Four vulnerabilities in Nagios XI, a widely used commercial platform for IT infrastructure and network monitoring, have been disclosed by Vulnerability Research Engineer Astrid Tedenbrant. The flaws, found during routine research, allow SQL injection against the product's database and Cross-Site Scripting (XSS) in its web interface.
Three of the vulnerabilities, CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934, are SQL injection flaws reachable by authenticated users with differing levels of access. Through them, sensitive data held in the database, including usernames, email addresses, hashed passwords, API tokens and backend tickets, can be retrieved by authenticated users with low or no privileges.
The fourth vulnerability, CVE-2023-40932, is a Cross-Site Scripting flaw in the Custom Logo component of Nagios XI. It allows an attacker to inject arbitrary JavaScript that executes in the browser of any user who loads the affected page. The attacker can then read and modify page content and perform actions on behalf of that user; plain-text credentials the user types into the page can also be stolen from the browser.
Tedenbrant describes each vulnerability in turn. The first, CVE-2023-40931, is a SQL injection in the banner acknowledgement endpoint. When a user acknowledges a banner, a POST request is sent to '/nagiosxi/admin/banner_message-ajaxhelper.php'. The data it carries is not properly sanitized before reaching the database query, so an attacker can alter the query and retrieve sensitive data from the database.
The second, CVE-2023-40934, is a SQL injection in Host/Service Escalation in the Core Configuration Manager (CCM). An authorized user with permission to manage host escalations can execute arbitrary database queries through the CCM. Because that permission is required, this vulnerability needs more privileges than CVE-2023-40931.
The third, CVE-2023-40933, is a SQL injection in the Announcement Banner Settings. When the 'update_banner_message_settings' action is performed, the 'id' parameter is concatenated directly into a database query without sanitization, allowing an attacker to modify the query.
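The pattern behind these three flaws is the same: a request parameter such as 'id' is concatenated into a SQL string instead of being bound as a query parameter. The following is an added example written for this article, not code from Nagios XI or from the advisory; it uses an in-memory SQLite database with a constructed, hypothetical schema (a 'banner_messages' table and a 'users' table holding hashed passwords and API keys) to show how an injected 'id' value pulls rows the caller was never meant to see, and how the parameterized form refuses the same input.

```python
import sqlite3

# Constructed sample data for illustration only; this is not Nagios XI's schema.
SAMPLE_BANNERS = [
    (1, "Maintenance window tonight", 1),
    (2, "Old notice", 0),
]
SAMPLE_USERS = [
    (1, "nagiosadmin", "admin@example.test", "$2y$10$abc...", "APIKEY-ADMIN-0001"),
    (2, "readonly", "ro@example.test", "$2y$10$def...", "APIKEY-RO-0002"),
]


def build_db():
    """Create an in-memory database with the constructed sample tables."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE banner_messages (id INTEGER PRIMARY KEY, message TEXT, enabled INTEGER)")
    cur.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, "
        "password_hash TEXT, api_key TEXT)"
    )
    cur.executemany("INSERT INTO banner_messages VALUES (?, ?, ?)", SAMPLE_BANNERS)
    cur.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def get_banner_vulnerable(conn, banner_id):
    """Mirrors the flawed pattern: the caller-supplied id is concatenated into the SQL text.

    Anything the caller puts in banner_id becomes part of the query, so a value like
    '1 UNION SELECT username, password_hash, api_key FROM users' joins rows from an
    unrelated table onto the result.
    """
    query = "SELECT id, message, enabled FROM banner_messages WHERE id = " + str(banner_id)
    return conn.execute(query).fetchall()


def get_banner_safe(conn, banner_id):
    """Hardened form: validate the id as an integer and bind it as a query parameter.

    The SQL text is fixed; the value can never change the shape of the query.
    """
    try:
        bid = int(banner_id)
    except (TypeError, ValueError):
        raise ValueError("banner id must be an integer")
    return conn.execute(
        "SELECT id, message, enabled FROM banner_messages WHERE id = ?", (bid,)
    ).fetchall()


def safe_query_rejects(conn, banner_id):
    """Return True if the hardened lookup refuses the given id value."""
    try:
        get_banner_safe(conn, banner_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    payload = "1 UNION SELECT username, password_hash, api_key FROM users"
    print("vulnerable:", get_banner_vulnerable(db, payload))
    print("vulnerable (OR 1=1):", get_banner_vulnerable(db, "1 OR 1=1"))
    print("safe, valid id:", get_banner_safe(db, "1"))
    print("safe rejects payload:", safe_query_rejects(db, payload))
```

Running the block prints the leaked 'users' rows from the concatenating version, while the parameterized version returns only the requested banner and raises on the injected string. The same fix applies regardless of which endpoint carries the parameter: bind values, never splice them into the query text.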
All four vulnerabilities are fixed in Nagios XI version 5.11.2. Administrators are strongly recommended to upgrade to 5.11.2 or later and to confirm the installed version after the upgrade; until then, the XSS and the lower-privilege SQL injection (CVE-2023-40931) are reachable by any authenticated user.
Nagios XI is widely deployed to monitor complex IT environments. Because a monitoring server typically holds credentials and privileged access to the systems it watches, it is an attractive target: compromising it can expose hashed passwords and API tokens that lead to other hosts. Keeping it current with security patches is therefore essential to limiting the risk of exploitation.
In short, these Nagios XI vulnerabilities show why monitoring infrastructure should be patched promptly and why its accounts and API tokens deserve the same protection as any other privileged credential.
