CVE-2018-25121
📋 TL;DR
Nagios XI versions before 5.4.13 contain a cross-site scripting (XSS) vulnerability in the Views page of the web interface. Attackers can inject malicious scripts that execute in victims' browsers when they visit the compromised page. This affects all Nagios XI administrators and users who access the Views page.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full system compromise if combined with other vulnerabilities.
Likely Case
Session hijacking, credential theft, or defacement of the Nagios XI interface through injected content.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though some risk remains for users with active sessions.
🎯 Exploit Status
Exploitation requires user interaction (victim visiting the malicious Views page) and may depend on specific input validation bypass techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.13
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Back up your Nagios XI configuration.
2. Download and install Nagios XI version 5.4.13 or later from the official Nagios website.
3. Follow the upgrade instructions provided in the Nagios XI documentation.
4. Verify the upgrade was successful by checking the version in the web interface.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement strict input validation and output encoding for user-supplied data in the Views page to prevent script injection.
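The following is an added illustration of what "input validation and output encoding" means in practice; it is not code from this advisory or from Nagios XI (whose Views page is not shown here). The function names, the view-id allowlist and the `/nagiosxi/views/?view=` link shape are assumptions made for the example. The unsafe renderer is kept beside the hardened one so the difference is visible: the user-controlled value is encoded for the context it lands in (text vs. URL attribute) rather than filtered.

```python
import html
import re
from urllib.parse import quote

# Allowlist for a view identifier (assumption for this example):
# letters, digits, underscore and hyphen only, 1-64 characters.
VIEW_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_view_id(view_id: str) -> bool:
    """Input validation: reject anything outside the allowlist."""
    return VIEW_ID_RE.fullmatch(view_id) is not None


def render_view_title_unsafe(title: str) -> str:
    """Deliberately unsafe: user input is concatenated into HTML unencoded."""
    return f'<h2 class="view-title">{title}</h2>'


def render_view_title(title: str) -> str:
    """Hardened: encode <, >, &, " and ' so the value is text, not markup."""
    return f'<h2 class="view-title">{html.escape(title, quote=True)}</h2>'


def render_view_link(view_id: str, label: str) -> str:
    """Attribute context: validate the id, URL-encode it, HTML-encode the label."""
    if not is_valid_view_id(view_id):
        raise ValueError("invalid view id")
    href = "/nagiosxi/views/?view=" + quote(view_id, safe="")
    return f'<a href="{href}">{html.escape(label, quote=True)}</a>'


if __name__ == "__main__":
    # Constructed sample input; any markup in it must not survive as markup.
    sample = "<script>test</script>"
    print("unsafe :", render_view_title_unsafe(sample))
    print("encoded:", render_view_title(sample))
    print("link   :", render_view_link("host-status", "Host status"))
```

Validation and encoding are complementary: the allowlist stops unexpected values from reaching the page at all, and encoding guarantees that whatever does reach the page is rendered as data in its context.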
🧯 If You Can't Patch
- Restrict access to the Nagios XI web interface to trusted IP addresses only.
- Implement a web application firewall (WAF) with XSS protection rules.
🔍 How to Verify
Check if Vulnerable:
Check the Nagios XI version in the web interface under 'Help' > 'About'. If the version is below 5.4.13, the system is vulnerable.
Check Version:
grep 'nagios_version' /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
After upgrading, confirm the version is 5.4.13 or higher and test the Views page for script injection by attempting to input malicious payloads (in a controlled environment).
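As an added example (not part of this advisory or of Nagios' own tooling), the check above can be scripted so that the version comparison is numeric rather than a string match, which matters because "5.4.9" sorts after "5.4.13" as text. The `key=value` layout of the xiversion file and the `nagios_version` key are assumptions based on the `grep` command given above; the sample file contents are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed version as stated in the advisory.
FIXED_VERSION = "5.4.13"

# Path from the advisory's grep command.
XIVERSION_PATH = "/usr/local/nagiosxi/var/xiversion"

# Constructed sample of file contents; the key=value layout is an assumption.
SAMPLE_XIVERSION = """# constructed sample, not a real file
nagios_version=5.4.12
product=xi
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.4.12' (or '5.4.13rc1') into (5, 4, 12) for numeric comparison."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def read_installed_version(contents: str) -> Optional[str]:
    """Extract the value of the nagios_version key from xiversion-style text."""
    for line in contents.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "nagios_version":
            return value.strip()
    return None


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed, comparing component-wise (5.4.9 < 5.4.13)."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))   # pad so that 5.4 compares as 5.4.0
    b += (0,) * (n - len(b))
    return a < b


def check_file(path: str = XIVERSION_PATH) -> Optional[bool]:
    """Read the version file on a live host; None if no version is found."""
    with open(path, encoding="utf-8") as fh:
        version = read_installed_version(fh.read())
    return None if version is None else is_vulnerable(version)


if __name__ == "__main__":
    v = read_installed_version(SAMPLE_XIVERSION)
    state = "VULNERABLE" if is_vulnerable(v) else "patched"
    print(f"installed {v}: {state} (fixed in {FIXED_VERSION})")
```

Run `check_file()` on the host itself to test the real file; the sample contents are only there so the script runs offline.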
📡 Detection & Monitoring
Log Indicators:
- Unusual or malicious script tags in web server logs for the Views page (e.g., /nagiosxi/views/).
- Multiple failed login attempts followed by access to the Views page.
Network Indicators:
- HTTP requests containing script injection payloads to the Nagios XI Views page.
SIEM Query:
source="web_server_logs" AND uri="/nagiosxi/views/" AND (payload="<script>" OR payload="javascript:")
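The SIEM query above matches the literal strings `<script>` and `javascript:`; a request that carries them URL-encoded (`%3Cscript%3E`) would slip past a raw string match. The following added example, which is not part of this advisory and not Nagios' own detection content, applies the same two indicators to web server access logs after decoding the request URI (repeatedly, so double-encoding is also caught) and restricts the check to the Views page path named above. The log lines are constructed in common/combined log format for demonstration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Indicators from the advisory's SIEM query, matched after URL decoding.
INDICATORS = ("<script", "javascript:")
VIEWS_PATH = "/nagiosxi/views/"

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2018:10:01:02 +0000] "GET /nagiosxi/views/?view=host-status HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2018:10:01:10 +0000] "GET /nagiosxi/views/?name=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2018:10:01:15 +0000] "GET /nagiosxi/views/?url=javascript:void(0) HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2018:10:02:00 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2018:10:02:30 +0000] "POST /nagiosxi/views/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_uri(uri: str, rounds: int = 3) -> str:
    """URL-decode until stable so %253C (double-encoded '<') is still seen."""
    prev = uri
    for _ in range(rounds):
        cur = unquote_plus(prev)
        if cur == prev:
            break
        prev = cur
    return prev.lower()


def find_indicator(uri: str) -> Optional[str]:
    """Return the first indicator present in the decoded URI, else None."""
    decoded = decode_uri(uri)
    for ind in INDICATORS:
        if ind in decoded:
            return ind
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag requests to the Views page whose decoded URI carries an indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["uri"].startswith(VIEWS_PATH):
            continue
        ind = find_indicator(rec["uri"])
        if ind:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "indicator": ind, "uri": rec["uri"]})
    return findings


def suspicious_sources(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per source address to surface repeated attempts."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} matched {h['indicator']!r}: {h['uri']}")
    print("per-source counts:", suspicious_sources(hits))
```

The decode-then-match step is the point: apply the same normalisation in the SIEM (most platforms expose a URL-decode function) before comparing against the indicator strings, and key alerts on the source address so that a burst of matches from one client stands out.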