CVE-2011-10035

7.0 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in Nagios XI where low-privileged users can exploit race conditions during crontab installation/update scripts. Attackers can manipulate filesystem state to execute arbitrary commands with elevated privileges. Only Nagios XI installations prior to version 2011R1.9 are affected, and exploitation requires local user access.

💻 Affected Systems

Products:
  • Nagios XI
Versions: All versions prior to 2011R1.9
Operating Systems: Linux systems running Nagios XI
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local user access to the Nagios XI server. All default installations of affected versions are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains root privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.

🟠

Likely Case

Local user escalates to root or administrative privileges, allowing monitoring system manipulation, credential harvesting, and further privilege abuse.

🟢

If Mitigated

With proper access controls and patching, the impact is limited to a denial of service or a minimal privilege gain if an exploitation attempt fails.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated local access, not remotely exploitable.
🏢 Internal Only: HIGH - Any local user account (including low-privileged service accounts) can potentially exploit this to gain root access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and understanding of race condition timing. Public exploit details exist in vulnerability reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2011R1.9 and later

Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download Nagios XI 2011R1.9 or later from the Nagios website.
3. Follow the official upgrade instructions.
4. Restart Nagios services.
5. Verify the version update.

🔧 Temporary Workarounds

Restrict local user access

Limit local user accounts on Nagios XI servers to only necessary administrative users

# Review and remove unnecessary local users
sudo userdel <unnecessary_user>
# Restrict SSH access to admin users only

File permission hardening

Set strict permissions on the crontab installation scripts and directories. Changing the owner and mode of every script under /usr/local/nagiosxi/scripts/ may break Nagios XI components that run those scripts as a non-root user, so test this on a non-production system before applying it.

sudo chmod 750 /usr/local/nagiosxi/scripts/*
sudo chown root:root /usr/local/nagiosxi/scripts/*
sudo chmod 644 /etc/cron.d/nagiosxi

🧯 If You Can't Patch

  • Implement strict access controls to prevent local user access to Nagios XI servers
  • Monitor for suspicious privilege escalation attempts and file modifications in crontab directories

🔍 How to Verify

Check if Vulnerable:

Check Nagios XI version: grep 'nagios_version' /usr/local/nagiosxi/html/config.inc.php | grep -E '2011R1\.[0-8]\b'
(The original pattern used (0-8), which is a group containing the literal text 0-8 rather than a digit range; [0-8] matches one digit, and the trailing \b keeps 2011R1.1 from also matching 2011R1.10 and later. This pattern only catches 2011R1.0 through 2011R1.8; any older release line is also affected and must be compared by hand.)

Check Version:

grep 'nagios_version' /usr/local/nagiosxi/html/config.inc.php

Verify Fix Applied:

Verify version is 2011R1.9 or later: grep 'nagios_version' /usr/local/nagiosxi/html/config.inc.php

📡 Detection & Monitoring

Log Indicators:

  • Unusual crontab modifications by non-root users
  • Multiple rapid file operations in /etc/cron.d/ or Nagios script directories
  • Failed privilege escalation attempts in system logs

Network Indicators:

  • None - local exploitation only

SIEM Query:

source="syslog" AND ("crontab" OR "/etc/cron.d/") AND user!="root" AND (action="modify" OR action="create")
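The log indicators and SIEM query above, turned into a runnable check. This is an added example, not code from this page or from Nagios: it scans constructed, simplified syslog-style lines (the line format, user names, timestamps and the example.sh path are all assumptions made up for the example) for create/modify operations under /etc/cron.d/ or the Nagios script directory by non-root users, and flags bursts of such operations, which is the "multiple rapid file operations" pattern the indicators describe.

```python
# Added example: scan simplified syslog-style lines for the page's log indicators.
# Constructed line format: "<epoch> user=<name> action=<create|modify|delete> path=<path>"
import re
from collections import defaultdict

WATCHED_PREFIXES = ("/etc/cron.d/", "/usr/local/nagiosxi/scripts/")
WATCHED_ACTIONS = {"create", "modify"}  # mirrors the SIEM query above
LINE_RE = re.compile(r"^(?P<ts>\d+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")

# Constructed sample log: one legitimate root edit, a non-root burst, some noise.
SAMPLE_LOG = """\
1700000000 user=root action=modify path=/etc/cron.d/nagiosxi
1700000001 user=svc_backup action=create path=/etc/cron.d/nagiosxi
1700000001 user=svc_backup action=delete path=/etc/cron.d/nagiosxi
1700000002 user=svc_backup action=create path=/etc/cron.d/nagiosxi
1700000002 user=svc_backup action=modify path=/usr/local/nagiosxi/scripts/example.sh
1700000030 user=alice action=modify path=/home/alice/notes.txt
1700000031 user=bob action=create path=/etc/cron.d/nagiosxi
"""

def parse_line(line):
    """Return an event dict for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), ts=int(m["ts"])) if m else None

def is_suspicious(ev):
    """Non-root create/modify under a watched cron or script directory."""
    return (ev["user"] != "root" and ev["action"] in WATCHED_ACTIONS
            and ev["path"].startswith(WATCHED_PREFIXES))

def find_indicators(lines, burst_count=3, window_s=2):
    """Return matching events plus (user, first_ts, last_ts) for each user with
    burst_count or more matching events inside any window_s-second window."""
    events = [ev for ev in map(parse_line, lines) if ev and is_suspicious(ev)]
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev["ts"])
    bursts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= burst_count:
                bursts.append((user, times[start], times[end]))
                break  # report each user's burst once
    return {"events": events, "bursts": bursts}
```

On the sample log, svc_backup's three matching operations within one second are reported as a burst, while bob's single cron.d write is listed as an event but not a burst.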
