Security Disclosures

Notice: Spring4Shell Vulnerability – Nagios does not use the Java Spring framework

Reporting Security Vulnerabilities

At Nagios, we make security a priority. We strive to patch any security issues in a timely manner. We highly recommend using the latest versions available of our software. The latest versions will include security fixes that remediate the vulnerabilites shown below.

Please send security vulnerabilities found in any of the Nagios commercial products and security related emails to security@nagios.com. All non-security related bug reports should be given through a Support Ticket or through a post on the Support Forum.

Disclosed Vulnerabilities

Below is a listing of CVEs for patched security vulnerabilities that have been disclosed for Nagios products. Product version below does not mean that the security issue is only in that product version. Upgrade to the latest version to ensure all known vulnerabilities are patched. Scroll down to see all products.

Nagios XI 5.11

CVE

CVE-2023-40931

Vulnerability Summary

SQL Injection when acknowledging an announcement banner. Details forthcoming.

Remediation Summary

Upgrade to Nagios XI 5.11.2 or above.

CVE-2023-40932

XSS in Custom Logo Component. Details forthcoming.

Upgrade to Nagios XI 5.11.2 or above.

CVE-2023-40933

SQL Injection when configuring an announcement banner. Details forthcoming.

Upgrade to Nagios XI 5.11.2 or above.

CVE-2023-40934

SQL Injection in Host/Service Escalation configuration in CCM. Details forthcoming.

Upgrade to Nagios XI 5.11.2 or above.

Nagios NCPA 2

Vulnerability Summary

The administrator login uses an insecure timing comparison. An attacker can brute-force the API token by measuring timing differences in this comparison.

Remediation Summary

Upgrade to NCPA 2.4.1 or above

Nagios XI 5.9

Vulnerability Summary

The session ID for API Authentication is generated using uniqid, which is based on the current time. An attacker can brute-force a valid session ID by guessing when a previous user authenticated against the API.

Remediation Summary

Upgrade to Nagios XI 5.9.3 or above

The “Insecure Backend Ticket” Authentication (which is disabled by default) uses an insecure timing comparison. An attacker can brute-force the admin passive by measuring timing difference in the comparison.

Upgrade to Nagios XI 5.9.3 or above

An issue was discovered in twilio_ajax_handler.php in Nagios XI 5.9.2. An attacker can force a user to visit a malicious site by using an open redirect vulnerability.

Upgrade to Nagios XI 5.9.3 or above

Nagios XI 5.8

Vulnerability Summary

Certain crafted redirect URLs on the login page could be redirected to external URLs.

Remediation Summary

Upgrade to Nagios XI 5.8.9 or above

Read-only users are able to submit a specific command to the schedule downtime page that would schedule downtimes.

Upgrade to Nagios XI 5.8.9 or above

When changing a user’s email addresses, users are not required to confirm their password which could be used to reset a user’s password via email.

Upgrade to Nagios XI 5.8.9 or above

Users could send HTML via setting the scheduled reporting message to have HTML code in it.

Upgrade to Nagios XI 5.8.9 or above

Command injection security vulnerability in the cmdsubsys.php cron job for installation of dashlets, components, and config wizards.

Upgrade to Nagios XI 5.8.9 or above

Permission security issue with file permissions for the migration script “nagios_unbundler.py” which could allow arbitrary code execution.

Upgrade to Nagios XI 5.8.9 or above

Security issue with file validation in the admin  custom includes component allowed php files to be uploaded and executed.

Upgrade to Nagios XI 5.8.6 or above or upgrade Custom Includes component to version 1.1.0 or above

XSS vulnerability in Manage My Dashboards edit dashboard title functionality.

Upgrade to Nagios XI 5.8.6 or above

SSRF in Scheduled Reports when the report url is from outside the Nagios XI system.

Upgrade to Nagios XI 5.8.6 or above

The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries.

Upgrade to Nagios XI 5.8.5 or above

The Manage Backgrounds functionality within Nagvis versions prior to 2.0.8 is vulnerable to an authenticated path traversal vulnerability. Exploitation of this results in a malicious actor having the ability to arbitrarily delete files on the local system as the apache user.

Upgrade to Nagios XI 5.8.6 or above and ensure NagVis component is 2.0.9+

The general user interface in Nagios XI versions prior to 5.8.5 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.

Upgrade to Nagios XI 5.8.5 or above

Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection).

Upgrade Switch config wizard from Admin > Manage Config Wizards to version 2.5.7 or above.

A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios.

Upgrade to Nagios XI 5.8.5 or above

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.

Upgrade to Nagios XI 5.8.5 or above

Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralisation of special elements used in an OS Command (OS Command injection).

Upgrade WatchGuard config wizard from Admin > Manage Config Wizards to version 1.4.8 or above

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.

Upgrade to Nagios XI 5.8.5 or above

Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.

Upgrade to Nagios XI 5.8.5 or above

Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database.

Upgrade to Nagios XI 5.8.5 or above

Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation.

Upgrade to Nagios XI 5.8.5 or above

Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.

Upgrade to Nagios XI 5.8.5 or above

An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link.

Upgrade to Nagios XI 5.8.5 or above

Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitation in table_population.php

Upgrade Docker config wizard from Admin > Manage Config Wizards to version 1.1.3 or above

Local privilege escalation due to insecure permissions of the migrate.php and the repairmysql.sh files.

Upgrade to Nagios XI 5.8.5 or above

Local privilege escalation due to wildcard expansion in backup_xi.sh and manage_services.sh files.

Upgrade to Nagios XI 5.8.5 or above

Nagios XI 5.7

Vulnerability Summary

XSS vulnerability in the SSH Terminal page.

Remediation Summary

Upgrade to Nagios XI 5.8.0 or above

OS command injection as the apache user through variables passed into the Config Wizard.

Upgrade the Cloud-VM config wizard from Admin > Manage Config Wizards to version 1.0.4 or above

OS command injection as the apache user through variables passed into the Config Wizard.

Upgrade the Switch config wizard from Admin > Manage Config Wizards to version 2.5.4 or above

OS command injection as the apache user through variables passed into the Config Wizard.

Upgrade the Windows WMI config wizard from Admin > Manage Config Wizards to version 2.2.3 or above

Unauthenticated remote code execution (RCE) vulnerability as the apache user in Nagios XI in the Docker config wizard.

Upgrade the Docker config wizard from Admin > Manage Config Wizards to version 1.1.2 or above

XSS vulnerability and IDOR allowing users to add a favorite to other users security vulnerability in Favorites component.

Upgrade the Favorites component from Admin > Manage Components to version 1.0.2 or above

Remote code execution (RCE) vulnerability in Nagios XI in Manage Plugins page when uploading plugin with option to convert line endings.

Upgrade to Nagios XI 5.8.0 or above

Creation of a Temporary Directory with Insecure Permissions allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.

Upgrade to Nagios XI 5.8.4 or above for full changes

Remote code execution (RCE) from improper input validation in the Auto-Discovery component allows an authenticated attacker to execute remote code.

Upgrade to Nagios XI 5.7.5 or above

Cross-site request forgery (CSRF) vulnerabilities in Nagios XI for SNMP Trap Sender and Manage MIBs admin pages.

Upgrade to Nagios XI 5.7.4 or above

An OS command injection vulnerability in the Admin Manage MIBs page. A remote, authenticated attacker with admin privileges may exploit this vulnerability to execute arbitrary OS commands with privileges of the ‘apache’ user.

Upgrade to Nagios XI 5.7.4 or above

An OS command argument injection vulnerability in the Send Custom Trap command in the SNMP Trap Interface.

Upgrade to Nagios XI 5.7.4 or above

Privilege escalation as user nagios to root in backend scripts that are run as root user due to permissions and included files.

Upgrade to Nagios XI 5.7.3 or above

Remote code execution as authenticated user in ajaxhelper.php allows remote attackers to execute arbitrary commands via cmdsubsys.

Upgrade to Nagios XI 5.7.2 or above

XSS vulnerability in Graph Explorer via the link url option.

Upgrade to Nagios XI 5.7.2 or above

The “Insecure Backend Ticket” Authentication (which is disabled by default) uses an insecure timing comparison. An attacker can brute-force the admin passive by measuring timing difference in the comparison.

Upgrade to Nagios XI 5.9.3 or above

An issue was discovered in twilio_ajax_handler.php in Nagios XI 5.9.2. An attacker can force a user to visit a malicious site by using an open redirect vulnerability.

Upgrade to Nagios XI 5.9.3 or above

Read-only users are able to submit a specific command to the schedule downtime page that would schedule downtimes.

Upgrade to Nagios XI 5.8.9 or above

When changing a user’s email addresses, users are not required to confirm their password which could be used to reset a user’s password via email.

Upgrade to Nagios XI 5.8.9 or above

Users could send HTML via setting the scheduled reporting message to have HTML code in it.

Upgrade to Nagios XI 5.8.9 or above

Command injection security vulnerability in the cmdsubsys.php cron job for installation of dashlets, components, and config wizards.

Upgrade to Nagios XI 5.8.9 or above

Permission security issue with file permissions for the migration script “nagios_unbundler.py” which could allow arbitrary code execution.

Upgrade to Nagios XI 5.8.9 or above

Security issue with file validation in the admin  custom includes component allowed php files to be uploaded and executed.

Upgrade to Nagios XI 5.8.6 or above or upgrade Custom Includes component to version 1.1.0 or above

XSS vulnerability in Manage My Dashboards edit dashboard title functionality.

Upgrade to Nagios XI 5.8.6 or above

SSRF in Scheduled Reports when the report url is from outside the Nagios XI system.

Upgrade to Nagios XI 5.8.6 or above

The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries.

Upgrade to Nagios XI 5.8.5 or above

The Manage Backgrounds functionality within Nagvis versions prior to 2.0.8 is vulnerable to an authenticated path traversal vulnerability. Exploitation of this results in a malicious actor having the ability to arbitrarily delete files on the local system as the apache user.

Upgrade to Nagios XI 5.8.6 or above and ensure NagVis component is 2.0.9+

Nagios XI 5.6

Vulnerability Summary

Possible postauth SQL injection in the SNMP Trap Interface page. User must have administrative privileges to access.

Remediation Summary

Upgrade to Nagios XI 5.6.14 or above

Authenticated remote execution vulnerability in command_test.php script using the address paramater. User must have access to the CCM to access.

Upgrade to Nagios XI 5.6.14 or above

Authenticated remote code execution vulnerabilitiy in export-rrd.php in start, end, or step parameter.

Upgrade to Nagios XI 5.6.14 or above

XSS vulnerability as an authenticated user via the account/main.php theme parameter.

Upgrade to Nagios XI 5.6.13 or above

XSS vulnerability as an authenticated administrator via the LDAP/AD component username and password parameters.

Upgrade to Nagios XI 5.6.13 or above

Remote command execution as authenticated user. The user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

Upgrade to Nagios XI 5.6.10 or above

XSS vulnerability exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. An authenticated user can use this method of attack against any user.

Upgrade the Operations Center component from Admin > Manage Components to version 1.3.3 or above

Remote command execution as root vulnerability in Nagios XI’s getprofile.sh script. The script runs when profiles are created via the profile component. User must have access to edit plugins or access to the nagios user on the server.

Upgrade to Nagios XI 5.6.6 or above

Nagios XI 5.5

Vulnerability Summary

Command Injection vulnerability that allows specific command to remotely execute code when making a new autodiscovery job. Users must be authenticated and have access to autodiscovery to be able to execute a new job.

Remediation Summary

Upgrade to Nagios XI 5.5.11 or above

SQL Injection vulnerability via the API when using fusekeys and malicious user id.

Upgrade to Nagios XI 5.5.11 or above

Root Privilege Escalation rearding permissions on config.inc.php and import_xiconfig.php allowing non-priviledged users to write to the files. This exploit requires access to the files on the server. Both files should be root owned with no write permissions.

Upgrade to Nagios XI 5.5.11 or above

XSS vulnerability that can be passed in using the xiwindow parameter.

Upgrade to Nagios XI 5.5.11 or above

Authorized remote code execution in Nagios IM component via API key issues.

Upgrade Nagios IM component to version 2.2.7 or above. 
Alternatively, remove the nagiosim component if not in use.

Authorization bypass in Nagios IM component allowing closing incidents in IM via the API.

Upgrade Nagios IM component to version 2.2.7 or above. 
Alternatively, remove the nagiosim component if not in use.

SQL Injection in Nagios IM component.

Upgrade Nagios IM component to version 2.2.7 or above. Alternatively, remove the nagiosim component if not in use.

Unauthorized XSS vulnerabilities in the rss_dashlet. This is related to the scripts in being URL-accessible from the Magpie RSS scripts scripts directory.

Upgrade to Nagios XI 5.5.8 or above. 
For immediate remediation remove the magpierss/scripts directory from rss_dashlet.

Unauthenticated Remote Code Execution via Command Argument Injection. A critical vulnerability exists in a custom version of Snoopy being used in MagpieRSS which allows a remote, unauthenticated attacker to inject arbitrary arguments into a “curl” command. This can be done by requesting magpie_debug.php with a crafted value specified in the HTTP GET ‘url’ parameter.

Upgrade to Nagios XI 5.5.7 or above. 
For immediate remediation remove the rss_dashlet if you are not using it.

Authenticated Command Injection. The Nagios subsystem is vulnerable to command injection in many cases. An authenticated attacker may inject and execute arbitrary OS commands. Must be an authenticated user (can be non-admin).

Upgrade to Nagios XI 5.5.7 or above

Local Privilege Escalation (to root) via Command Injection. An Auto Discovery script suffers from a local command injection vulnerability which can be exploited to gain
root OS privileges. Must be authenticated user with access to Auto Discovery component.

Upgrade to Nagios XI 5.5.7 or above

Unauthorized API Key Regeneration. An low-privileged, authenticated user can force API key regeneration for any Nagios XI user (including admins). When the API key is regenerated, the new one is returned in the response body. Must be authenticated user.

Upgrade to Nagios XI 5.5.7 or above

Unauthenticated Persistent Cross-site Scripting. A persistent cross-site scripting (XSS) vulnerability exists in the Nagios XI Business Process Intelligence (BPI) component’s api_tool.php.

Upgrade to Nagios XI 5.5.7 or above

Authenticated Persistent Cross-site Scripting. A persistent cross-site scripting vulnerability was discovered in Nagios XI in admin/users.php. This vulnerability requires authentication to be exploited successfully.

Upgrade to Nagios XI 5.5.7 or above

Reflected Cross-site Scripting. A reflected cross-site scripting vulnerability exists within /usr/local/nagiosxi/html/account/checkauth.php. This vulnerability requires authentication to be exploited successfully.

Upgrade to Nagios XI 5.5.7 or above

A cross-site scripting (XSS) vulnerability exists in the auto login admin management page.

Upgrade to Nagios XI 5.5.5 or above

Nagios XI 5.4

Vulnerability Summary

An Cross Site Scripting vulernability (XSS) was discovered in Nagios XI 5.4.13 in scheduling new reports, downtime.php, ajaxhelper.php and deploynotifications.

Remediation Summary

Upgrade to Nagios XI 5.5.0 or above

The xiwindow parameter in Nagios XI can be used to load any web-accessible files into the iframe. These files can be accessed via apache normally, without the use of the xiwindow URL parameter.

Avoid keeping any files that should not be accessed (or are not PHP and session authenticated) out of the /usr/local/nagiosxi/html directory

Authentication bypass vulnerability in NagiosQL in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.

Upgrade to Nagios XI 5.4.13 or above. 
For immidiate remediation, remove the /etc/httpd/conf.d/nagiosql.conf apache configuration file and restart apache.

SQL injection vulnerabilities in the legacy NagiosQL component in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via different pages and parameters.

Upgrade to Nagios XI 5.4.13 or above. 
For immidiate remediation, remove the /etc/httpd/conf.d/nagiosql.conf apache configuration file and restart apache.

Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection. Attack requires an authenticated user with access to the CCM.

Upgrade to Nagios XI 5.4.13 or above

A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root. Attack requires an authenticated user with access to the CCM.

Upgrade to Nagios XI 5.4.13 or above

Nagios Fusion 4

Vulnerability Summary

XSS vulnerabilities in data that is displayed in dashboard and dashlets.

Remediation Summary

Update to Nagios Fusion 4.1.9 or above

Authenticated remote code execution (from the context of low-privileges user) in table pagination.

Update to Nagios Fusion 4.1.9 or above

Privilege escalation from apache to nagios via command injection on timezone parameter in cmd_subsys.php.

Update to Nagios Fusion 4.1.9 or above

Privilege escalation from apache to nagios via command injection on component_dir parameter in cmd_subsys.php.

Update to Nagios Fusion 4.1.9 or above

Privilege escalation from apache to nagios via installation of malicious component.

Update to Nagios Fusion 4.1.9 or above

Privilege escalation from nagios to root via upgrade_to_latest.sh.

Update to Nagios Fusion 4.1.9 or above

Privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config.

Update to Nagios Fusion 4.1.9 or above

Privilege escalation from nagios to root via modification of fusion-sys.cfg.

Update to Nagios Fusion 4.1.9 or above

Privilege escalation from nagios to root via modification of scripts that can execute as sudo.

Update to Nagios Fusion 4.1.9 or above

Privilege escalation from apache to nagios via command injection in cmd_subsys.php.

Update to Nagios Fusion 4.1.9 or above

Lower priviledged user can authenticate to fused server when credentials are stored.

Update to Nagios Fusion 4.1.9 or above

Nagios Network Analyzer 2

Vulnerability Summary

A SQL injection in the API Sources endpoint.

Remediation Summary

Update to Nagios Network Analyzer 2.4.3 and above

A XSS vulnerability has been discovered the Queries page.

Update to Nagios Network Analyzer 2.4.3 and above

Nagios Log Server 2

Vulnerability Summary

A reflected (XSS) vulnerability has been discovered in Nagios Log Server via the username on the Login page.

Remediation Summary

Update to Nagios Log Server 2.0.8 and above

A reflected (XSS) vulnerability has been discovered in Nagios Log Server via the Notification Methods on the Alerts page.

Update to Nagios Log Server 2.1.7 and above

Nagios Core 4

Vulnerability Summary

A cross-site scripting (XSS) vulnerability has been discovered in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output.
In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output.

Remediation Summary

Update to Nagios Core 4.4.3 or Nagios XI 5.5.9 and above
(You can also patch this with Core maint branch)

We value your privacy

We use Cookies to enhance your experience. They allow us to analyze user behavior in order to improve our website.

Our site uses Cookies to improve your experience. By using it, you agree to Cookie usage.