We have Nagios XI 2014R2.7, XI 5.2.3, and XI 5.4.8 installed on Red Hat servers (RHEL 6.10, RHEL 7.6). The following security vulnerabilities have been disclosed:
1) CVE-2021-37343 (CVSS score: 8.8) - A path traversal vulnerability exists in the Autodiscover component of Nagios XI below version 5.8.5 and could lead to post-authentication RCE under the security context of the user running Nagios.
2) CVE-2021-37346 (CVSS score: 9.8) - Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through improper neutralization of special elements used in an OS command (OS command injection).
3) CVE-2021-37344 (CVSS score: 9.8) - Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralization of special elements used in an OS command (OS command injection).
Are there any fixes/patches to address these security vulnerabilities? How can we verify these security vulnerabilities and/or identify the Autodiscover component, Nagios XI WatchGuard Wizard, and Nagios XI Switch Wizard, to determine whether these components and wizards apply to/impact our Nagios XI servers, which run different versions?
CVE-2021-37343, CVE-2021-37346, CVE-2021-37344
Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344
I just verified that our Nagios XI servers do not use Auto-discover, WatchGuard Wizard, and Switch and Router Wizard. So our Nagios XI is not impacted by these CVEs.
Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344
You would need to upgrade to the latest to be fully protected.
See here:
https://www.nagios.com/products/security/
https://www.nagios.com/security-faq/
If you are sure you are not using them, you can move the config wizards out to make them inaccessible, which protects you:
Code:
# keep a copy of the wizard directories outside the web root
mkdir /root/xi_configwizard_backup
# move the three affected wizards out of the XI web tree so Apache can no longer serve them
mv /usr/local/nagiosxi/html/includes/configwizards/autodiscovery /root/xi_configwizard_backup/
mv /usr/local/nagiosxi/html/includes/configwizards/watchguard /root/xi_configwizard_backup/
mv /usr/local/nagiosxi/html/includes/configwizards/switch /root/xi_configwizard_backup/
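The OP also asked how to verify whether the affected wizards are present at all. The script below is an added example, not ssax's or Nagios' own code: it audits the three wizard directories quoted in this thread (autodiscovery, watchguard, switch under /usr/local/nagiosxi/html/includes/configwizards) and, when run as `relocate`, performs the same move shown above but idempotently, refusing to clobber an earlier backup and confirming afterwards that each directory is really gone from the web root. The WIZARD_ROOT and BACKUP_DIR environment overrides, the function names, and the dated-backup naming are assumptions of this example; only the paths and directory names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not Nagios' code): audit a Nagios XI
# host for the three config wizards named in CVE-2021-37343/-37344/-37346
# and, with "relocate", move them out of the web root as the reply describes.
# Defaults are the paths quoted in the thread; override via the environment.
WIZARD_ROOT="${WIZARD_ROOT:-/usr/local/nagiosxi/html/includes/configwizards}"
BACKUP_DIR="${BACKUP_DIR:-/root/xi_configwizard_backup}"
WIZARDS="autodiscovery watchguard switch"   # directory names from the thread

# Print "present" or "absent" for one wizard directory under WIZARD_ROOT.
wizard_status() {
    if [ -d "$WIZARD_ROOT/$1" ]; then echo present; else echo absent; fi
}

# Number of the three wizards still reachable under the web root.
count_installed() {
    n=0
    for w in $WIZARDS; do
        [ "$(wizard_status "$w")" = present ] && n=$((n + 1))
    done
    echo "$n"
}

# Move one wizard directory into BACKUP_DIR. Idempotent: if the directory is
# already gone this is a no-op. Returns non-zero if the directory is still
# under the web root afterwards, i.e. the mitigation did not take effect.
relocate_wizard() {
    w=$1
    if [ -d "$WIZARD_ROOT/$w" ]; then
        mkdir -p "$BACKUP_DIR"
        dest="$BACKUP_DIR/$w"
        # never overwrite an earlier backup; give the new copy a dated name
        [ -e "$dest" ] && dest="$dest.$(date +%Y%m%d%H%M%S)"
        mv "$WIZARD_ROOT/$w" "$dest"
    fi
    [ ! -d "$WIZARD_ROOT/$w" ]
}

# Report each wizard; exit status 0 only when none are installed.
audit_wizards() {
    for w in $WIZARDS; do
        printf '%-14s %s\n' "$w" "$(wizard_status "$w")"
    done
    [ "$(count_installed)" -eq 0 ]
}

case "${1:-audit}" in
    audit)    audit_wizards ;;
    relocate) for w in $WIZARDS; do relocate_wizard "$w"; done; audit_wizards ;;
esac
```

Run it with no arguments on each XI host to get a per-wizard present/absent report (non-zero exit means at least one affected wizard is still served from the web root); run it with `relocate` to apply the mitigation and re-audit in one step. Removing the directories only takes the wizards out of reach; as ssax says, upgrading to the latest release is what actually fixes the code.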
Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344
@ssax, thanks for the response and recommendation.
So, even if we do not use/configure them at all, would it still be a vulnerability issue if we left them in /usr/local/nagiosxi/html/includes/configwizards as is? Assuming nobody will touch (configure) them via the Nagios XI web interface (GUI), even though they are listed under "Configure->Configuration Wizards".
Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344
Correct, the attack utilizes them if they exist.
Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344
@ssax, thank you!
Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344
Hi,
Did you have any other questions, or shall we close this topic? Let us know when you have a minute.
--Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344
Please close it. Thanks!