Security issue in Nagios XI 5.6.10

hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Security issue in Nagios XI 5.6.10

Post by hbouma »

This seems to have been brought up before on https://support.nagios.com/forum/viewto ... 16&t=56149, but I see no resolution there.

We are running Nagios XI 5.6.10 on RHEL 7 VMs. I have already verified that /usr/local/nagiosql doesn't exist on our server. Files instead seem to be in /var/www/html/nagiosql.


/var/www/html/nagiosql/admin]
$ ll
total 636K
drwxr-xr-x 2 apache apache 4.0K Jul 10  2018 .
drwxr-xr-x 8 apache apache 4.0K Jul 10  2018 ..
-rwxr-xr-x 1 apache apache 1.5K Jul 10  2018 administration.php
-rwxr-xr-x 1 apache apache 3.2K Jul 10  2018 alarming.php
-rwxr-xr-x 1 apache apache 4.9K Jul 10  2018 cgicfg.php
-rwxr-xr-x 1 apache apache  14K Jul 10  2018 checkcommands.php
-rwxr-xr-x 1 apache apache 2.4K Jul 10  2018 commandline.php
-rwxr-xr-x 1 apache apache 2.2K Jul 10  2018 commands.php
-rwxr-xr-x 1 apache apache  13K Jul 10  2018 contactgroups.php
-rwxr-xr-x 1 apache apache  28K Jul 10  2018 contacts.php
-rwxr-xr-x 1 apache apache  27K Jul 10  2018 contacttemplates.php
-rwxr-xr-x 1 apache apache 6.1K Jul 10  2018 delbackup.php
-rwxr-xr-x 1 apache apache  20K Jul 10  2018 domain.php
-rwxr-xr-x 1 apache apache 2.7K Jul 10  2018 download.php
-rwxr-xr-x 1 apache apache 1.6K Jul 10  2018 errorsite.php
-rwxr-xr-x 1 apache apache 6.1K Jul 10  2018 helpedit.php
-rwxr-xr-x 1 apache apache  18K Jul 10  2018 hostdependencies.php
-rwxr-xr-x 1 apache apache  18K Jul 10  2018 hostescalations.php
-rwxr-xr-x 1 apache apache  12K Jul 10  2018 hostextinfo.php
-rwxr-xr-x 1 apache apache  14K Jul 10  2018 hostgroups.php
-rwxr-xr-x 1 apache apache  38K Jul 10  2018 hosts.php
-rwxr-xr-x 1 apache apache  33K Jul 10  2018 hosttemplates.php
-rwxr-xr-x 1 apache apache  11K Jul 10  2018 import-new.php
-rwxr-xr-x 1 apache apache 8.7K Jul 10  2018 import.php
-rw-r--r-- 1 apache apache    0 Jul 10  2018 index.html
-rwxr-xr-x 1 apache apache 3.7K Jul 10  2018 info.php
-rwxr-xr-x 1 apache apache 5.0K Jul 10  2018 logbook.php
-rwxr-xr-x 1 apache apache 4.4K Jul 10  2018 menuaccess.php
-rwxr-xr-x 1 apache apache 4.0K Jul 10  2018 monitoring.php
-rwxr-xr-x 1 apache apache 1.7K Jul 10  2018 mutdialog.php
-rwxr-xr-x 1 apache apache 5.1K Jul 10  2018 nagioscfg.php
-rwxr-xr-x 1 apache apache 3.9K Jul 10  2018 password.php
-rwxr-xr-x 1 apache apache 1.6K Jul 10  2018 searchhosts.php
-rwxr-xr-x 1 apache apache  27K Jul 10  2018 servicedependencies.php
-rwxr-xr-x 1 apache apache  22K Jul 10  2018 serviceescalations.php
-rwxr-xr-x 1 apache apache  14K Jul 10  2018 serviceextinfo.php
-rwxr-xr-x 1 apache apache  14K Jul 10  2018 servicegroups.php
-rwxr-xr-x 1 apache apache  44K Jul 10  2018 services.php
-rwxr-xr-x 1 apache apache  36K Jul 10  2018 servicetemplates.php
-rwxr-xr-x 1 apache apache  12K Jul 10  2018 settings.php
-rwxr-xr-x 1 apache apache 4.1K Jul 10  2018 specials.php
-rwxr-xr-x 1 apache apache 8.6K Jul 10  2018 templatedefinitions.php
-rwxr-xr-x 1 apache apache 6.3K Jul 10  2018 timedefinitions.php
-rwxr-xr-x 1 apache apache  13K Jul 10  2018 timeperiods.php
-rwxr-xr-x 1 apache apache 1.5K Jul 10  2018 tools.php
-rwxr-xr-x 1 apache apache  12K Jul 10  2018 user.php
-rwxr-xr-x 1 apache apache 5.5K Jul 10  2018 variabledefinitions.php
-rwxr-xr-x 1 apache apache  14K Jul 10  2018 verify.php
Our IT Security department sent us a report regarding one of the servers:

QID: 11992
Category: CGI
CVE ID: CVE-2018-10738 CVE-2018-10737 CVE-2018-10736 CVE-2018-10735
Vendor Reference: CVE-2018-10738,CVE-2018-10737,CVE-2018-10736,CVE-2018-10735
Bugtraq ID: 104189
Service Modified: 12/11/2019
User Modified: -
Edited: No
PCI Vuln: Yes
THREAT:
Powerful Monitoring Engine: Nagios XI uses the powerful Nagios Core 4 monitoring engine to provide users with efficient, scalable monitoring.
Updated Web Interface: Your new dashboard provides a customizable high-level overview of hosts, services, and network devices.
CVE-2018-10738 - menuaccess.php SQL injection
CVE-2018-10737 - logbook.php SQL injection
CVE-2018-10736 - info.php SQL injection
CVE-2018-10735 - commandline.php SQL injection

Affected Versions:
Nagios XI 5.2.x
Nagios XI 5.4.x before 5.4.13
QID Detection logic (Unauthenticated):
It tries to perform SQL Injection to check for vulnerable versions of Nagios XI.

IMPACT:
Successful SQL Injection by an attacker can result in exposure of sensitive information.
SOLUTION:
Update to Nagios XI 5.4.13 or above from here. If you are updating Nagios XI from an older version to 5.4.13 or above, it is highly recommended to also update the nagiosql component to the latest version.
Patch:
Following are links for downloading patches to fix the vulnerabilities:

Nagios XI

COMPLIANCE: Not Applicable
EXPLOITABILITY: Qualys
Reference: CVE-2018-10738
Description: Nagios XI SQL Injection vulnerability
Link: https://www.seebug.org/vuldb/ssvid-97265
ASSOCIATED MALWARE: There is no malware information for this vulnerability.
RESULTS:
GET /nagiosql/admin/commandline.php?cname='%20union%20select%20concat(0x7e7e7e,user(),0x7e7e7e)%23 HTTP/1.1
Host: SERVERNAME.FQDN
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0

Nagios XI SQL Injection vulnerability detected on port: 443
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Commandline</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
<!--
body {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 12px;
color: #000000;
/*background-color: #EDF5FF;*/
margin: 3px;
border: none;
}
-->
</style>
</head>
<body>
~~~[email protected]~~~ <script type="text/javascript" language="javascript">
<!--
parent.argcount = 0;
//-->
</script>
</body>
</html>
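The scanner's finding rests on one observable: the payload in the GET request above wraps the output of MySQL's user() in 0x7e7e7e ("~~~"), so a response that echoes text between two "~~~" markers proves the injected SQL executed. The script below is an added example for this thread, not part of the original post and not Nagios or Qualys tooling; it replays that exact probe against a host you name and classifies the response body so the result can be re-checked before and after remediation. It assumes curl is installed, and the sample response embedded in it is constructed (the shape is taken from the report, the account name is made up).

```shell
#!/bin/sh
# Added example for this thread; not from the original post, not Nagios or
# Qualys tooling. Replays the scanner's probe and judges the response body.

# Path and query string exactly as the scanner sent them (see the RESULTS
# section of the report): ' union select concat(0x7e7e7e,user(),0x7e7e7e)#
PROBE_PATH="/nagiosql/admin/commandline.php?cname='%20union%20select%20concat(0x7e7e7e,user(),0x7e7e7e)%23"

# Constructed sample of a vulnerable response: the shape follows the report,
# the account name "dbuser@localhost" is made up for the example.
SAMPLE_VULNERABLE='<body>
~~~dbuser@localhost~~~ <script type="text/javascript" language="javascript">
parent.argcount = 0;
</script>
</body>'

# Read a response body on stdin and print the text between the first "~~~"
# pair. Exit 0 when a marker pair is present, 1 when it is not.
extract_marker() {
    sed -n 's/.*~~~\([^~][^~]*\)~~~.*/\1/p' | head -n 1 | grep .
}

# Classify a saved response body file: prints "VULNERABLE <db account>" and
# returns 1, or prints "CLEAN" and returns 0. A 404 after the nagiosql tree
# has been removed contains no markers and is therefore CLEAN.
classify_response() {
    if dbuser=$(extract_marker < "$1"); then
        echo "VULNERABLE $dbuser"
        return 1
    fi
    echo "CLEAN"
    return 0
}

# Classify the constructed sample above, i.e. what a hit looks like.
classify_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_VULNERABLE" > "$tmp"
    if classify_response "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Live check against one host, e.g.: probe_host SERVERNAME.FQDN https
# Only run this against systems you are authorised to test.
probe_host() {
    host="$1"
    scheme="${2:-https}"
    tmp=$(mktemp)
    # -k: the report shows port 443, and monitoring hosts often use self-signed certs.
    curl -sk --max-time 15 -o "$tmp" "${scheme}://${host}${PROBE_PATH}"
    if classify_response "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}
```

Run `probe_host` once before deleting the folder to confirm the scanner's hit is real on that host, and once after to confirm the page is gone; a CLEAN verdict on a host that still serves /nagiosql/admin/ (for instance an HTTP 200 without the markers) is worth a second look, because it only means this particular marker was not echoed.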
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Security issue in Nagios XI 5.6.10

Post by ssax »

What is the output of this command?


rpm -qa | grep nagiosql
Technically, those can just be removed (because they are not used by us anymore), but I want to see if there's an RPM installed first:


rm -rf /var/www/html/nagiosql
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Security issue in Nagios XI 5.6.10

Post by hbouma »

When I run rpm -qa | grep nagiosql, no results are found.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Security issue in Nagios XI 5.6.10

Post by ssax »

Ok, just manually remove them then:


rm -rf /var/www/html/nagiosql
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Security issue in Nagios XI 5.6.10

Post by hbouma »

Thank you. I am testing this on our lower environment now.


It appears that this only exists on the servers that started out as version 5.4.X and were upgraded since then. Anything that started as version 5.5.X or newer doesn't seem to have this folder.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Security issue in Nagios XI 5.6.10

Post by ssax »

That is correct, there was a cutover in 5.5 from nagiosql to ccm on the backend (nagiosql is still the name of the DB though). I've only seen a handful of systems that still have those files on there.
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Security issue in Nagios XI 5.6.10

Post by hbouma »

Thank you for your help. We have gone ahead and deleted these folders from our Nagios XI instances and everything seems to be working fine now.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Security issue in Nagios XI 5.6.10

Post by benjaminsmith »

> Thank you for your help. We have gone ahead and deleted these folders from our Nagios XI instances and everything seems to be working fine now.
Hi Henry. Thanks for the update. We'll just leave this open for now if you have any more questions.

Benjamin
Bwick05
Posts: 6
Joined: Fri Oct 12, 2018 7:13 am

Re: Security issue in Nagios XI 5.6.10

Post by Bwick05 »

We upgraded from Nagios XI 5.4.0 to Nagios XI 5.6.13.

What is the action item if you find a package? Just uninstall the package, or are there other actions?

[user@Server~]$ rpm -qa | grep nagiosql
nagiosxi-nagiosql-5-4.0.2.el7.x86_64

Bryce
Nagios XI 5.6.13
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Security issue in Nagios XI 5.6.10

Post by ssax »

You should be able to run these commands:


yum remove nagiosxi-nagiosql            # remove the legacy package that rpm -qa reported
\rm -rf /var/www/html/nagiosql          # delete the leftover web tree (the backslash bypasses any rm alias, e.g. rm -i)
\rm -f /etc/httpd/conf.d/nagiosql.conf  # drop the Apache include that served it
service httpd restart                   # reload Apache so the removed include takes effect
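The thread names three leftovers that have to go together: the nagiosxi-nagiosql RPM (when one is installed), the /var/www/html/nagiosql web tree, and the nagiosql.conf Apache include, followed by an httpd restart. The script below is an added example, not Nagios tooling and not part of any post above: an audit function that reports which of the three is still present, and a removal function that follows the commands ssax gave. ROOT is a hypothetical prefix (default "/") so the same functions can be run against a copied tree without touching the live host; the RPM query, yum removal and httpd restart only happen when ROOT is the live root. The directory layout used in the example is the one shown earlier in the thread.

```shell
#!/bin/sh
# Added example for this thread; not Nagios tooling and not from any post above.
# Audit and, on request, remove the legacy nagiosql web component.

# Paths relative to ROOT, as shown in the thread.
NAGIOSQL_DIR="var/www/html/nagiosql"
NAGIOSQL_CONF="etc/httpd/conf.d/nagiosql.conf"

# Print one line per artifact still present under ROOT (default "/").
# Returns 1 if anything was found, 0 when the host is clean.
nagiosql_residue() {
    root="${1:-/}"
    found=0
    if [ -d "$root/$NAGIOSQL_DIR" ]; then
        nphp=$(find "$root/$NAGIOSQL_DIR" -name '*.php' | wc -l | tr -d ' ')
        echo "DIR $root/$NAGIOSQL_DIR ($nphp php files)"
        found=1
    fi
    if [ -f "$root/$NAGIOSQL_CONF" ]; then
        echo "CONF $root/$NAGIOSQL_CONF"
        found=1
    fi
    # The package database describes the live host only, so skip it for a
    # copied tree or where rpm is not available.
    if [ "$root" = "/" ] && command -v rpm >/dev/null 2>&1; then
        if pkg=$(rpm -qa 'nagiosxi-nagiosql*' | grep .); then
            echo "RPM $pkg"
            found=1
        fi
    fi
    return $found
}

# Remove whatever nagiosql_residue reports, in the order ssax gave: package,
# web tree, Apache include, then restart httpd. Plain rm is used because
# aliases such as rm -i are not expanded inside scripts; \rm is only needed
# at an interactive prompt.
nagiosql_remove() {
    root="${1:-/}"
    if [ "$root" = "/" ] && rpm -q nagiosxi-nagiosql >/dev/null 2>&1; then
        yum -y remove nagiosxi-nagiosql
    fi
    if [ -d "$root/$NAGIOSQL_DIR" ]; then
        rm -rf "$root/$NAGIOSQL_DIR"
    fi
    if [ -f "$root/$NAGIOSQL_CONF" ]; then
        rm -f "$root/$NAGIOSQL_CONF"
        # The include is gone, so Apache has to reload its configuration.
        if [ "$root" = "/" ]; then
            service httpd restart
        fi
    fi
    return 0
}

# Usage (live host, run as root):
#   nagiosql_residue            # list what is left; exit status 1 means "something found"
#   nagiosql_remove             # remove it
#   nagiosql_residue            # confirm: no output, exit status 0
```

Running `nagiosql_residue` across every XI server is the quick way to find the handful of hosts that started life on 5.4.x and were upgraded in place, which is where the thread found the leftover files; hosts installed at 5.5 or later should report nothing.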