Nagios XI Configwizards Command Injection Vulnerability

August 27, 2021

Overview:

  Nagios is an open source host, service and network monitoring program. The product’s functionality is implemented through a number of server-side programs primarily written in PHP with a backend database running MariaDB, a drop-in replacement for Musk. The majority of these programs can be accessed only after successful authentication is performed with the underlying webserver. Nagios XI is a paid version of Nagios which offers greater functionality and performance such as enhanced dashboards, graphs and backend database support compared with Nagios.

  A command injection vulnerability has been reported in Nagios XI. The vulnerability is due to insufficient input validation of the requests submitted to the Windowswmi.inc.php.

  A remote authenticated attacker can exploit this vulnerability by sending a crafted request to the server. Successful exploitation could result in arbitrary command execution with privileges of the web server on the target system.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-25296.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C).

  Base score is 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Nagios XI facilitates the management of the tasks to monitor new devices, services, and applications via the Configuration Wizards feature. Configuration wizards includes a set of modules which make it easy for end-users to setup monitor tasks for various services or hosts on a user-friendly interface without needing to understand how Nagios XI works in the backend. Configuration wizards include several modules which are installed by default in Nagios XI installation. The “Windows WMI” module is one of these default modules and relevant to this report. The Configuration Wizards feature can be accessed via the Request-URI

    /url_root/config/monitoringwizard.php

  where url_root is the url root of the Nagios XI application.

  A command injection vulnerability exists in Nagios XI. When processing the requests submitted to the monitoringwizard.php endpoint, the monitoringwizard.php will check if the value of the wizard request parameter is “windowswmi”. If yes, it will call the function windowswmi_configwizard_func() in the windowswmi.inc.php to process the request. The windowswmi_configwizard_func() creates command-line strings which will invoke the program check_wmi_plus.pl to perform various monitoring tasks. The check_wmi_plus.pl provides several command-line arguments. One of them is the “forcetruncateoutput” argument, which limits the length of output printed by the check_wmi_plus.pl. The windowswmi_configwizard_func() will check if the plugin_output_len request parameter exists in the HTTP request. If yes, it will apply the plugin_output_len value to the construction of the check_wmi_plus.pl command-line string as its “forcetruncateoutput” argument, like the command-line string shown below:

    check_wmi_plus.pl ...... --forcetruncateoutput plugin_output_len

  where plugin_output_len is the value of the plugin_output_len request parameter.

  Then, windowswmi_configwizard_func() will run the constructed check_wmi_plus.pl command-line string by PHP exec() function.

  However, windowswmi_configwizard_func() does not sanitize the plugin_output_len parameter value before applying it to the command-line string. An attacker can include command injection characters in the value of the plugin_output_len parameter which are then included in the constructed command line string. This allows for the execution of arbitrary commands on the underlying system when windowswmi_configwizard_func() calls PHP exec() to run the command-line string.

  A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation results in the execution of arbitrary commands as the apache user.

Triggering the Problem:

  The target system must have the vulnerable product installed and running.
    • The attacker must have network connectivity to the affected ports.
    • The attacker must authenticate to the target system.

Trigging Conditions:

  The attacker authenticates and then sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 15480 Nagios XI monitoringwizard.php Command Injection 1
  • IPS: 15668 Nagios XI monitoringwizard.php Command Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released a patch (5.8.0) regarding this vulnerability:
  Vendor Advisory