Multiple security flaws have been disclosed in the Nagios XI network monitoring software that could result in privilege escalation and information disclosure.
The four security vulnerabilities, tracked from CVE-2023-40931 through CVE-2023-40934, impact Nagios XI versions 5.11.1 and lower. Following responsible disclosure on August 4, 2023, They have been patched as of September 11, 2023, with the release of version 5.11.2.
“Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections,” Outpost24 researcher Astrid Tedenbrant said.
“The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens.”
CVE-2023-40932, on the other hand, relates to a cross-site scripting (XSS) flaw in the Custom Logo component that could be used to read sensitive data, including cleartext passwords from the login page.
The list of flaws is described below –
- CVE-2023-40931 – SQL Injection in Banner acknowledging endpoint
- CVE-2023-40932 – Cross-Site Scripting in Custom Logo Component
- CVE-2023-40933 – SQL Injection in Announcement Banner Settings
- CVE-2023-40934 – SQL Injection in Host/Service Escalation in the Core Configuration Manager (CCM)
Successful exploitation of the three SQL injection vulnerabilities could permit an authenticated attacker to execute arbitrary SQL commands, while the XSS bug could be exploited to inject arbitrary JavaScript and read and modify page data.
This is not the first time security issues have been uncovered in Nagios XI. In 2021, Skylight Cyber and Claroty discovered as many as two dozen flaws that could be abused to hijack the infrastructure and achieve remote code execution.
