Reporting Security Vulnerabilities
At Nagios, we make security a priority. We strive to patch any security issues in a timely manner. We highly recommend using the latest versions available of our software. The latest versions will include security fixes that remediate the vulnerabilites shown below.
Please send security vulnerabilites found in any of the Nagios commercial products and security related emails to security@nagios.com. All non-security related bug reports should be given through a Support Ticket or through a post on the Support Forum.
Disclosed Vulnerabilites
Below is a listing of CVEs for patched security vulnurabilites that have been disclosed for Nagios products.
Nagios XI 5.6
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2019-15949 | Remote command execution as root vulnerability in Nagios XI’s getprofile.sh script. The script runs when profiles are created via the profile component. User must have access to edit plugins or access to the nagios user on the server. | Upgrade to Nagios XI 5.6.6 or above. |
Nagios XI 5.5
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2019-9164 | Command Injection vulnerability that allows specific command to remotely execute code when making a new autodiscovery job. Users must be authenticated and have access to autodiscovery to be able to execute a new job. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9165 | SQL Injection vulnerability via the API when using fusekeys and malicious user id. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9166 | Root Priviledge Escalation rearding permissions on config.inc.php and import_xiconfig.php allowing non-priviledged users to write to the files. This exploit requires access to the files on the server. Both files should be root owned with no write permissions. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9167 | XSS vulnerability that can be passed in using the xiwindow parameter. | Upgrade to Nagios XI 5.5.11 or above. |
| CVE-2019-9202 | Authorized remote code execution in Nagios IM component via API key issues. | Upgrade Nagios IM component to version 2.2.7 or above.
Alternatively, remove the nagiosim component if not in use. |
| CVE-2019-9203 | Authorization bypass in Nagios IM component allowing closing incidents in IM via the API. | Upgrade Nagios IM component to version 2.2.7 or above.
Alternatively, remove the nagiosim component if not in use. |
| CVE-2019-9204 | SQL Injection in Nagios IM component. | Upgrade Nagios IM component to version 2.2.7 or above.
Alternatively, remove the nagiosim component if not in use. |
| CVE-2018-20171 CVE-2018-20172 |
Unauthorized XSS vulnerabilities in the rss_dashlet. This is related to the scripts in being URL-accessible from the Magpie RSS scripts scripts directory. | Upgrade to Nagios XI 5.5.8 or above.
For immediate remediation remove the magpierss/scripts directory from rss_dashlet. |
| CVE-2018-15708 | Unauthenticated Remote Code Execution via Command Argument Injection. A critical vulnerability exists in a custom version of Snoopy being used in MagpieRSS which allows a remote, unauthenticated attacker to inject arbitrary arguments into a “curl” command. This can be done by requesting magpie_debug.php with a crafted value specified in the HTTP GET ‘url’ parameter. | Upgrade to Nagios XI 5.5.7 or above.
For immediate remediation remove the rss_dashlet if you are not using it. |
| CVE-2018-15709 | Authenticated Command Injection. The Nagios subsystem is vulnerable to command injection in many cases. An authenticated attacker may inject and execute arbitrary OS commands. Must be an authenticated user (can be non-admin). | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15710 | Local Privilege Escalation (to root) via Command Injection. An Auto Discovery script suffers from a local command injection vulnerability which can be exploited to gain root OS privileges. Must be authenticated user with access to Auto Discovery component. |
Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15711 | Unauthorized API Key Regeneration. An low-privileged, authenticated user can force API key regeneration for any Nagios XI user (including admins). When the API key is regenerated, the new one is returned in the response body. Must be authenticated user. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15712 | Unauthenticated Persistent Cross-site Scripting. A persistent cross-site scripting (XSS) vulnerability exists in the Nagios XI Business Process Intelligence (BPI) component’s api_tool.php. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15713 | Authenticated Persistent Cross-site Scripting. A persistent cross-site scripting vulnerability was discovered in Nagios XI in admin/users.php. This vulnerability requires authentication to be exploited successfully. | Upgrade to Nagios XI 5.5.7 or above. |
| CVE-2018-15714 | Reflected Cross-site Scripting. A reflected cross-site scripting vulnerability exists within /usr/local/nagiosxi/html/account/checkauth.php. This vulnerability requires authentication to be exploited successfully. | Upgrade to Nagios XI 5.5.7 or above. |
Nagios XI 5.4
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2018-10554 | An Cross Site Scripting vulernability (XSS) was discovered in Nagios XI 5.4.13 in scheduling new reports, downtime.php, ajaxhelper.php and deploynotifications. | Upgrade to Nagios XI 5.5.0 or above. |
| CVE-2018-10553 | The xiwindow parameter in Nagios XI can be used to load any web-accessible files into the iframe. These files can be accessed via apache normally, without the use of the xiwindow URL parameter. | Avoid keeping any files that should not be accessed (or are not PHP and session authenticated) out of the /usr/local/nagiosxi/html directory. |
| CVE-2018-8733 | Authentication bypass vulnerability in NagiosQL in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability. | Upgrade to Nagios XI 5.4.13 or above.
For immidiate remediation, remove the /etc/httpd/conf.d/nagiosql.conf apache configuration file and restart apache. |
| CVE-2018-8734 CVE-2018-10735 CVE-2018-10736 CVE-2018-10737 CVE-2018-10738 |
SQL injection vulnerabilities in the legacy NagiosQL component in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via different pages and parameters. | Upgrade to Nagios XI 5.4.13 or above.
For immidiate remediation, remove the /etc/httpd/conf.d/nagiosql.conf apache configuration file and restart apache. |
| CVE-2018-8735 | Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection. Attack requires an authenticated user with access to the CCM. | Upgrade to Nagios XI 5.4.13 or above. |
| CVE-2018-8736 | A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root. Attack requires an authenticated user with access to the CCM. | Upgrade to Nagios XI 5.4.13 or above. |
Nagios Log Server 2
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2019-15898 | A reflected (XSS) vulnerability has been discovered in Nagios Log Server via the username on the Login page. | Update to Nagios Log Server 2.0.8 and above |
Nagios Core 4
| CVE | Vulnerability Summary | Remediation Summary |
|---|---|---|
| CVE-2018-18245 | A cross-site scripting (XSS) vulnerability has been discovered in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output. |
Update to Nagios Core 4.4.3 or Nagios XI 5.5.9 and above (You can also patch this with Core maint branch) |