The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

CyRC Vulnerability Advisory: SQL injection, path traversal leading to arbitrary file deletion and XSS in Nagios XI

Scott Tolley

Oct 12, 2021 / 2 min read

Overview

Black Duck Cybersecurity Research Center (CyRC) research has exposed three separate vulnerabilities in Nagios XI. Nagios XI is a widely used application, service, and network monitoring application that has privileged access to network and server configuration and reporting.

The issues are

  • CVE-2021-33177: Postauthentication SQL injection in the bulk modifications tool
  • CVE-2021-33178: Postauthentication path traversal vulnerability in the NagVis reporting module
  • CVE-2021-33179: Reflected cross-site scripting (XSS) on the core config manager

Affected software

CVE-2021-33177
Nagios XI versions prior to 5.8.5.

CVE-2021-33178
Nagios XI versions prior to 5.8.6 via the NagVis plugin. The vulnerability is not in the Nagios XI code itself, but this plugin is installed by default. The vulnerability is present in the NagVis plugin in versions prior to 2.0.9, and this component can be upgraded independently to version 2.0.9 or later or uninstalled if it is not required.

CVE-2021-33179
Nagios XI versions prior to 5.8.4.

Impact

CVE-2021-33177
An authenticated user with access to the bulk modifications tool, such as admin, can inject arbitrary SQL into an UPDATE statement. In the default configuration, this allows execution of arbitrary PostgreSQL functions.

CVSS 3.1 base score: 5.2 (medium)
CVSS 3.1 vector:  CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C

CVE-2021-33178
An authenticated user with access to the NagVis ManageBackgrounds endpoint, such as admin, can delete arbitrary files on the server limited by the rights of the Apache server effective user.

CVSS 3.1 base score: 4.5 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

CVE-2021-33179
When clicked on by the user, a malicious URL could execute arbitrary JavaScript code in the victim’s browser with all Nagios XI local session data available to it.

CVSS 3.1 base score: 4.3 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

Remediation

CVE-2021-33177
Upgrade to Nagios XI 5.8.5 or later.  See release notes: https://www.nagios.com/downloads/nagios-xi/change-log

CVE-2021-33178
If NagVis is installed as Nagios plugin:
Upgrade the NagVis plugin to version 2.0.9 or later. This version of the NagVis plugin is bundled with Nagios XI version 5.8.6 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log

If NagVis was acquired directly from the NagVis project:
Upgrade NagVis to version 1.9.29 or later. See release notes: http://nagvis.org/downloads/changelog/1.9.29

CVE-2021-33179
Upgrade to Nagios XI version 5.8.4 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log

Discovery credit

Scott Tolley, a researcher from the Black Duck Cybersecurity Research Center, discovered these vulnerabilities using the Seeker® interactive application security testing (IAST) tool.
Black Duck would like to commend Nagios team for their responsiveness and for addressing these vulnerabilities in a timely manner.

Timeline

CVE-2021-33177

  • May 12, 2021: Initial disclosure
  • June 4, 2021: Nagios security team validates and confirms the vulnerability
  • July 15, 2021: Nagios XI version 5.8.5 released with a fix for CVE-2021-33177
  • October 13, 2021: Advisory published by Black Duck

CVE-2021-33178

  • May 12, 2021: Initial disclosure
  • June 4, 2021: Nagios Security team validates and confirms the vulnerability
  • September 2, 2021: NagVis plugin version 2.0.9 released with a fix for CVE-2021-33178
  • October 13, 2021: Advisory published by Black Duck

CVE-2021-33179

  • May 12, 2021: Initial disclosure
  • June 4, 2021: Nagios security team validates and confirms the vulnerability
  • June 10, 2021: The vulnerability was fixed in Nagios XI version 5.8.4 released with a fix for CVE-2021-33179
  • October 13, 2021: Advisory published by Black Duck

Continue Reading