Nagios XI vulnerabilities resulting in privilege escalation (& more)
During some standard research as part of the Outpost24 Ghost Labs Vulnerability Research department, I discovered four different vulnerabilities in Nagios XI (version 5.11.1 and lower). Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections. The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens.
The fourth vulnerability (CVE-2023-40932) allows Cross-Site Scripting via the Custom Logo component, which will render on every page, including the login page. This may be used to read and modify page data, such as plain-text passwords from login forms.
All these vulnerabilities have been resolved as of 2023-09-11 and users are advised to upgrade to 5.11.2 or later.
What is Nagios XI
Nagios XI is a popular and widely used commercial monitoring solution for IT infrastructure and network monitoring. It is the commercial version of the open-source Nagios Core monitoring platform, and provides added features to simplify the process of managing complex IT environments.
Due to the access required by Nagios XI, it is often deployed in high-privileged environments, which makes it an interesting asset for an attacker to target.
The four vulnerabilities
1. SQL Injection in Banner acknowledging endpoint (CVE-2023-40931)
Nagios XI features “Announcement Banners”, which can optionally be acknowledged by users. The endpoint for this feature is vulnerable to a SQL Injection attack.
When a user acknowledges a banner, a POST request is sent to `/nagiosxi/admin/banner_message-ajaxhelper.php` with the POST data consisting of the intended action and message ID – `action=acknowledge_banner_message&id=3`.
The `id` parameter is assumed to be trusted but comes directly from the client without sanitization. This leads to a SQL Injection where an authenticated user with low or no privileges can retrieve sensitive data, such as the contents of the `xi_session` and `xi_users` tables, which hold emails, usernames, hashed passwords, API tokens, and backend tickets.
This vulnerability does not require the existence of a valid announcement banner ID, meaning it can be exploited by an attacker at any time.
2. SQL Injection in Host/Service Escalation in CCM (CVE-2023-40934)
The Core Configuration Manager in Nagios XI allows an authenticated user with the privilege to manage host escalations to perform arbitrary database queries through the `/nagiosxi/includes/components/ccm/index.php` endpoint.
The parameters `tfFirstNotif`, `tfLastNotif`, and `tfNotifInterval` are assumed to be trusted despite coming directly from the client through a POST request.
This vulnerability results in the same access to the database as the other SQL Injection vulnerabilities, but requires additional privileges compared to CVE-2023-40931.
3. SQL Injection in Announcement Banner Settings (CVE-2023-40933)
Nagios XI has an administrative page for Announcement Banner settings, which contains a SQL Injection vulnerability in the `/nagiosxi/admin/banner_message-ajaxhelper.php` endpoint.
When performing the `update_banner_message_settings` action on the affected endpoint, the `id` parameter is assumed to be trusted and is concatenated into a database query with no sanitization. This allows an attacker to modify the query.
Successful exploitation grants the same database access as the other two SQL Injection vulnerabilities, but requires additional privileges compared to CVE-2023-40931.
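All three SQL Injection findings above share one root cause: a client-supplied parameter that should be a number (`id`, or the `tfFirstNotif`/`tfLastNotif`/`tfNotifInterval` fields) is concatenated into a query string. The following PHP/PDO handler, written for this page and not taken from Nagios XI, shows that pattern next to the fix: validate the shape of the input first, then bind it as a typed parameter. The `banner_ack` table, its rows and the function names are constructed for the demonstration.

```php
<?php
// Added example, not Nagios XI code: an AJAX-style handler that reads an `id`
// from POST data, shown first in the vulnerable concatenation pattern the
// advisory describes and then in a hardened form. The table `banner_ack` and
// its rows are constructed for this demo.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE banner_ack (id INTEGER PRIMARY KEY, user_id INTEGER, message TEXT)');
    $db->exec("INSERT INTO banner_ack VALUES (1, 10, 'maintenance window'),
                                             (2, 11, 'new dashboard'),
                                             (3, 12, 'cert rotation')");
    return $db;
}

// VULNERABLE: the raw POST value is interpolated into the SQL string, so the
// client controls part of the query, not just a value inside it.
function lookup_vulnerable(PDO $db, array $post): array {
    $id = $post['id'] ?? '';
    $sql = "SELECT id, user_id, message FROM banner_ack WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: reject anything that is not a positive integer before it reaches
// the database, then bind the value as a typed parameter so the query's
// structure is fixed at prepare time. The same two steps apply to numeric
// fields such as notification intervals.
function lookup_safe(PDO $db, array $post): array {
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, user_id, message FROM banner_ack WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();

// Well-formed request: both handlers return exactly the one requested row.
printf("vulnerable, id=2: %d row(s)\n", count(lookup_vulnerable($db, ['id' => '2'])));
printf("safe,       id=2: %d row(s)\n", count(lookup_safe($db, ['id' => '2'])));

// Tampered request: the concatenated WHERE clause is rewritten by the input and
// every row comes back; the hardened handler never builds a query at all.
$tampered = ['id' => '2 OR 1=1'];
printf("vulnerable, tampered id: %d row(s)\n", count(lookup_vulnerable($db, $tampered)));
try {
    lookup_safe($db, $tampered);
} catch (InvalidArgumentException $e) {
    printf("safe,       tampered id: rejected (%s)\n", $e->getMessage());
}
```

Run it with `php example.php` (the SQLite PDO driver ships with most PHP builds). The validation step is what makes the difference visible in logs: a request whose `id` fails `FILTER_VALIDATE_INT` can be rejected and recorded before any database work happens, which is also a cheap detection signal for the endpoints named in this advisory.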
4. Cross-Site Scripting in Custom Logo Component (CVE-2023-40932)
Nagios XI can be customized with a custom company logo, which will be displayed across the entire product. This includes the landing page, various administrative pages, and the login page.
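Because the logo is rendered on every page, including the login page where unauthenticated users land, a stored value that is not encoded on output runs in every visitor's browser. The following PHP snippet is an added example for this page, not Nagios XI source; it assumes the logo setting is a stored string that ends up inside an `<img src>` attribute (the page does not state the exact mechanism), and the setting values and file names are constructed.

```php
<?php
// Added example, not Nagios XI code: rendering a customizable logo on pages that
// every visitor sees, including the unauthenticated login page. It assumes the
// logo setting is a stored string that ends up inside an <img src> attribute;
// the setting values and file names are constructed for this demo.

// VULNERABLE: the stored value is echoed directly into an HTML attribute, so any
// markup it contains runs in the browser of everyone who loads the page.
function render_logo_vulnerable(string $logo): string {
    return '<img src="' . $logo . '" alt="Company logo">';
}

// HARDENED, two layers:
// 1. On the way in, accept only a bare file name with a raster image extension
//    (SVG is excluded because it can carry script), so the stored setting can
//    never contain markup, a URL, or path components.
// 2. On the way out, HTML-encode the value with ENT_QUOTES so that even a bad
//    value that reached storage some other way cannot close the attribute.
function validate_logo_name(string $logo): ?string {
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)\z/i', $logo) === 1 ? $logo : null;
}

function render_logo_safe(string $logo): string {
    // Fall back to a known file instead of rendering untrusted input.
    $name = validate_logo_name($logo) ?? 'default-logo.png';
    $src  = htmlspecialchars('/images/' . $name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $src . '" alt="Company logo">';
}

$stored = 'company.png';
echo render_logo_vulnerable($stored), "\n";
echo render_logo_safe($stored), "\n";

// A tampered setting closes the src attribute and smuggles in an event handler.
// The vulnerable renderer emits it as live markup; the safe one falls back to
// the default logo, and would encode the quotes even without the fallback.
$tampered = 'x.png" onerror="console.log(1)';
echo render_logo_vulnerable($tampered), "\n";
echo render_logo_safe($tampered), "\n";
```

The two layers are deliberately independent: input validation protects the stored setting, while output encoding protects the page even if the setting was written through some other path (a database restore, a migration, or one of the SQL Injection vulnerabilities described above). A Content-Security-Policy that disallows inline event handlers is a third, browser-side layer for login pages in particular.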
We found and disclosed the vulnerabilities to Nagios in August 2023. Here’s what happened next:
- 2023-08-04 – Contacted vendor and submitted report
- 2023-08-04 – Vendor acknowledged report, started reviewing
- 2023-08-11 – Vendor confirmed all 4 vulnerabilities
- 2023-08-11 – Contacted MITRE for CVE allocation
- 2023-09-01 – CVEs reserved by MITRE
- 2023-09-07 – Coordinated disclosure for 2023-09-19
- 2023-09-11 – Nagios XI 5.11.2 released with security fixes applied
- 2023-09-19 – Vulnerabilities fully disclosed
The importance of application security testing
In a targeted attack, these types of vulnerabilities are relatively easy to exploit. As recent attacks have demonstrated (most notably the SolarWinds hack), IT management platforms are also likely targets. Without continuous application security testing in place, critical business data is at risk. Outpost24 provides security solutions and pen testing services with direct access to our security experts for remediation guidance and validation. Test your applications in real-time for the latest vulnerabilities with Outpost24.
About Ghost Labs
Ghost Labs is the specialist security unit within Outpost24 working in partnership with our clients to meet their penetration testing needs and objectives. Our experienced Offensive Security team offers enhanced and bespoke penetration testing security services such as advanced network penetration testing, (web) application testing, Red Teaming assessments and complex web application exploitation to help organizations have a true picture of their cyber risk. In addition, the Ghost Labs team is an active contributor to the security community through vulnerability research and a coordinated responsible disclosure program.
Ghost Labs performs hundreds of successful penetration tests for its customers, ranging from global enterprises to SMEs. Our team consists of highly skilled ethical hackers covering a wide range of advanced testing services to help companies keep up with evolving threats and new technologies, helping businesses drive security maturity and mitigate the risks posed by the evolving threats and techniques of the modern-day hacker.