Notice: Spring4Shell Vulnerability – Nagios does not use the Java Spring framework
Notice: Our response to CVE-2021-44228 and log4j in Nagios products
Reporting Security Vulnerabilities
At Nagios, we make security a priority. We strive to patch any security issues in a timely manner. We highly recommend using the latest versions available of our software. The latest versions will include security fixes that remediate the vulnerabilites shown below.
Please send security vulnerabilities found in any of the Nagios commercial products and security related emails to security@nagios.com. All non-security related bug reports should be given through a Support Ticket or through a post on the Support Forum.
Disclosed Vulnerabilites
Below is a listing of CVEs for patched security vulnurabilites that have been disclosed for Nagios products. Product version below does not mean that the security issue is only in that product version. Upgrade to the latest version to ensure all known vulnerabilities are patched. Scroll down to see all products.
Nagios NCPA 2
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2023-24037 | The administrator login uses an insecure timing comparison. An attacker can brute-force the API token by measuring timing differences in this comparison. | Upgrade to NCPA 2.4.1 or above. |
Nagios XI 5.9
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2023-24036 | The session ID for API Authentication is generated using uniqid, which is based on the current time. An attacker can brute-force a valid session ID by guessing when a previous user authenticated against the API. | Upgrade to Nagios XI 5.9.3 or above |
| CVE-2023-24035 | The “Insecure Backend Ticket” Authentication (which is disabled by default) uses an insecure timing comparison. An attacker can brute-force the admin passive by measuring timing difference in the comparison. | Upgrade to Nagios XI 5.9.3 or above |
| CVE-2023-24034 | An issue was discovered in twilio_ajax_handler.php in Nagios XI 5.9.2. An attacker can force a user to visit a malicious site by using an open redirect vulnerability. | Upgrade to Nagios XI 5.9.3 or above |
Nagios XI 5.8
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2022-29272 | Certain crafted redirect URLs on the login page could be redirected to external URLs. | Upgrade to Nagios XI 5.8.9 or above |
| CVE-2022-29271 | Read-only users are able to submit a specific command to the schedule downtime page that would schedule downtimes. | Upgrade to Nagios XI 5.8.9 or above |
| CVE-2022-29270 | When changing a user’s email addresses, users are not required to confirm their password which could be used to reset a user’s password via email. | Upgrade to Nagios XI 5.8.9 or above |
| CVE-2022-29269 | Users could send HTML via setting the scheduled reporting message to have HTML code in it. | Upgrade to Nagios XI 5.8.9 or above |
| CVE-2021-40345 | Command injection security vulnerability in the cmdsubsys.php cron job for installation of dashlets, components, and config wizards. | Upgrade to Nagios XI 5.8.6 or above |
| CVE-2021-40343 | Permission security issue with file permissions for the migration script “nagios_unbundler.py” which could allow arbitrary code execution. | Upgrade to Nagios XI 5.8.6 or above |
| CVE-2021-40344 | Security issue with file validation in the admin custom includes component allowed php files to be uploaded and executed. | Upgrade to Nagios XI 5.8.6 or above or upgrade Custom Includes component to version 1.1.0 or above |
| CVE-2021-38156 | XSS vulnerability in Manage My Dashboards edit dashboard title functionality. | Upgrade to Nagios XI 5.8.6 or above |
| CVE-2021-37223 | SSRF in Scheduled Reports when the report url is from outside the Nagios XI system. | Upgrade to Nagios XI 5.8.6 or above |
| CVE-2021-33177 | The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-33178 | The Manage Backgrounds functionality within Nagvis versions prior to 2.0.8 is vulnerable to an authenticated path traversal vulnerability. Exploitation of this results in a malicious actor having the ability to arbitrarily delete files on the local system as the apache user. | Upgrade to Nagios XI 5.8.6 or above and ensure NagVis component is 2.0.9+ |
| CVE-2021-33179 | The general user interface in Nagios XI versions prior to 5.8.5 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-37344 | Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection). | Upgrade Switch config wizard from Admin > Manage Config Wizards to version 2.5.7 or above. |
| CVE-2021-37343 | A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-37345 | Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-37346 | Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralisation of special elements used in an OS Command (OS Command injection). | Upgrade WatchGuard config wizard from Admin > Manage Config Wizards to version 1.4.8 or above. |
| CVE-2021-37347 | Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-37348 | Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-37349 | Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-37350 | Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-37351 | Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-37352 | An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-37353 | Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitation in table_population.php | Upgrade Docker config wizard from Admin > Manage Config Wizards to version 1.1.3 or above. |
| CVE-2021-36363 CVE-2021-36365 |
Local privilege escalation due to insecure permissions of the migrate.php and the repairmysql.sh files. | Upgrade to Nagios XI 5.8.5 or above |
| CVE-2021-36364 CVE-2021-36366 |
Local privilege escalation due to wildcard expansion in backup_xi.sh and manage_services.sh files. | Upgrade to Nagios XI 5.8.5 or above |
Nagios XI 5.7
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2021-25299 | XSS vulnerability in the SSH Terminal page. | Upgrade to Nagios XI 5.8.0 or above |
| CVE-2021-25298 | OS command injection as the apache user through variables passed into the Config Wizard. | Upgrade the Cloud-VM config wizard from Admin > Manage Config Wizards to version 1.0.4 or above. |
| CVE-2021-25297 | OS command injection as the apache user through variables passed into the Config Wizard. | Upgrade the Switch config wizard from Admin > Manage Config Wizards to version 2.5.4 or above. |
| CVE-2021-25296 | OS command injection as the apache user through variables passed into the Config Wizard. | Upgrade the Windows WMI config wizard from Admin > Manage Config Wizards to version 2.2.3 or above. |
| CVE-2021-3193 | Unauthenticated remote code execution (RCE) vulnerability as the apache user in Nagios XI in the Docker config wizard. | Upgrade the Docker config wizard from Admin > Manage Config Wizards to version 1.1.2 or above. |
| CVE-2021-26023 CVE-2021-26024 |
XSS vulnerability and IDOR allowing users to add a favorite to other users security vulnerability in Favorites component. | Upgrade the Favorites component from Admin > Manage Components to version 1.0.2 or above. |
| CVE-2020-35578 | Remote code execution (RCE) vulnerability in Nagios XI in Manage Plugins page when uploading plugin with option to convert line endings. | Upgrade to Nagios XI 5.8.0 or above. |
| CVE-2020-28910 | Creation of a Temporary Directory with Insecure Permissions allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh. | Upgrade to Nagios XI 5.8.4 or above for full changes. |
| CVE-2020-28648 | Remote code execution (RCE) from improper input validation in the Auto-Discovery component allows an authenticated attacker to execute remote code. | Upgrade to Nagios XI 5.7.5 or above. |
| CVE-2020-5790 | Cross-site request forgery (CSRF) vulnerabilities in Nagios XI for SNMP Trap Sender and Manage MIBs admin pages. | Upgrade to Nagios XI 5.7.4 or above. |
| CVE-2020-5791 | An OS command injection vulnerability in the Admin Manage MIBs page. A remote, authenticated attacker with admin privileges may exploit this vulnerability to execute arbitrary OS commands with privileges of the ‘apache’ user. | Upgrade to Nagios XI 5.7.4 or above. |
| CVE-2020-5792 | An OS command argument injection vulnerability in the Send Custom Trap command in the SNMP Trap Interface. | Upgrade to Nagios XI 5.7.4 or above. |
| CVE-2020-15903 | Privilege escalation as user nagios to root in backend scripts that are run as root user due to permissions and included files. | Upgrade to Nagios XI 5.7.3 or above. |
| CVE-2020-15901 | Remote code execution as authenticated user in ajaxhelper.php allows remote attackers to execute arbitrary commands via cmdsubsys. | Upgrade to Nagios XI 5.7.2 or above. |
| CVE-2020-15902 | XSS vulnerability in Graph Explorer via the link url option. | Upgrade to Nagios XI 5.7.2 or above. |
Nagios XI 5.6
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| X-Force 179406 | Possible postauth SQL injection in the SNMP Trap Interface page. User must have administative privliges to access. | Upgrade to Nagios XI 5.6.14 or above. |
| X-Force 179405 | Authenticated remote execution vulnerability in command_test.php script using the address paramater. User must have access to the CCM to access. | Upgrade to Nagios XI 5.6.14 or above. |
| X-Force 179404 | Authenticated remote code execution vulnerabilitiy in export-rrd.php in start, end, or step parameter. | Upgrade to Nagios XI 5.6.14 or above. |
| CVE-2020-10821 | XSS vulnerability as an authenticated user via the account/main.php theme parameter. | Upgrade to Nagios XI 5.6.13 or above. |
| CVE-2020-10819 CVE-2020-10820 |
XSS vulnerability as an authenticated administrator via the LDAP/AD component username and password parameters. | Upgrade to Nagios XI 5.6.13 or above. |
| CVE-2019-20197 | Remote command execution as authenticated user. The user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account. | Upgrade to Nagios XI 5.6.10 or above. |
| CVE-2019-20139 | XSS vulnerability exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. An authenticated user can use this method of attack against any user. | Upgrade the Operations Center component from Admin > Manage Components to version 1.3.3 or above. |
| CVE-2019-15949 | Remote command execution as root vulnerability in Nagios XI’s getprofile.sh script. The script runs when profiles are created via the profile component. User must have access to edit plugins or access to the nagios user on the server. | Upgrade to Nagios XI 5.6.6 or above. |
Nagios XI 5.5
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2019-9164 | Command Injection vulnerability that allows specific command to remotely execute code when making a new autodiscovery job. Users must be authenticated and have access to autodiscovery to be able to execute a new job. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9165 | SQL Injection vulnerability via the API when using fusekeys and malicious user id. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9166 | Root Priviledge Escalation rearding permissions on config.inc.php and import_xiconfig.php allowing non-priviledged users to write to the files. This exploit requires access to the files on the server. Both files should be root owned with no write permissions. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9167 | XSS vulnerability that can be passed in using the xiwindow parameter. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9202 | Authorized remote code execution in Nagios IM component via API key issues. | Upgrade Nagios IM component to version 2.2.7 or above.
Alternatively, remove the nagiosim component if not in use. |
| CVE-2019-9203 | Authorization bypass in Nagios IM component allowing closing incidents in IM via the API. | Upgrade Nagios IM component to version 2.2.7 or above.
Alternatively, remove the nagiosim component if not in use. |
| CVE-2019-9204 | SQL Injection in Nagios IM component. | Upgrade Nagios IM component to version 2.2.7 or above.
Alternatively, remove the nagiosim component if not in use. |
| CVE-2018-20171 CVE-2018-20172 |
Unauthorized XSS vulnerabilities in the rss_dashlet. This is related to the scripts in being URL-accessible from the Magpie RSS scripts scripts directory. | Upgrade to Nagios XI 5.5.8 or above.
For immediate remediation remove the magpierss/scripts directory from rss_dashlet. |
| CVE-2018-15708 | Unauthenticated Remote Code Execution via Command Argument Injection. A critical vulnerability exists in a custom version of Snoopy being used in MagpieRSS which allows a remote, unauthenticated attacker to inject arbitrary arguments into a “curl” command. This can be done by requesting magpie_debug.php with a crafted value specified in the HTTP GET ‘url’ parameter. | Upgrade to Nagios XI 5.5.7 or above.
For immediate remediation remove the rss_dashlet if you are not using it. |
| CVE-2018-15709 | Authenticated Command Injection. The Nagios subsystem is vulnerable to command injection in many cases. An authenticated attacker may inject and execute arbitrary OS commands. Must be an authenticated user (can be non-admin). | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15710 | Local Privilege Escalation (to root) via Command Injection. An Auto Discovery script suffers from a local command injection vulnerability which can be exploited to gain root OS privileges. Must be authenticated user with access to Auto Discovery component. |
Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15711 | Unauthorized API Key Regeneration. An low-privileged, authenticated user can force API key regeneration for any Nagios XI user (including admins). When the API key is regenerated, the new one is returned in the response body. Must be authenticated user. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15712 | Unauthenticated Persistent Cross-site Scripting. A persistent cross-site scripting (XSS) vulnerability exists in the Nagios XI Business Process Intelligence (BPI) component’s api_tool.php. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15713 | Authenticated Persistent Cross-site Scripting. A persistent cross-site scripting vulnerability was discovered in Nagios XI in admin/users.php. This vulnerability requires authentication to be exploited successfully. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15714 | Reflected Cross-site Scripting. A reflected cross-site scripting vulnerability exists within /usr/local/nagiosxi/html/account/checkauth.php. This vulnerability requires authentication to be exploited successfully. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-17147 | A cross-site scripting (XSS) vulnerability exists in the auto login admin management page. | Upgrade to Nagios XI 5.5.5 or above. |
Nagios XI 5.4
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2018-10554 | An Cross Site Scripting vulernability (XSS) was discovered in Nagios XI 5.4.13 in scheduling new reports, downtime.php, ajaxhelper.php and deploynotifications. | Upgrade to Nagios XI 5.5.0 or above. |
| CVE-2018-10553 | The xiwindow parameter in Nagios XI can be used to load any web-accessible files into the iframe. These files can be accessed via apache normally, without the use of the xiwindow URL parameter. | Avoid keeping any files that should not be accessed (or are not PHP and session authenticated) out of the /usr/local/nagiosxi/html directory. |
| CVE-2018-8733 | Authentication bypass vulnerability in NagiosQL in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability. | Upgrade to Nagios XI 5.4.13 or above.
For immidiate remediation, remove the /etc/httpd/conf.d/nagiosql.conf apache configuration file and restart apache. |
| CVE-2018-8734 CVE-2018-10735 CVE-2018-10736 CVE-2018-10737 CVE-2018-10738 |
SQL injection vulnerabilities in the legacy NagiosQL component in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via different pages and parameters. | Upgrade to Nagios XI 5.4.13 or above.
For immidiate remediation, remove the /etc/httpd/conf.d/nagiosql.conf apache configuration file and restart apache. |
| CVE-2018-8735 | Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection. Attack requires an authenticated user with access to the CCM. | Upgrade to Nagios XI 5.4.13 or above. |
| CVE-2018-8736 | A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root. Attack requires an authenticated user with access to the CCM. | Upgrade to Nagios XI 5.4.13 or above. |
Nagios Fusion 4
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2020-28903 | XSS vulnerabilities in data that is displayed in dashboard and dashlets. | Update to Nagios Fusion 4.1.9 or above |
| CVE-2020-28905 | Authenticated remote code execution (from the context of low-privileges user) in table pagination. | Update to Nagios Fusion 4.1.9 or above |
| CVE-2020-28902 | Privilege escalation from apache to nagios via command injection on timezone parameter in cmd_subsys.php. | Update to Nagios Fusion 4.1.9 or above |
| CVE-2020-28901 | Privilege escalation from apache to nagios via command injection on component_dir parameter in cmd_subsys.php. | Update to Nagios Fusion 4.1.9 or above |
| CVE-2020-28904 | Privilege escalation from apache to nagios via installation of malicious component. | Update to Nagios Fusion 4.1.9 or above |
| CVE-2020-28900 | Privilege escalation from nagios to root via upgrade_to_latest.sh. | Update to Nagios Fusion 4.1.9 or above |
| CVE-2020-28907 | Privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config. | Update to Nagios Fusion 4.1.9 or above |
| CVE-2020-28906 | Privilege escalation from nagios to root via modification of fusion-sys.cfg. | Update to Nagios Fusion 4.1.9 or above |
| CVE-2020-28909 | Privilege escalation from nagios to root via modification of scripts that can execute as sudo. | Update to Nagios Fusion 4.1.9 or above |
| CVE-2020-28908 | Privilege escalation from apache to nagios via command injection in cmd_subsys.php. | Update to Nagios Fusion 4.1.9 or above |
| CVE-2020-28911 | Lower priviledged user can authenticate to fused server when credentials are stored. | Update to Nagios Fusion 4.1.9 or above |
Nagios Network Analyzer 2
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2021-28925 | A SQL injection in the API Sources endpoint. | Update to Nagios Network Analyzer 2.4.3 and above |
| CVE-2021-28924 | A XSS vulnerability has been discovered the Queries page. | Update to Nagios Network Analyzer 2.4.3 and above |
Nagios Log Server 2
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2019-15898 | A reflected (XSS) vulnerability has been discovered in Nagios Log Server via the username on the Login page. | Update to Nagios Log Server 2.0.8 and above |
| CVE-2020-16157 | A reflected (XSS) vulnerability has been discovered in Nagios Log Server via the Notification Methods on the Alerts page. | Update to Nagios Log Server 2.1.7 and above |
Nagios Core 4
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2018-18245 | A cross-site scripting (XSS) vulnerability has been discovered in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output. |
Update to Nagios Core 4.4.3 or Nagios XI 5.5.9 and above (You can also patch this with Core maint branch) |