
CVE-2021-37343, CVE-2021-37346, CVE-2021-37344

Posted: Wed Sep 22, 2021 1:40 pm
by xlin125
We have Nagios XI 2014R2.7, XI 5.2.3, and XI 5.4.8 installed on Redhat servers (RHEL6.10, RHEL 7.6). The following security vulnerabilities have been disclosed:
1) CVE-2021-37343 (CVSS score: 8.8) - A path traversal vulnerability exists in Nagios XI below version 5.8.5 Autodiscover component and could lead to post-authenticated RCE under the security context of the user running Nagios.
2) CVE-2021-37346 (CVSS score: 9.8) - Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through improper neutralization of special elements used in an OS Command (OS Command injection).
3) CVE-2021-37344 (CVSS score: 9.8) - Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralization of special elements used in an OS Command (OS Command injection).

Are there any fixes/patches to address these security vulnerabilities? How can we verify these security vulnerabilities and/or identify the Autodiscover component, Nagios XI WatchGuard Wizard, and Nagios XI Switch Wizard, and whether these components and wizards apply to/impact our Nagios XI servers with different versions?

Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344

Posted: Wed Sep 22, 2021 10:54 pm
by xlin125
I just verified that our Nagios XI servers do not use Auto-discover, WatchGuard Wizard, and Switch and Router Wizard. So our Nagios XI is not impacted by these CVEs.

Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344

Posted: Thu Sep 23, 2021 11:27 am
by ssax
You would need to upgrade to the latest to be fully protected.

See here:

https://www.nagios.com/products/security/
https://www.nagios.com/security-faq/

If you are sure you are not using them you can move the config wizards out to make them inaccessible to be protected:

mkdir /root/xi_configwizard_backup
mv /usr/local/nagiosxi/html/includes/configwizards/autodiscovery /root/xi_configwizard_backup/
mv /usr/local/nagiosxi/html/includes/configwizards/watchguard /root/xi_configwizard_backup/
mv /usr/local/nagiosxi/html/includes/configwizards/switch /root/xi_configwizard_backup/
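
A check script for the workaround above, added here as an example; it is not from the Nagios forum or Nagios XI itself. It reports which of the three wizard directories named in the CVEs are still present under the install, and can move them to the backup directory the way the commands above do; the install root and backup path are parameters (assumed, defaulting to the paths quoted in the post) so it can be run against a test tree.

```shell
#!/bin/sh
# Map each config wizard directory to the CVE the thread associates with it.
wizard_cve() {
  case "$1" in
    autodiscovery) echo "CVE-2021-37343" ;;
    watchguard)    echo "CVE-2021-37346" ;;
    switch)        echo "CVE-2021-37344" ;;
    *)             echo "unknown" ;;
  esac
}

# Print one line per wizard; return 1 if any of them is still installed.
# $1: configwizards directory (assumed default is the path from the post).
check_wizards() {
  base="${1:-/usr/local/nagiosxi/html/includes/configwizards}"
  found=0
  for w in autodiscovery watchguard switch; do
    if [ -d "$base/$w" ]; then
      echo "PRESENT $w ($(wizard_cve "$w"))"
      found=1
    else
      echo "absent  $w"
    fi
  done
  return $found
}

# Move the wizard directories out of the web root, the same mitigation
# as the mv commands above, but idempotent: already-moved ones are skipped.
# $1: configwizards directory, $2: backup directory (defaults as in the post).
disable_wizards() {
  base="${1:-/usr/local/nagiosxi/html/includes/configwizards}"
  backup="${2:-/root/xi_configwizard_backup}"
  mkdir -p "$backup"
  for w in autodiscovery watchguard switch; do
    [ -d "$base/$w" ] && mv "$base/$w" "$backup/"
  done
  return 0
}
```

Run `check_wizards` first to see what is present, then `disable_wizards`, then `check_wizards` again, which should exit 0 once nothing is left.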

Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344

Posted: Thu Sep 23, 2021 4:30 pm
by xlin125
@ssax, thanks for the response and recommendation.

So, even if we do not use/configure them at all, would it still be a vulnerability issue if we leave them in /usr/local/nagiosxi/html/includes/configwizards as is? Assuming nobody will touch (configure) them via the Nagios XI Web Interface (GUI), even though they are listed under "Configure->Configuration Wizards".

Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344

Posted: Fri Sep 24, 2021 12:21 pm
by ssax
Correct, the attack utilizes them if they exist.

Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344

Posted: Sun Sep 26, 2021 11:16 am
by xlin125
@ssax, thank you!

Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344

Posted: Mon Sep 27, 2021 3:10 pm
by benjaminsmith
Hi,

Did you have any other questions or shall we close this topic? Let us know when you have a minute

--Benjamin

Re: CVE-2021-37343, CVE-2021-37346, CVE-2021-37344

Posted: Fri Oct 01, 2021 10:32 am
by xlin125
Please close it. Thanks!