CVE-2020-28906

8.8 HIGH

📋 TL;DR

This vulnerability allows low-privileged users in Nagios XI and Nagios Fusion to modify files that are later executed with root privileges, enabling privilege escalation to root. It affects Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier. Attackers with authenticated low-privilege access can gain full system control.

💻 Affected Systems

Products:
  • Nagios XI
  • Nagios Fusion
Versions: Nagios XI ≤ 5.7.5, Nagios Fusion ≤ 4.1.8
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations within affected version ranges are vulnerable. Requires authenticated low-privilege access.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with root access, allowing installation of persistent backdoors, data theft, and lateral movement across the network.

🟠 Likely Case: Privilege escalation from low-privileged user to root, enabling full control of the Nagios server and potential access to monitored systems.

🟢 If Mitigated: Limited impact if proper access controls, file integrity monitoring, and least privilege principles are enforced.

🌐 Internet-Facing: HIGH if Nagios web interface is exposed to internet and attackers can obtain low-privilege credentials.
🏢 Internal Only: HIGH as authenticated low-privilege users (including compromised accounts) can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but is straightforward to execute. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Nagios XI 5.7.6+, Nagios Fusion 4.1.9+

Vendor Advisory: https://www.nagios.com/downloads/nagios-xi/change-log/

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download the latest version from the Nagios website.
3. Follow the upgrade instructions for your version.
4. Restart the Nagios services.

🔧 Temporary Workarounds

Restrict file permissions (linux)

Manually adjust permissions on files that are sourced by root-executed scripts so that low-privileged users cannot modify them. Note that a chmod only helps when the files are owned by root: mode 644 still lets the file's owner write to it, so also check the ownership (ls -l) of anything that root sources. The find expressions below group the -name tests so that -type f applies to all of them, and use -exec instead of xargs so that paths containing whitespace are handled correctly.

find /usr/local/nagiosxi -type f \( -name '*.sh' -o -name '*.php' -o -name '*.inc' \) -exec chmod 644 {} +
find /usr/local/nagiosxi -type f -name '*.cfg' -exec chmod 640 {} +

Implement strict access controls (all)

Limit low-privileged user access to Nagios administration interfaces and implement strong authentication.

🧯 If You Can't Patch

  • Implement strict least privilege access controls for Nagios users
  • Deploy file integrity monitoring on Nagios configuration and script files

🔍 How to Verify

Check if Vulnerable:

Check the installed Nagios version. For Nagios XI: cat /usr/local/nagiosxi/var/xiversion. For Nagios Fusion: cat /usr/local/nagiosfusion/var/fusionversion.

Check Version:

cat /usr/local/nagiosxi/var/xiversion 2>/dev/null || cat /usr/local/nagiosfusion/var/fusionversion 2>/dev/null

Verify Fix Applied:

Verify version is above vulnerable range: Nagios XI ≥ 5.7.6 or Nagios Fusion ≥ 4.1.9
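
An added example (not from the advisory or from Nagios): a POSIX shell check that reads the version files named above and compares the installed version against the fixed releases (XI 5.7.6, Fusion 4.1.9). It assumes the version file contains a dotted version string somewhere in its text (e.g. `5.7.5` or `full=5.7.5`); the exact file layout is not given on this page.

```sh
#!/bin/sh
# Added example for CVE-2020-28906: is the installed Nagios XI / Fusion version in the
# vulnerable range? Fixed versions from the advisory: XI 5.7.6, Fusion 4.1.9.
# Assumption: the version file holds a dotted version somewhere in its text
# (e.g. "5.7.5" or "full=5.7.5"); the real file layout is not specified above.

# Print the first dotted version string found in the given text (or nothing).
extract_version() {
  printf '%s\n' "$1" | tr -c '0-9.\n' '\n' | grep -E '^[0-9]+(\.[0-9]+)+$' | head -n 1
}

# Succeed (exit 0) when version $1 is strictly lower than version $2.
# Components are compared numerically, so 5.10.0 sorts after 5.7.6; missing components count as 0.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
  done
  return 1   # versions are equal
}

# Succeed when PRODUCT ("xi" or "fusion") at VERSION is below its fixed release.
is_vulnerable() {
  case "$1" in
    xi)     fixed=5.7.6 ;;
    fusion) fixed=4.1.9 ;;
    *)      echo "unknown product: $1" >&2; return 2 ;;
  esac
  version_lt "$2" "$fixed"
}

# classify PRODUCT VERSION -> prints "vulnerable", "fixed" or "unknown" (empty version).
classify() {
  [ -n "$2" ] || { echo unknown; return 0; }
  if is_vulnerable "$1" "$2"; then echo vulnerable; else echo fixed; fi
}

# Check the live host using the paths from the advisory; products not installed are skipped.
check_host() {
  for entry in xi:/usr/local/nagiosxi/var/xiversion fusion:/usr/local/nagiosfusion/var/fusionversion; do
    prod=${entry%%:*}; file=${entry#*:}
    [ -r "$file" ] || continue
    v=$(extract_version "$(cat "$file")")
    printf '%s %s: %s\n' "$prod" "${v:-?}" "$(classify "$prod" "$v")"
  done
}

check_host
```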

📡 Detection & Monitoring

Log Indicators:

  • Unexpected modifications to Nagios configuration files
  • Privilege escalation attempts in system logs
  • Unauthorized root access from Nagios user accounts

Network Indicators:

  • Unusual outbound connections from Nagios server
  • Suspicious authentication patterns to Nagios web interface

SIEM Query (generic; adapt the source and event field names to the log schema your SIEM actually ingests from the Nagios host):

source="nagios.log" AND (event="file_modified" OR event="privilege_escalation")
