Published: September 21, 2023
Overview
Multiple vulnerabilities were discovered in Nagios XI software, a popular and widely used commercial monitoring solution for IT infrastructure and network monitoring. It is the commercial version of the open-source Nagios Core monitoring platform. Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections. The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens. The fourth vulnerability (CVE-2023-40932) allows for Cross-Site Scripting (XSS). The CVSS Scores are not yet available. These vulnerabilities are fixed by the Nagios team in newer versions.
Impact
The impact of the vulnerabilities are as follows:
- CVE-2023-40931 (SQL Injection in Banner): When a user acknowledges a banner, a POST request is sent to ‘/nagiosxi/admin/banner_message-ajaxhelper.php’ with the POST data consisting of the intended action and message ID – ‘action=acknowledge banner message&id=3’. The ID parameter is assumed to be trusted but comes directly from the client without sanitization. This leads to a SQL Injection where an authenticated user with low or no privileges can retrieve sensitive data.
- CVE-2023-40932 (Cross-Site Scripting): Due to the cross-site scripting vulnerability, an attacker can inject arbitrary JavaScript in any users’ browser. This can be used to read and modify page data, as well as perform actions on behalf of the affected user. On the login page, XSS can be used to retrieve plain-text credentials from users’ browsers as they enter them.
- CVE-2023-40933 (SQL Injection in Announcement Banner): While executing the ‘update_banner_message_settings’ action on the affected endpoint, the ‘id’ parameter is assumed to be trusted and is concatenated into a database query with no sanitization. This allows an attacker to modify the query. Successful exploitation can result in sensitive data access, but requires additional privileges compared to CVE-2023-40931.
- CVE-2023-40934 (SQL Injection in Host): The Core Configuration Manager in Nagios XI allows an authenticated user with privilege to perform arbitrary database queries through their Core Configure Manager component in their endpoint. This vulnerability results in accessing sensitive data from the database, but requires additional privileges compared to CVE-2023-40931.
Applicable Versions
For CVE-2023-40931, CVE-2023-40932, CVE-2023-40933, CVE-2023-40934
| Affected Versions | Fixed Version |
|---|---|
| 5.11.1 and earlier | 5.11.2 |
Mitigations and Workarounds
There are no mitigations and workarounds for these vulnerabilities. It is highly recommended that users update the fixed version of Nagios XI software as soon as possible to prevent exploitation of the vulnerabilities.
Best Practices
It is recommended that the users of Nagios XI update their software to version 5.11.2 as soon as possible. By following these best practices, users can reduce the risk of exploitation and help to prevent the vulnerabilities listed above from being exploited.
Netsurion Detection and Response
Netsurion researchers are continuously monitoring the exploits of these vulnerabilities. Our security analysts will add the IOCs (Indicators of Compromise – the hashes of malicious files and the IP addresses) to Netsurion Threat Center, our threat intelligence platform. This will help detect malicious files and suspicious Command and Control communications to malicious IP addresses to detect the exploitation of these vulnerabilities. Netsurion’s vulnerability management system will also detect the vulnerabilities (CVE-2023-40931, CVE-2023-40932, CVE-2023-40933, and CVE-2023-40934) for customers who have subscribed to Netsurion Vulnerability Management.
References: