In June 2020 we reported three vulnerabilities in Nagios XI 5.7.1 to the vendor.
The following CVE IDs were assigned to the issues:

  •  CVE-2020-15901: Command Injection in Nagios XI web interface (RCE)
  •  CVE-2020-15902: Cross Site Scripting (XSS)
  •  CVE-2020-15903: Reserved; details will be released once the vendor fix is available

CVE-2020-15901 and CVE-2020-15902 have since been fixed in version 5.7.2 according to the changelog on the Nagios website (https://www.nagios.com/downloads/nagios-xi/change-log/). CVE-2020-15903 is currently being worked on by the vendor and will probably be fixed in the near future.

The vulnerabilities were found in the course of an extensive research project in which we analyze the security of multiple Unified Endpoint Management (UEM) solutions. Similar vulnerabilities have been found in other solutions and are currently in the responsible disclosure process. The final outcome of the research project will be published as a conference talk and/or whitepaper as soon as the project, including all disclosure processes, is finished.

We provide a short description of the first two CVEs here so that the impact of the vulnerabilities can be better understood. As the last vulnerability is not fixed yet, we refrain from releasing any details at this point. All three vulnerabilities have been verified on Nagios XI 5.6.14 and 5.7.1.

CVE-2020-15901

This CVE describes multiple authenticated command injections in the ‘ajaxhelper’ component of the Nagios XI web interface, all of which lead to remote code execution (RCE) on the web server. Since the ajaxhelper component provides basic functionality for the web interface, it can be accessed by any registered user, so the RCE can be triggered from accounts without any privileges. The injected commands are executed with the privileges of the web server, which runs as user ‘nagios’ on the system.

CVE-2020-15902

CVE-2020-15902 is a reflected Cross-Site Scripting (XSS) vulnerability in the ‘graphexplorer’ component of the Nagios XI web interface. Due to improper input validation, an attacker can inject script tags which are reflected to the victim and executed by the victim's browser.

Summary

The two vulnerabilities can be combined into a one-click RCE exploit against the Nagios XI backend. Therefore, we recommend updating to the newest version immediately and also installing future updates, as CVE-2020-15903 has yet to be fixed.

In our upcoming talk about security issues in UEM products we will go into more detail and also compare solutions from different vendors. We have already found interesting similarities regarding security concepts and issues, so stay tuned for the talk!

clou & mantz

—————————————————————————

This work has been conducted on behalf of the ERNW Research GmbH.

Disclosure Timeline

  • 24.06.2020: Initial contact with the vendor to establish a secure channel for the disclosure.
  • 25.06.2020: Vulnerabilities reported to the vendor by e-mail; disclosure deadline set to 23.09.2020.
  • 01.07.2020: Contacted the vendor again to ask for confirmation of the disclosed vulnerabilities.
  • 15.07.2020: All issues were confirmed by the vendor.
  • 15.07.2020: Vendor confirmed that the RCE and XSS are fixed in version 5.7.2.
  • 22.07.2020: CVE numbers CVE-2020-15901, CVE-2020-15902, CVE-2020-15903 have been reserved for the vulnerabilities.
  • 30.07.2020: Disclosure of vulnerabilities on this blog (without details on CVE-2020-15903).