Security Issue detected

wagnbeu0
Posts: 27
Joined: Tue Nov 03, 2015 5:28 am

Post by wagnbeu0 »

I got a security information letter from my IT SEC Department today. It states that my Nagios has a security issue. But I already patched to Nagios XI 5.6.7.

Do I have to patch some files manually?

GET /nagiosql/admin/commandline.php?cname='%20union%20select%20concat(0x7e7e7e;user();0x7e7e7e)%23 HTTP/1.1
Host: xxx
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Nagios XI SQL Injection vulnerability detected on port: 443
<!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.01 Transitional//EN>
<html>
<head>
<title>Commandline</title>
<meta http-equiv=Content-Type content=text/html; charset=utf-8>
<style type=text/css>
<!--
body {
font-family: Verdana; Arial; Helvetica; sans-serif;
font-size: 12px;
color: 000000;
/*background-color: EDF5FF;*/
margin: 3px;
border: none;
}
-->
</style>
</head>
<body>
~~~nagiosql@localhost~~~ <script type=text/javascript language=javascript>
<!--
parent.argcount = 0;
//-->
</script>
</body>
</html>-CR-
---------- ---------- ----------
Port: 443/tcp
Layer: Application
References: Qualys Knowledgebase:
https://ipinsplus.siemens.com/pub/QIDsearch?id=011992

Bugtraq List:
104189, http://www.securityfocus.com/bid/104189
Generic Remediation Instructions: Update to Nagios XI 5.4.13 or above from here

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Nagios XI

Generic Vulnerability Description:
Powerful Monitoring Engine Nagios XI uses the powerful Nagios Core 4 monitoring engine to provide users with efficient, scalable monitoring.

Updated Web Interface Your new dashboard provides a customization high-level overview of hosts, services, and network devices.
CVE-2018-10738 - menuaccess.php SQL injection
CVE-2018-10737 - logbook.php SQL injection
CVE-2018-10736 - info.php SQL injection
CVE-2018-10735 - commandline.php SQL injection

Affected Versions:
Nagios XI 5.2.x
Nagios XI 5.4.x before 5.4.13

QID Detection logic:(Unauthenticated)
It tries to perform SQL Injection to check for vulnerable versions of Nagios XI

Consequences:
Successful SQL Injection by an attacker can result in exposure of sensitive information.

Re: Security Issue detected

Post by wagnbeu0 »

I also got the information that there might be a Nagios Core instance running on the same host, which is true. But the installation is coming from the XI installation:

https://servername/nagiosql/index.php


The login screen tells me that the Nagios XI admin can reset my credentials. So how can I patch this piece of software?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Security Issue detected

Post by scottwilkerson »

Both of these could be related. The nagiosql path you show was removed in a recent version, and you can safely remove the following directory if you are on the latest XI, which will likely solve the detected security issue.

Code:

rm -rf /usr/local/nagiosql

Re: Security Issue detected

Post by wagnbeu0 »

Hi, the folder does not exist.

All I have is:

Code:

[root@erlh2c8x local]# ls -l /usr/local/
nagios
NAGIOS_BAK
nagiosmobile
NAGIOSMOBILE_BAK
nagiosxi
NAGIOSXI_BAK
nagvis
nagvis.old-2018-07-12_10:10:47
nagvis.old-2019-04-24_07:36:54

I only found this:

Code:

[root@erlh2c8x local]# find . -name nagiosql
./NAGIOSXI_BAK/tmp/nagiosxi/nagiosxi/basedir/html/includes/components/nagiosql
./NAGIOSXI_BAK/tmp/nagiosxi/subcomponents/nagiosql
./NAGIOSXI_BAK/html/includes/components/nagiosql
./nagiosxi/html/includes/components/nagiosql

Re: Security Issue detected

Post by scottwilkerson »

That is strange that you would have this location on your server:

Code:

https://servername/nagiosql/index.php

Can you show the output of the following:

Code:

grep -R nagiosql /etc/httpd/conf.d
Locked
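
A follow-up to the `grep -R nagiosql /etc/httpd/conf.d` check requested in the last reply, as an added example that is not part of the thread or of Nagios's own tooling: it lists the Apache `Alias`/`ScriptAlias` directives that mention nagiosql and reports whether each target directory still exists on disk. The function names `nagiosql_aliases` and `demo` and the sample conf content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list Apache Alias/ScriptAlias
# directives that mention nagiosql and check whether each target exists.

# nagiosql_aliases CONF_DIR
# Output, one line per directive: <conf file>|<URL path>|<target>|<present|missing>
# Assumes conf file paths contain no ':' or spaces (grep prints "file:line").
nagiosql_aliases() {
    grep -RiHE '^[[:space:]]*(Script)?Alias[[:space:]]' "$1" 2>/dev/null |
    grep -i ':.*nagiosql' |         # match the directive text, not the file name
    while IFS= read -r line; do
        file=${line%%:*}
        directive=${line#*:}
        set -f                      # no globbing while word-splitting
        set -- $directive           # $1=Alias  $2=URL path  $3=target
        url=$(printf '%s' "$2" | tr -d '"')
        target=$(printf '%s' "$3" | tr -d '"')
        if [ -e "$target" ]; then state=present; else state=missing; fi
        printf '%s|%s|%s|%s\n' "$file" "$url" "$target" "$state"
    done
}

# Constructed sample: a throwaway conf.d with one live alias, one stale
# alias, one commented-out alias and one unrelated alias.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf.d" "$d/web/nagiosql"
    cat > "$d/conf.d/sample.conf" <<EOF
Alias /nagiosql "$d/web/nagiosql"
Alias /nagiosql-old "$d/web/gone"
#Alias /nagiosql-disabled "$d/web/nagiosql"
Alias /nagios "$d/web/nagios"
EOF
    nagiosql_aliases "$d/conf.d"
    rm -rf "$d"
}

demo
```

On the server itself, call `nagiosql_aliases /etc/httpd/conf.d`; a line ending in `present` names the directory that an aliased nagiosql URL maps to.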