Nagios XI Vulnerabilities: A Serious Risk to Organizations

Researchers at Outpost24 Ghost Labs Vulnerability Research have discovered four vulnerabilities in widely used network management products from Nagios XI. The flaws could pose a serious risk to organizations as these types of products can be a tempting target for malicious actors.

Nagios XI, a commercial avatar of the open-source Nagios Core platform, is an IT and network monitoring maestro. Thanks to its enhanced features, it’s an indispensable tool for organizations looking to manage their labyrinthine IT infrastructures.

Now, due to its inherent functions, Nagios XI often enjoys elevated privileges in many environments, making it an alluring target for cyber adversaries.

Image: Nagios

The four different vulnerabilities in Nagios XI (version 5.11.1 and lower) discovered by researchers at Outpost24 Ghost Labs Vulnerability Research are as follows:

• SQL Injection in Banner acknowledging endpoint (CVE-2023-40931)
  

Nagios XI’s “Announcement Banners” might appear benign on the surface. However, their underlying architecture harbors a critical flaw. This endpoint is susceptible to SQL Injection attacks. By manipulating the ‘id’ parameter in the POST request, a low-privilege authenticated user can gain access to a treasure trove of sensitive data, including usernames, hashed passwords, emails, API tokens, and backend tickets. The gravity of this flaw is further accentuated as it doesn’t necessitate a valid announcement banner ID for exploitation.

• SQL Injection in Host/Service Escalation in CCM (CVE-2023-40934)

The Core Configuration Manager, another integral component of Nagios XI, allows authenticated users to perform arbitrary database queries. But here’s the twist: the parameters tfFirstNotif, tfLastNotif, and tfNotifInterval are deemed trustworthy without adequate verification. Consequently, this opens the door to unauthorized database access.

• SQL Injection in Announcement Banner Settings (CVE-2023-40933)

Another announcement banner feature, another SQL Injection vulnerability. When updating banner settings, the system assumes the id parameter as trustworthy, leading to potential query manipulation by attackers. Much like the other vulnerabilities, successful exploitation can yield unrestricted database access.

• Cross-Site Scripting in Custom Logo Component (CVE-2023-40932)

Customizability is a significant selling point for many platforms, including Nagios XI, which allows users to inject a touch of personal branding via custom company logos. However, this seemingly innocuous feature has an underlying cross-site scripting vulnerability. Cybercriminals can exploit this flaw to insert malicious JavaScript code, enabling them to steal plain-text credentials or even modify page data.

All four of these vulnerabilities could allow an attacker to gain unauthorized access to sensitive data, steal credentials, or even execute arbitrary code on the affected system.

Nagios has released security patches to address all four vulnerabilities. Organizations should upgrade to the latest version of Nagios XI as soon as possible.