Post-auth flaws could give attackers a platform from which to pivot to other parts of the network

Three vulnerabilities have been addressed in Nagios XI, which monitors mission-critical enterprise infrastructure components.

Nagios XI monitors applications, services, operating systems, network protocols, systems metrics, and network infrastructure, and has privileged access to network and server configuration and reporting.

Researchers at the Synopsys Cybersecurity Research Center discovered medium-severity SQL injection, path traversal, and cross-site scripting (XSS) vulnerabilities that could be exploited by authenticated attackers.

‘Tempting target’

“ An attacker would need an initial foothold in the system through which to target them, which is why they have a ‘medium’ rating in the advisory,” Scott Tolley, the Synopsys security engineer who discovered the vulnerabilities, tells The Daily Swig.

“However, the nature of network monitoring software such as Nagios is that is has privileged access to a lot of assets on the target network. That makes them a very tempting target for attackers looking to pivot to other parts of an already compromised system.”

The first flaw, CVE-2021-33177, allows an authenticated user with access to the bulk modifications tool, such as admin, to inject arbitrary SQL into an UPDATE statement. In the default configuration, this allows execution of arbitrary PostgreSQL functions.


Read more of the latest enterprise security news and analysis


Meanwhile, a path traversal vulnerability in the NagVis reporting module (CVE-2021-33178) allows an attacker with access to the NagVis ManageBackgrounds endpoint, such as admin, to delete arbitrary files on the server limited by the rights of the Apache server effective user.

“The user is given the opportunity to delete a background image,” says Tolley.

“Unfortunately, with a few extra characters in the request the attacker can point to any file on the system and the application will happily delete it. This can have implications for the availability of the software, and possibly the security as well, depending on what files the attacker chooses to delete.”

Finally, a reflected XSS on the core config manager (CVE-2021-33179) could enable a malicious URL to execute arbitrary JavaScript code in the victim’s browser and surface local session data from Nagios XI.

Synopsys alerted Nagios to all three vulnerabilities on May 12, and fixes were issued on July 15, September 2, and June 10 respectively.

“Nagios were extremely responsive and pleasant to deal with. I would like to commend them for their clear communications and quick patching of the product itself,” says Tolley.


YOU MIGHT ALSO LIKE NSA warns of heightened wildcard TLS certificate risk