CVE-2021-33177, CVE-2021-33178, and CVE-2021-33179 are SQL injection, path traversal, and XSS vulnerabilities in the popular application, service, and network monitoring software Nagios XI.
Synopsys Cybersecurity Research Center (CyRC) research has exposed three separate vulnerabilities in Nagios XI. Nagios XI is a widely used application, service, and network monitoring application that has privileged access to network and server configuration and reporting.
The issues are
Nagios XI versions prior to 5.8.5.
Nagios XI versions prior to 5.8.6 via the NagVis plugin. The vulnerability is not in the Nagios XI code itself, but this plugin is installed by default. The vulnerability is present in the NagVis plugin in versions prior to 2.0.9, and this component can be upgraded independently to version 2.0.9 or later or uninstalled if it is not required.
Nagios XI versions prior to 5.8.4.
An authenticated user with access to the bulk modifications tool, such as admin, can inject arbitrary SQL into an UPDATE statement. In the default configuration, this allows execution of arbitrary PostgreSQL functions.
CVSS 3.1 base score: 5.2 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C
An authenticated user with access to the NagVis ManageBackgrounds endpoint, such as admin, can delete arbitrary files on the server limited by the rights of the Apache server effective user.
CVSS 3.1 base score: 4.5 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CVSS 3.1 base score: 4.3 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Upgrade to Nagios XI 5.8.5 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log
If NagVis is installed as Nagios plugin: Upgrade the NagVis plugin to version 2.0.9 or later. This version of the NagVis plugin is bundled with Nagios XI version 5.8.6 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log
If NagVis was acquired directly from the NagVis project: Upgrade NagVis to version 1.9.29 or later. See release notes: http://nagvis.org/downloads/changelog/1.9.29
Upgrade to Nagios XI version 5.8.4 or later. See release notes: https://www.nagios.com/downloads/nagios-xi/change-log
Scott Tolley, a researcher from the Synopsys Cybersecurity Research Center, discovered these vulnerabilities using the Seeker® interactive application security testing (IAST) tool.
Synopsys would like to commend Nagios team for their responsiveness and for addressing these vulnerabilities in a timely manner.
Originally published October 13, 2021, updated on December 15, 2021.
Scott Tolley began his career in mobile application and operating systems development before catching the AppSec bug at Synopsys where he now works as a solution architect (and fearless bug bounty hunter by night)! When he’s not perfecting DevSecOps pipelines for Synopsys he’s a keen amateur linguist, currently working on Romanian.