Four security vulnerabilities have been disclosed in the Nagios XI network monitoring software [1] [2] [3] [4], affecting version 5.11.1 and earlier [1] [2] [3] [4]. They pose a significant risk to the confidentiality and integrity of affected installations.

Description

The vulnerabilities, tracked as CVE-2023-40931 through CVE-2023-40934 [1] [2] [3] [4], comprise three SQL injection flaws and one cross-site scripting (XSS) flaw [4]. CVE-2023-40931 is a SQL injection in the banner acknowledging endpoint: an authenticated attacker can execute arbitrary SQL commands by manipulating the ID parameter of a POST request to /nagiosxi/admin/banner_message-ajaxhelper.php [5]. The other two SQL injection flaws, CVE-2023-40933 and CVE-2023-40934, could likewise give an attacker unauthorized access to database fields and allow the retrieval of sensitive user data. The cross-site scripting flaw, CVE-2023-40932, sits in the Custom Logo component and could be exploited to extract sensitive data, including cleartext passwords [1] [3] [6].
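
To make the SQL injection class concrete, here is an added example written for this page; it is not code from Nagios XI or from the researchers who reported the flaws. It models an AJAX helper that looks up a banner message by an id request parameter, the shape CVE-2023-40931 is described as having, against a hypothetical in-memory SQLite schema. The table and column names (banner_messages, xi_users, api_key) and all rows are constructed assumptions with no relation to Nagios XI's real database. The vulnerable lookup splices the parameter into the query text; the hardened lookup validates the value and binds it as a parameter, so the same payloads are rejected.

```python
import sqlite3


# Constructed, hypothetical schema and rows for illustration only; this is not
# Nagios XI's real database layout, code or data.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE banner_messages (id INTEGER PRIMARY KEY, message TEXT);
        CREATE TABLE xi_users (user_id INTEGER PRIMARY KEY, username TEXT, api_key TEXT);
        INSERT INTO banner_messages VALUES (1, 'Maintenance window Friday');
        INSERT INTO banner_messages VALUES (2, 'Welcome to monitoring');
        INSERT INTO xi_users VALUES (1, 'nagiosadmin', 'constructed-api-key-000');
        """
    )
    return conn


def lookup_banner_vulnerable(conn: sqlite3.Connection, post_id: str) -> list:
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so anything the attacker puts in 'id' is parsed as SQL."""
    sql = "SELECT id, message FROM banner_messages WHERE id = " + post_id
    return conn.execute(sql).fetchall()


def lookup_banner_fixed(conn: sqlite3.Connection, post_id: str) -> list:
    """Hardened pattern: reject anything that is not a decimal integer, then
    pass the value as a bound parameter so it can never change the query."""
    if not post_id.isdecimal():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, message FROM banner_messages WHERE id = ?"
    return conn.execute(sql, (int(post_id),)).fetchall()


def fixed_rejects(conn: sqlite3.Connection, post_id: str) -> bool:
    """True if the hardened lookup refuses the value."""
    try:
        lookup_banner_fixed(conn, post_id)
    except ValueError:
        return True
    return False


# Two payloads an attacker could place in the id field of the POST body:
# a tautology that returns every banner, and a UNION that reads another table.
TAUTOLOGY = "1 OR 1=1"
UNION_DUMP = "0 UNION SELECT user_id, username || ':' || api_key FROM xi_users"


def run_demo() -> dict:
    """Run both lookups against the constructed database and collect results."""
    conn = build_db()
    return {
        "normal": lookup_banner_vulnerable(conn, "1"),
        "tautology_rows": len(lookup_banner_vulnerable(conn, TAUTOLOGY)),
        "union_dump": lookup_banner_vulnerable(conn, UNION_DUMP),
        "fixed_normal": lookup_banner_fixed(conn, "1"),
        "fixed_blocks_tautology": fixed_rejects(conn, TAUTOLOGY),
        "fixed_blocks_union": fixed_rejects(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The UNION payload is the mechanism behind "retrieval of sensitive user data" from an injection in an unrelated lookup: the attacker controls the second SELECT and only has to match the column count. Binding the parameter, rather than escaping it, is the fix that closes the whole class.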

Exploiting these vulnerabilities could lead to privilege escalation [4], information disclosure [1] [2] [3] [4], and arbitrary SQL command execution [4]. CVE-2023-40931 is rated medium under CVSS v2 (base score 6.5) and high under CVSS v3 (base score 8.8) [5].

The vulnerabilities were fixed in Nagios XI 5.11.2, released on September 11, 2023, following responsible disclosure to the vendor on August 4, 2023 [2]. This is not the first time the product has been affected: earlier security issues were disclosed in Nagios XI in 2021.
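
Deciding whether an install is in the affected range (5.11.1 and lower) is a version comparison, and doing it as a string comparison gets it wrong. The check below is an added example written for this page, not a Nagios-provided tool. It assumes the installation records its version in a key=value file with a full= line (the path /usr/local/nagiosxi/var/xiversion and that key are assumptions about the layout, so verify them on your own host); the sample file contents are constructed.

```python
FIXED_VERSION = "5.11.2"  # first Nagios XI release carrying the fixes


def parse_version(version: str) -> tuple:
    """Turn "5.11.1" into (5, 11, 1). Missing components are padded with 0 and
    a non-numeric tail such as "5.11.1rc1" keeps only its leading digits."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(installed: str) -> bool:
    """True for 5.11.1 and lower. Compare numerically: as strings "5.9.3"
    sorts after "5.11.2" and would be wrongly reported as patched."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def version_from_xiversion(text: str) -> str:
    """Extract the full version from key=value text. ASSUMPTION: this mirrors
    the format of /usr/local/nagiosxi/var/xiversion (a 'full=...' line); the
    page above does not document the file, so confirm it on your install."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "full":
            return value.strip()
    raise ValueError("no full= line found")


# Constructed sample contents, not copied from a real system.
SAMPLE_XIVERSION = "full=5.11.1\nmajor=5\nminor=11\npatch=1\n"

if __name__ == "__main__":
    v = version_from_xiversion(SAMPLE_XIVERSION)
    print(v, "affected" if is_affected(v) else "patched")
```

Run it against the real file with the path substituted, or feed it the version shown in the web UI; either way the numeric tuple comparison is what prevents a 5.9.x or 5.10.x install from slipping past the check.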

Conclusion

These vulnerabilities in Nagios XI pose a significant threat to the security and privacy of the organisations that run it. Administrators should update to version 5.11.2 to mitigate them. The earlier issues found in 2021 underline the need for ongoing vigilance and prompt patching to keep the software secure.

References

[1] https://flyytech.com/2023/09/20/critical-security-flaws-exposed-in-nagios-xi-network-monitoring-software/
[2] https://cyber.vumetric.com/security-news/2023/09/20/critical-security-flaws-exposed-in-nagios-xi-network-monitoring-software/
[3] https://patabook.com/technology/2023/09/21/critical-security-flaws-exposed-in-nagios-xi-network-monitoring-software/
[4] https://thehackernews.com/2023/09/critical-security-flaws-exposed-in.html
[5] https://www.tenable.com/cve/CVE-2023-40931
[6] https://outpost24.com/blog/nagios-xi-vulnerabilities/