Security Disclosures

Reporting Security Vulnerabilities

At Nagios, we make security a priority. We strive to patch any security issues in a timely manner. We highly recommend using the latest versions available of our software. The latest versions include the security fixes that remediate the vulnerabilities shown below.

Please send security vulnerabilities found in any of the Nagios commercial products, and other security-related emails, to security@nagios.com. All non-security bug reports should be submitted through a Support Ticket or through a post on the Support Forum.

Disclosed Vulnerabilites

Below is a listing of CVEs for patched security vulnerabilities that have been disclosed for Nagios products.

Nagios XI 5.6

| CVE | Vulnerability Summary | Remediation Summary |
| --- | --- | --- |
| CVE-2019-15949 | Remote command execution as root in Nagios XI's getprofile.sh script, which runs when profiles are created via the profile component. The user must have access to edit plugins or access to the nagios user on the server. | Upgrade to Nagios XI 5.6.6 or above. |

Nagios XI 5.5

| CVE | Vulnerability Summary | Remediation Summary |
| --- | --- | --- |
| CVE-2019-9164 | Command injection vulnerability that allows a specific command to remotely execute code when creating a new autodiscovery job. Users must be authenticated and have access to autodiscovery to be able to create a new job. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9165 | SQL injection vulnerability via the API when using fusekeys and a malicious user id. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9166 | Root privilege escalation regarding permissions on config.inc.php and import_xiconfig.php, allowing non-privileged users to write to the files. This exploit requires access to the files on the server. | Upgrade to Nagios XI 5.5.11 or above. Both files should be root owned with no write permissions. |
| CVE-2019-9167 | XSS vulnerability via a payload passed in the xiwindow parameter. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9202 | Authorized remote code execution in the Nagios IM component via API key issues. | Upgrade the Nagios IM component to version 2.2.7 or above. Alternatively, remove the nagiosim component if not in use. |
| CVE-2019-9203 | Authorization bypass in the Nagios IM component allowing incidents in IM to be closed via the API. | Upgrade the Nagios IM component to version 2.2.7 or above. Alternatively, remove the nagiosim component if not in use. |
| CVE-2019-9204 | SQL injection in the Nagios IM component. | Upgrade the Nagios IM component to version 2.2.7 or above. Alternatively, remove the nagiosim component if not in use. |
| CVE-2018-20171, CVE-2018-20172 | Unauthorized XSS vulnerabilities in the rss_dashlet, related to the scripts in the Magpie RSS scripts directory being URL-accessible. | Upgrade to Nagios XI 5.5.8 or above. For immediate remediation, remove the magpierss/scripts directory from rss_dashlet. |
| CVE-2018-15708 | Unauthenticated remote code execution via command argument injection. A critical vulnerability exists in a custom version of Snoopy used in MagpieRSS which allows a remote, unauthenticated attacker to inject arbitrary arguments into a "curl" command. This can be done by requesting magpie_debug.php with a crafted value in the HTTP GET 'url' parameter. | Upgrade to Nagios XI 5.5.7 or above. For immediate remediation, remove the rss_dashlet if you are not using it. |
| CVE-2018-15709 | Authenticated command injection. The Nagios subsystem is vulnerable to command injection in many cases; an authenticated attacker may inject and execute arbitrary OS commands. Requires an authenticated user (can be non-admin). | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15710 | Local privilege escalation (to root) via command injection. An Auto Discovery script suffers from a local command injection vulnerability which can be exploited to gain root OS privileges. Requires an authenticated user with access to the Auto Discovery component. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15711 | Unauthorized API key regeneration. A low-privileged, authenticated user can force API key regeneration for any Nagios XI user (including admins). When the API key is regenerated, the new one is returned in the response body. Requires an authenticated user. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15712 | Unauthenticated persistent cross-site scripting. A persistent XSS vulnerability exists in the Nagios XI Business Process Intelligence (BPI) component's api_tool.php. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15713 | Authenticated persistent cross-site scripting. A persistent XSS vulnerability was discovered in Nagios XI in admin/users.php. Requires authentication to be exploited successfully. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15714 | Reflected cross-site scripting. A reflected XSS vulnerability exists within /usr/local/nagiosxi/html/account/checkauth.php. Requires authentication to be exploited successfully. | Upgrade to Nagios XI 5.5.7 or above. |

Nagios XI 5.4

| CVE | Vulnerability Summary | Remediation Summary |
| --- | --- | --- |
| CVE-2018-10554 | A cross-site scripting (XSS) vulnerability was discovered in Nagios XI 5.4.13 in scheduling new reports, downtime.php, ajaxhelper.php and deploynotifications. | Upgrade to Nagios XI 5.5.0 or above. |
| CVE-2018-10553 | The xiwindow parameter in Nagios XI can be used to load any web-accessible file into the iframe. These files can be accessed via Apache normally, without the use of the xiwindow URL parameter. | Keep any files that should not be accessed (or that are not PHP and session authenticated) out of the /usr/local/nagiosxi/html directory. |
| CVE-2018-8733 | Authentication bypass vulnerability in NagiosQL in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability. | Upgrade to Nagios XI 5.4.13 or above. For immediate remediation, remove the /etc/httpd/conf.d/nagiosql.conf Apache configuration file and restart Apache. |
| CVE-2018-8734, CVE-2018-10735, CVE-2018-10736, CVE-2018-10737, CVE-2018-10738 | SQL injection vulnerabilities in the legacy NagiosQL component in Nagios XI 5.2.x through 5.4.x before 5.4.13 allow an attacker to execute arbitrary SQL commands via different pages and parameters. | Upgrade to Nagios XI 5.4.13 or above. For immediate remediation, remove the /etc/httpd/conf.d/nagiosql.conf Apache configuration file and restart Apache. |
| CVE-2018-8735 | Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system (OS command injection). Requires an authenticated user with access to the CCM. | Upgrade to Nagios XI 5.4.13 or above. |
| CVE-2018-8736 | A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability to escalate to root. Requires an authenticated user with access to the CCM. | Upgrade to Nagios XI 5.4.13 or above. |

Nagios Log Server 2

| CVE | Vulnerability Summary | Remediation Summary |
| --- | --- | --- |
| CVE-2019-15898 | A reflected cross-site scripting (XSS) vulnerability was discovered in Nagios Log Server via the username on the Login page. | Update to Nagios Log Server 2.0.8 or above. |

Nagios Core 4

| CVE | Vulnerability Summary | Remediation Summary |
| --- | --- | --- |
| CVE-2018-18245 | A cross-site scripting (XSS) vulnerability was discovered in Nagios Core. It allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. The attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report containing the corresponding output. | Update to Nagios Core 4.4.3 or Nagios XI 5.5.9 or above. (You can also patch this with the Core maint branch.) |