New security Vulnerabilities

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
essrichard
Posts: 24
Joined: Wed Apr 29, 2015 12:10 pm

New security Vulnerabilities

Post by essrichard »

In our quarterly Nessus Vulnerability scan which is required by PCI, our new Nagios XI server was found with several security vulnerabilities. All of these vulnerabilities are showing to be on TCP port 443 of our Nagios XI server. We have already updated to Nagios XI 5.2.2.

1. CGI Generic Cookie Injection Scripting
Synopsis: The remote web server is prone to cookie injection attacks.
Description: The remote web server hosts at least one CGI script that fails to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary
cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism.

2. CGI Generic HTML Injections (quick test)
Synopsis: The remote web server may be prone to HTML injections.
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. The remote web server may be vulnerable to IFRAME injections or cross-site scripting attacks.

3. CGI Generic XSS (extended patterns)
Synopsis: The remote web server is prone to cross-site scripting attacks.
Description: The remote web server hosts one or more CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML
and script code to be executed in a user's browser within the security context of the affected site. These XSS vulnerabilities are likely to be 'non-persistent' or 'reflected'.

4. Web Application Potentially Vulnerable to Clickjacking
Synopsis: The remote web server may fail to mitigate a class of web application vulnerabilities.
Description: The remote web server does not set an X-Frame-Options response header in all content responses. This could potentially expose the site to a clickjacking or UI Redress attack wherein an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors.

Please advise on the method to correct these issues, or if these will be corrected in a future update. Otherwise we will need an official response document from Nagios outlining why these items are false positives and/or why your product is not affected by these vulnerabilities.
Thanks!
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: New security Vulnerabilities

Post by tmcdonald »

Did the scan give any details as to the affected pages? It will be incredibly difficult to pinpoint/verify any of these results without more details. You can PM myself or our generic Nagios Support account if you want to send the report.

I will say that the CGI stuff has to be a Core issue, and the "Potentially Vulnerable" reports should always be taken with a grain of salt.
Former Nagios employee
essrichard
Posts: 24
Joined: Wed Apr 29, 2015 12:10 pm

Re: New security Vulnerabilities

Post by essrichard »

The full details have been uploaded to a spreadsheet here for you to download: https://extraspacestorage.box.com/nagiosxi
You can find the specific pages and items in question under the "Plugin output" column.
"Potentially Vulnerable" is still a medium priority item and still needs to be addressed with the other items. We need a confirmation that it is NOT vulnerable if that is the case.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: New security Vulnerabilities

Post by tmcdonald »

Just spent some time with this and while the exact XSS strings did not work as reported, I was able to replicate them on the login page. I spoke with our dev manager about this and he's working on a fix for this as well as the clickjacking.

I can't say we'll be able to get a fix out today since it would need to be tested, and we're out the rest of this week on U.S. holidays. What's the time frame for your PCI compliance?
Former Nagios employee
essrichard
Posts: 24
Joined: Wed Apr 29, 2015 12:10 pm

Re: New security Vulnerabilities

Post by essrichard »

Will you be able to get these items addressed by next week?
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: New security Vulnerabilities

Post by Box293 »

It's currently Thanksgiving holidays in the USA and the support office is closed. I would not expect a reply until next week.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: New security Vulnerabilities

Post by tmcdonald »

We can feasibly get this tested tomorrow. We had a ton of catch-up from the long weekend and this is on the list. I'll pin it in my browser so it bugs me until I get it done, and report back.
Former Nagios employee
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: New security Vulnerabilities

Post by tmcdonald »

The XSS seems pretty well-filtered, and we added some code to bust out of iframes if it is detected that we are in one. Granted, I did not perform a full pentest against the application; however, from my testing it appears the reported vulnerabilities have been addressed. I can't say whether your Nessus scan will accept JavaScript as a mitigation, however, as most automated scanners don't go that in-depth.
Former Nagios employee
essrichard
Posts: 24
Joined: Wed Apr 29, 2015 12:10 pm

Re: New security Vulnerabilities

Post by essrichard »

So from what you can see, all four vulnerabilities should be addressed in the next release? When can we expect it to be available for us to update our Nagios XI server?
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: New security Vulnerabilities

Post by tmcdonald »

We're doing our release testing today and tomorrow which usually means a release is right around the corner. Can't guarantee a date since that's up to the devs and the results of our testing, but I would imagine early next week would be a reasonable estimate. From my testing of these issues specifically they should all be fixed, but Nessus might still complain about the Clickjacking thing. We fixed the escaping of the username so XSS shouldn't be a problem.
Former Nagios employee
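The reason a scanner may keep reporting the clickjacking item even after the iframe-busting JavaScript described above is that such checks read only response headers. The following is an added example, not code from the thread or from Nagios XI, that classifies a response the way a header-only check would; the three responses are constructed samples, and the second assumes Apache's mod_headers directive `Header always set X-Frame-Options "SAMEORIGIN"` produced it.

```python
# Added example, not code from the thread or from Nagios XI: classify a web
# response's clickjacking defence the way a header-based scanner does. Such a
# check reads only response headers, so the JavaScript frame-buster described
# in the thread is invisible to it; X-Frame-Options or a CSP frame-ancestors
# directive is what clears the finding.
from typing import Dict, List, Tuple


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response into a lowercase-name -> values map."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:  # [0] is the status line
        if line == "":
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def clickjacking_verdict(raw: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'protected', 'weak' or 'unprotected'."""
    h = parse_headers(raw)
    # Browsers honour CSP frame-ancestors over X-Frame-Options when both exist.
    for csp in h.get("content-security-policy", []):
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = parts[1:] or ["'none'"]  # empty source list means 'none'
                if "*" in sources:
                    return "weak", "frame-ancestors allows any origin"
                return "protected", "frame-ancestors " + " ".join(sources)
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    if not xfo:
        return "unprotected", "no X-Frame-Options or frame-ancestors header"
    if xfo[0] in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options " + xfo[0]
    # ALLOW-FROM is obsolete and ignored by current browsers; anything else is invalid.
    return "weak", "unsupported X-Frame-Options value " + xfo[0]


# Constructed sample responses: BARE is what the scanner flags; XFO is what
# Apache's `Header always set X-Frame-Options "SAMEORIGIN"` produces.
BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
XFO = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html></html>"
CSP = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
       "frame-ancestors 'self'\r\n\r\n<html></html>")
```

Running `clickjacking_verdict` over every page the scan listed under "Plugin output" shows which responses still lack the header; the in-page script only helps once a browser has already loaded the page.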