info@cirt.gov.bd
+88-02-550071 83-86
Facebook Page LinkedIn Page Twitter Page

Multiple OS command injection vulnerabilities in Nagios XI

by
17 Apr 2021
in Security Advisories & Alerts
No Comments
1658

Description:
CVE-2021-25296
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Mitigation:
Upgrade the Windows WMI config wizard from Admin > Manage Config Wizards to version 2.2.3 or above.

CVE-2021-25297
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Mitigation:
Upgrade the Switch config wizard from Admin > Manage Config Wizards to version 2.5.4 or above.

CVE-2021-25298
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Mitigation:
Upgrade the Cloud-VM config wizard from Admin > Manage Config Wizards to version 1.0.4 or above.

Impact:
Base Score: 8.8 HIGH
OS command injection as the apache user through variables passed into the Config Wizard.

System Affected:
Nagios XI: 5.7.5

Mitigation: Updates are available. Please see the references or vendor advisory for more information.

Reference URL’s:
https://www.nagios.com/products/security/
https://assets.nagios.com/downloads/nagiosxi/versions.php
https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
https://www.nagios.com
https://nvd.nist.gov/vuln/detail/CVE-2021-25296
https://nvd.nist.gov/vuln/detail/CVE-2021-25297
https://nvd.nist.gov/vuln/detail/CVE-2021-25298

Share

Recommended Posts