username on the Login page.

Update to Nagios Log Server 2.0.8 and above

CVE-2020-16157

A reflected (XSS) vulnerability has been discovered in Nagios Log Server via the Notification Methods on the Alerts page.

Update to Nagios Log Server 2.1.7 and above

Nagios Core 4

CVE

Vulnerability Summary

Remediation Summary

CVE-2018-18245

A cross-site scripting (XSS) vulnerability has been discovered in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output.
In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output.

Update to Nagios Core 4.4.3 or Nagios XI 5.5.9 and above
(You can also patch this with Core maint branch)