Nagios XI, a network and IT infrastructure monitoring solution, has been found to have four vulnerabilities, identified as CVE-2023-40931, CVE-2023-40932, CVE-2023-40933, and CVE-2023-40934. These vulnerabilities could potentially lead to information disclosure and privilege escalation. Nagios XI is a critical infrastructure component monitoring tool used by thousands of organizations globally.
The vulnerabilities were discovered by Astrid Tedenbrant, a researcher at Outpost24, during routine research. The flaws affect Nagios XI 5.11.1 and earlier. Three of them, CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934, are SQL injection issues. An attacker could exploit these vulnerabilities to escalate privileges in the product and gain access to sensitive user data, such as password hashes and API tokens.
The fourth vulnerability, CVE-2023-40932, is a cross-site scripting flaw within the Custom Logo component. This vulnerability could be exploited by an attacker to read and modify page data, including plain-text passwords from login forms. In a post published by Outpost24, it was stated, “Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections. The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens.” The post also stated, “The fourth vulnerability (CVE-2023-40932) allows Cross-Site Scripting via the Custom Logo component, which will render on every page, including the login page. This may be used to read and modify page data, such as plain-text passwords from login forms.”
Nagios addressed these vulnerabilities on September 11, 2023, with the release of version 5.11.2. It's worth noting that in September 2021, researchers from the industrial cybersecurity firm Claroty discovered eleven vulnerabilities in Nagios. These vulnerabilities could lead to server-side request forgery (SSRF), spoofing, local privilege escalation, remote code execution, and information disclosure.