Vulnerabilities in Nagios XI, an IT infrastructure monitoring system, identified by a Positive Technologies expert, have been fixed

An attack exploiting these vulnerabilities could have compromised the server running Nagios XI

The developers of the IT infrastructure monitoring system Nagios XI thanked Positive Technologies Senior Specialist Alexey Solovyev for finding several critical vulnerabilities in the product. Nagios XI is a commercial monitoring platform built on the open-source Nagios Core; data centers, telecom operators, hosting providers, and other large companies use it for real-time monitoring, data collection, and handling disruptions in their network infrastructure. The vendor was notified under the responsible disclosure policy and has already released updates.

As of February 2024, the Positive Technologies Expert Security Center counted more than 900 Nagios XI installations reachable from the internet. A third of them (33.4%) are in the U.S., 8.4% are in China, and 5% are in India.

Positive Technologies Senior Application Security Specialist Alexey Solovyev comments: "Attackers could use cross-site scripting vulnerabilities to attack the system administrator, and shellcode injections to execute arbitrary code on the server running Nagios XI. The attackers could then disable Nagios XI and other systems and services, harnessing the server's power for their own malicious use. For instance, they could mine cryptocurrency, turn the server into a bot, steal private data, or hack the network infrastructure."

The Positive Technologies expert found six cross-site scripting vulnerabilities: BDU:2023-07898, BDU:2023-07893, and BDU:2023-07900 (CVSS 3.0 score 9.0) and BDU:2023-07894, BDU:2023-07899, and BDU:2023-07901 (CVSS 3.0 score 8.4), as well as an SQL injection (BDU:2023-07895) and a shell injection that lets an attacker execute arbitrary commands on the server (BDU:2023-07896), both with a CVSS 3.0 score of 9.1.

To protect against these vulnerabilities, update Nagios XI to version 2024R1.0.1 or later.
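A quick way to check whether an installed instance meets that bar, added here as an example and not taken from the release or from Nagios: the functions below order Nagios XI version strings across the old 5.x scheme and the 2024R1.x scheme and compare them against 2024R1.0.1. Two assumptions are not stated on the page and are marked in the code: every 5.x release sorts below every 2024Rn release, and the installed version can be read from a `full=<version>` line in /usr/local/nagiosxi/var/xiversion. The sample file contents are constructed.

```python
import re
from typing import Tuple

# Version the advisory names as fixed: Nagios XI 2024R1.0.1 or later.
FIXED_VERSION = "2024R1.0.1"

# Assumption (not from the page): Nagios XI records its version in this file
# as key=value lines, one of which is full=<version>. Only that line is used.
XIVERSION_PATH = "/usr/local/nagiosxi/var/xiversion"
# Constructed sample of that file for the offline demonstration.
SAMPLE_XIVERSION = "full=2024R1.0.1\n"

_NEW_SCHEME = re.compile(r"(\d{4})R(\d+)((?:\.\d+)*)")   # e.g. 2024R1.0.1, 2024R1.1
_OLD_SCHEME = re.compile(r"\d+(?:\.\d+)*")               # e.g. 5.11.3


def parse_xi_version(version: str) -> Tuple[int, ...]:
    """Map a Nagios XI version string to a tuple that compares correctly.

    2024R1.0.1 -> (2024, 1, 0, 1)
    2024R1.1   -> (2024, 1, 1, 0)   missing components are padded with zeros
    5.11.3     -> (0, 5, 11, 3)     leading 0 puts every 5.x below every YYYYRn
    Assumption: the 5.x line predates the 2024R1 line, so "2024R1.0.1 or later"
    excludes all 5.x releases.
    """
    v = version.strip()
    m = _NEW_SCHEME.fullmatch(v)
    if m:
        tail = [int(x) for x in m.group(3).split(".") if x]
        tail += [0] * (2 - len(tail))
        return (int(m.group(1)), int(m.group(2)), *tail)
    if _OLD_SCHEME.fullmatch(v):
        parts = [int(x) for x in v.split(".")]
        parts += [0] * (3 - len(parts))
        return (0, *parts)
    raise ValueError(f"unrecognised Nagios XI version string: {version!r}")


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is the fixed release or anything newer."""
    return parse_xi_version(version) >= parse_xi_version(fixed)


def version_from_xiversion(text: str) -> str:
    """Extract the full version from xiversion-style key=value text."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "full":
            return value.strip()
    raise ValueError("no full=<version> line found")


def check_installed(path: str = XIVERSION_PATH) -> bool:
    """On a real host, read the version file and report whether it is patched."""
    with open(path, encoding="utf-8") as fh:
        return is_patched(version_from_xiversion(fh.read()))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample and a few other strings.
    for v in ("5.11.3", "2024R1.0.0", version_from_xiversion(SAMPLE_XIVERSION), "2024R1.1"):
        print(f"{v:<12} patched={is_patched(v)}")
```

Run `check_installed()` on the monitoring host itself; anything that parses as a 5.x release or as 2024R1.0.0 is reported as unpatched, and a string that fits neither scheme raises rather than silently passing.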

To find cross-site scripting, SQL injection, and shell injection flaws of this kind before attackers do, we recommend a dynamic application security testing tool such as PT BlackBox. Network traffic analysis systems like PT Network Attack Discovery (PT NAD) can detect exploitation attempts involving SQL injection and shell injection in transit. Web application firewalls such as PT Application Firewall and its cloud-based counterpart PT Cloud Application Firewall block such attacks at the application layer. To limit the impact of remote code execution (RCE) on endpoints, including servers, an endpoint detection and response (EDR) solution such as MaxPatrol EDR can help: it is designed to detect malicious activity, forward alerts to MaxPatrol SIEM, and stop attackers in their tracks.