Black Duck Cybersecurity Research Center (CyRC) research has exposed three separate vulnerabilities in Nagios XI. Nagios XI is a widely used application, service, and network monitoring product that has privileged access to network and server configuration and reporting.
The issues are:
CVE-2021-33177: Nagios XI versions prior to 5.8.5.
CVE-2021-33178: Nagios XI versions prior to 5.8.6, via the NagVis plugin. The vulnerability is not in the Nagios XI code itself, but the plugin is installed by default. It is present in NagVis plugin versions prior to 2.0.9; this component can be upgraded independently to version 2.0.9 or later, or uninstalled if it is not required.
CVE-2021-33179: Nagios XI versions prior to 5.8.4.
CVE-2021-33177
An authenticated user with access to the bulk modifications tool, such as admin, can inject arbitrary SQL into an UPDATE statement. In the default configuration, this allows execution of arbitrary PostgreSQL functions.
CVSS 3.1 base score: 5.2 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C
CVE-2021-33178
An authenticated user with access to the NagVis ManageBackgrounds endpoint, such as admin, can delete arbitrary files on the server limited by the rights of the Apache server effective user.
CVSS 3.1 base score: 4.5 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CVE-2021-33179
If a user clicks a malicious URL, it can execute arbitrary JavaScript code in the victim's browser with all Nagios XI local session data available to it.
CVSS 3.1 base score: 4.3 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVE-2021-33177
Upgrade to Nagios XI 5.8.5 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log
CVE-2021-33178
If NagVis is installed as the Nagios XI plugin: Upgrade the NagVis plugin to version 2.0.9 or later. This version of the NagVis plugin is bundled with Nagios XI version 5.8.6 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log
If NagVis was acquired directly from the NagVis project: Upgrade NagVis to version 1.9.29 or later. See release notes: http://nagvis.org/downloads/changelog/1.9.29
CVE-2021-33179
Upgrade to Nagios XI version 5.8.4 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log
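To turn the fixed-in versions above into a quick inventory check, here is an added Python helper (not part of the advisory, Nagios XI, or NagVis) that reports which of the three CVEs still apply to a given Nagios XI and NagVis version. It assumes dotted numeric version strings such as 5.8.6 and that NagVis is either the bundled plugin or a direct upstream install.

```python
"""Report which CVEs from this advisory apply to an installed version."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed-in Nagios XI versions, taken from the advisory text.
FIXED_IN_NAGIOS_XI: Dict[str, Version] = {
    "CVE-2021-33177": (5, 8, 5),
    "CVE-2021-33179": (5, 8, 4),
}
# CVE-2021-33178 is in NagVis, so it is judged by the NagVis version:
# 2.0.9 for the plugin bundled with Nagios XI, 1.9.29 for upstream NagVis.
FIXED_IN_NAGVIS: Dict[str, Version] = {"plugin": (2, 0, 9), "upstream": (1, 9, 29)}


def parse_version(text: str) -> Version:
    """Turn '5.8.6' into (5, 8, 6); a suffix such as '-rc1' is ignored."""
    core = text.strip().split("-")[0]
    if not core:
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(installed: str, fixed: Version) -> bool:
    """True when installed < fixed, comparing numerically so 5.10.0 > 5.8.6.

    Shorter tuples are zero-padded, so '5.8' is treated as 5.8.0.
    """
    inst = parse_version(installed)
    width = max(len(inst), len(fixed))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(inst) < pad(fixed)


def applicable_cves(xi_version: str, nagvis_version: Optional[str] = None,
                    nagvis_source: str = "plugin") -> List[str]:
    """CVEs from this advisory that still apply to the described install.

    nagvis_version=None means NagVis is not installed, so CVE-2021-33178
    is not reported regardless of the Nagios XI version.
    """
    hits = [cve for cve, fixed in FIXED_IN_NAGIOS_XI.items()
            if is_vulnerable(xi_version, fixed)]
    if nagvis_version is not None and is_vulnerable(
            nagvis_version, FIXED_IN_NAGVIS[nagvis_source]):
        hits.append("CVE-2021-33178")
    return sorted(hits)
```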
Scott Tolley, a researcher from the Black Duck Cybersecurity Research Center, discovered these vulnerabilities using the Seeker® interactive application security testing (IAST) tool.
Black Duck would like to commend the Nagios team for their responsiveness and for addressing these vulnerabilities in a timely manner.