CyRC Vulnerability Advisory: SQL injection, path traversal leading to arbitrary file deletion and XSS in Nagios XI

CVE-2021-33177, CVE-2021-33178, and CVE-2021-33179 are SQL injection, path traversal, and XSS vulnerabilities in the popular application, service, and network monitoring software Nagios XI.


Overview

Synopsys Cybersecurity Research Center (CyRC) research has exposed three separate vulnerabilities in Nagios XI. Nagios XI is widely used application, service, and network monitoring software that has privileged access to network and server configuration and reporting.

The issues are:

  • CVE-2021-33177: Post-authentication SQL injection in the bulk modifications tool
  • CVE-2021-33178: Post-authentication path traversal vulnerability in the NagVis reporting module
  • CVE-2021-33179: Reflected cross-site scripting (XSS) in the core config manager

Affected software

CVE-2021-33177
Nagios XI versions prior to 5.8.5.

CVE-2021-33178
Nagios XI versions prior to 5.8.6 via the NagVis plugin. The vulnerability is not in the Nagios XI code itself, but this plugin is installed by default. The vulnerability is present in the NagVis plugin in versions prior to 2.0.9, and this component can be upgraded independently to version 2.0.9 or later or uninstalled if it is not required.

CVE-2021-33179
Nagios XI versions prior to 5.8.4.

Impact

CVE-2021-33177
An authenticated user with access to the bulk modifications tool, such as admin, can inject arbitrary SQL into an UPDATE statement. In the default configuration, this allows execution of arbitrary PostgreSQL functions.

CVSS 3.1 base score: 5.2 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C
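The defensive pattern that keeps a bulk-modification feature from turning request data into SQL, shown as an added example. This is illustrative code written for this advisory, not Nagios XI's own code; sqlite3 stands in for PostgreSQL so it runs offline, and the `hosts` table, its columns and the sample rows are constructed for the example. The column name (an identifier, which cannot be bound as a parameter) is validated against a fixed allow-list, while the new value and the id list are bound as parameters, so a value containing SQL syntax is stored as text rather than parsed into the UPDATE statement.

```python
"""Parameterised bulk UPDATE with an identifier allow-list (added example)."""
import sqlite3

# Constructed schema standing in for a monitoring "hosts" table.
SCHEMA = """
CREATE TABLE hosts (
    id             INTEGER PRIMARY KEY,
    host_name      TEXT NOT NULL,
    check_interval INTEGER NOT NULL DEFAULT 5,
    notes          TEXT
);
"""

# Only these columns may be targeted by a bulk modification. Identifiers
# cannot be bound as parameters, so they are checked against a fixed set
# instead of being interpolated straight from the request.
EDITABLE_COLUMNS = {"check_interval", "notes"}


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with three constructed host rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO hosts (id, host_name, check_interval, notes) VALUES (?, ?, ?, ?)",
        [(1, "web-01", 5, None), (2, "web-02", 5, None), (3, "db-01", 10, "primary")],
    )
    conn.commit()
    return conn


def bulk_update(conn: sqlite3.Connection, column: str, value, host_ids: list) -> int:
    """Apply one value to one column for a set of host ids.

    The column name must be in EDITABLE_COLUMNS; the value and the ids are
    bound as parameters, so whatever the user typed is stored as data and
    never reaches the SQL parser as code. Returns the number of rows changed.
    """
    if column not in EDITABLE_COLUMNS:
        raise ValueError(f"column not editable: {column!r}")
    if not host_ids:
        return 0
    placeholders = ",".join("?" * len(host_ids))
    # The only interpolated token is the validated column name.
    sql = f"UPDATE hosts SET {column} = ? WHERE id IN ({placeholders})"
    cur = conn.execute(sql, [value, *host_ids])
    conn.commit()
    return cur.rowcount


def row_notes(conn: sqlite3.Connection, host_id: int):
    """Read back the notes column for one host (parameterised as well)."""
    return conn.execute("SELECT notes FROM hosts WHERE id = ?", (host_id,)).fetchone()[0]


def demo() -> tuple:
    """Show that SQL-looking input is stored verbatim and bad identifiers are refused."""
    conn = open_sample_db()
    # A value containing SQL syntax is stored verbatim; it is never parsed as SQL.
    sql_looking_value = "x', check_interval = 0 WHERE 1=1 --"
    changed = bulk_update(conn, "notes", sql_looking_value, [1, 2])
    stored = row_notes(conn, 1)
    # A column name outside the allow-list is refused before any SQL is built.
    try:
        bulk_update(conn, "host_name; DROP TABLE hosts", "x", [1])
        refused = False
    except ValueError:
        refused = True
    intervals = [r[0] for r in conn.execute("SELECT check_interval FROM hosts ORDER BY id")]
    return changed, stored, refused, intervals


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports two rows changed, the literal string stored unchanged in `notes`, the disallowed column name rejected, and every `check_interval` untouched. The same allow-list discipline applies to table names, sort orders and any other identifier a bulk tool lets the user choose; parameter binding alone cannot protect those.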

CVE-2021-33178
An authenticated user with access to the NagVis ManageBackgrounds endpoint, such as admin, can delete arbitrary files on the server, subject to the permissions of the effective user the Apache server runs as.

CVSS 3.1 base score: 4.5 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
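The check a "manage backgrounds" style endpoint needs before unlinking a file named by the client, shown as an added example. This is illustrative code written for this advisory, not NagVis or Nagios XI code; the directory layout (a `backgrounds` directory, a `config.ini` beside it, and a symlink inside the directory pointing outside) is constructed in a temporary directory so the block runs stand-alone. The client-supplied name is joined to the managed directory, fully resolved (collapsing `..` and following symlinks), and then required to sit strictly inside the resolved base before any deletion happens.

```python
"""Delete an upload only when it resolves inside its managed directory (added example)."""
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a client-supplied name escapes the managed directory."""


def resolve_managed_file(base_dir: Path, user_name: str) -> Path:
    """Map a client-supplied file name to a path strictly inside base_dir.

    Both the base and the candidate are resolved so that '..' segments,
    absolute paths and symlinks are all judged by where they actually land.
    Anything outside base_dir, or base_dir itself, is rejected.
    """
    base = base_dir.resolve()
    candidate = (base / user_name).resolve()
    # relative_to() raises ValueError when candidate is not under base.
    try:
        rel = candidate.relative_to(base)
    except ValueError:
        raise UnsafePath(user_name) from None
    if rel == Path("."):
        raise UnsafePath(user_name)
    return candidate


def delete_background(base_dir: Path, user_name: str) -> bool:
    """Unlink the named background if, and only if, it lives in base_dir.

    Returns True when a file was removed, False when nothing matched, and
    raises UnsafePath for names that traverse out of the directory.
    """
    target = resolve_managed_file(base_dir, user_name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the check against a constructed layout and report each outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backgrounds = root / "backgrounds"
        backgrounds.mkdir()
        (backgrounds / "map.png").write_bytes(b"png")      # legitimate upload
        outside = root / "config.ini"                        # file that must survive
        outside.write_text("keep me")
        (backgrounds / "link").symlink_to(outside)           # symlink escaping the directory

        results = {}
        results["plain"] = delete_background(backgrounds, "map.png")
        results["missing"] = delete_background(backgrounds, "nope.png")
        for label, name in [("dotdot", "../config.ini"),
                            ("absolute", str(outside)),
                            ("symlink", "link"),
                            ("self", ".")]:
            try:
                delete_background(backgrounds, name)
                results[label] = "deleted"
            except UnsafePath:
                results[label] = "rejected"
        results["config_survives"] = outside.exists()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check is one layer; a second is to keep the web server's effective user from owning anything it does not need to write, which bounds the damage of any deletion primitive that slips through. A name allow-list (for example, a fixed set of extensions and no path separators at all) is cheap to add in front of the resolution step.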

CVE-2021-33179
If a user clicks a crafted URL, it can execute arbitrary JavaScript in the victim's browser with all Nagios XI local session data available to it.

CVSS 3.1 base score: 4.3 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

Remediation

CVE-2021-33177
Upgrade to Nagios XI 5.8.5 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log

CVE-2021-33178
Upgrade the NagVis plugin to version 2.0.9 or later. This version of the NagVis plugin is bundled with Nagios XI version 5.8.6 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log

CVE-2021-33179
Upgrade to Nagios XI version 5.8.4 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log

Discovery credit

Scott Tolley, a researcher from the Synopsys Cybersecurity Research Center, discovered these vulnerabilities using the Seeker® interactive application security testing (IAST) tool.
Synopsys would like to commend the Nagios team for their responsiveness and for addressing these vulnerabilities in a timely manner.

Timeline

CVE-2021-33177

  • May 12, 2021: Initial disclosure
  • June 4, 2021: Nagios security team validates and confirms the vulnerability
  • July 15, 2021: Nagios XI version 5.8.5 released with a fix for CVE-2021-33177
  • October 13, 2021: Advisory published by Synopsys

CVE-2021-33178

  • May 12, 2021: Initial disclosure
  • June 4, 2021: Nagios security team validates and confirms the vulnerability
  • September 2, 2021: NagVis plugin version 2.0.9 released with a fix for CVE-2021-33178
  • October 13, 2021: Advisory published by Synopsys

CVE-2021-33179

  • May 12, 2021: Initial disclosure
  • June 4, 2021: Nagios security team validates and confirms the vulnerability
  • June 10, 2021: Nagios XI version 5.8.4 released with a fix for CVE-2021-33179
  • October 13, 2021: Advisory published by Synopsys

Posted by Scott Tolley

Scott Tolley began his career in mobile application and operating systems development before catching the AppSec bug at Synopsys where he now works as a solution architect (and fearless bug bounty hunter by night)! When he’s not perfecting DevSecOps pipelines for Synopsys he’s a keen amateur linguist, currently working on Romanian.
