Tenable researches have found 3 Vulnerabilities in Nagios XI 5.7.3 and have released a full synopsis of the vulnerabilities, as well as POC on their website.
Researches found that Nagiox XI 5.7.3 was vulnerable to the following 3 exploits:
- CVE-2020-5790 Cross-site Request Forgery
- CVE-2020-5791 Authenticated OS Command Injection RCE in /nagiosxi/admin/mibs.php
- CVE-2020-5792: Authenticated OS Command Argument Injection Vulnerability Leading to Arbitrary File Write / RCE in /nagiosxi/includes/components/nxti/index.php
All 3 of these were reported to Nagios on 9/29/2020 and its recommended you upgrade to Nagios XI 5.7.4 or newer immediately!
Synopsis of the 3 Nagios Vulnerabilities
The full synopsis of these 3 vulnerabilities and exploits can be found on the Tenable website, but we’ll quickly cover them below as well to give you an understanding of the severity of these findings.
CVE-2020-5790 Cross-site Request Forgery
There are several Cross-site Request Forgery (CSRF) issues within Nagios, even though there are protections built into the software via the Nagios Session Protector, the application lacks these protections within the following components:
These CSRF exploits can be Remotely exploited by an unauthenticated threat party that will allow them to execute application actions that are sensitive and only meat to be executed by an Authenticated user. This is usually carried out by phishing with a malicious link to trick actual Nagios users to click on the malicious link.
CVE-2020-5791: Authenticated OS Command Injection RCE in /nagiosxi/admin/mibs.php
The file located at admin/mibs.php contains an OS Command injection vulnerability that would allow a remote and unauthenticated user to attack the system as an admin user and execute OS commands under the “apache” user.
More specifically, when the mode parameter is set to “ under-processing” and the type parameter equals “ 1″ , the file parameter will be passed to the PHP exec() function completely un-sanitized!
POC can be seen on the research report here if you scroll down the CVE-2020-5791 section: https://www.tenable.com/security/research/tra-2020-58
CVE-2020-5792: Authenticated OS Command Argument Injection Vulnerability Leading to Arbitrary File Write / RCE in /nagiosxi/includes/components/nxti/index.php
The 3rd and final vulnerability researchers found in Nagios XI an OS command argument injection within the send_custom_trap() function in /nagiosxi/html/includes/components/nxti/index.php.
$cmd variable is constructed using values from the HTTP parameters and prior to the command being passed to exec() , the command is escaped using the PHP function escapeshellcmd().
This allows any attacker to inject arbitrary arguments into the command which can be executed by an Authenticated attacker with admin rights to execute malicious code with apache user privileges.
What makes this vulnerability worse is that this can be combined with CSRF and if an admin clicks on a malicious phishing email, code execution can be by an unauthenticated malicious user!
Full details of these Multiple Nagios XI vulnerabilities and how to Exploit via POC can be found at the links below: