CVE-2020-28910

9.8 CRITICAL

📋 TL;DR

This vulnerability in Nagios XI 5.7.5 and earlier allows a local attacker to escalate privileges by abusing insecure temporary directory permissions in getprofile.sh. Because the directory is writable by unprivileged users, an attacker can plant symbolic links that the script follows when it runs with elevated privileges. All Nagios XI installations running a vulnerable version are affected.

💻 Affected Systems

Products:
  • Nagios XI
Versions: 5.7.5 and earlier
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The flaw lies in the getprofile.sh script, which creates and uses the temporary directories.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root privileges, allowing complete control over the Nagios server and potentially lateral movement to other systems.

🟠

Likely Case

Local privilege escalation from a low-privileged user to root, enabling installation of backdoors, data theft, and further system manipulation.

🟢

If Mitigated

Limited impact if proper file permissions and access controls prevent unauthorized users from accessing the system or creating symlinks.

🌐 Internet-Facing: MEDIUM - While exploitation requires local access, internet-facing Nagios servers could be compromised through other initial access vectors.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can easily exploit this to gain root privileges on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system. The vulnerability is well documented and a public proof of concept is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7.6 and later

Vendor Advisory: https://www.nagios.com/downloads/nagios-xi/change-log/

Restart Required: No

Instructions:

1. Back up your Nagios XI configuration.
2. Download the latest version from the Nagios website.
3. Follow the upgrade instructions in the Nagios XI documentation.
4. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Secure Temporary Directory Permissions (Linux)

Manually secure the temporary directory permissions to prevent symlink attacks:

chmod 700 /tmp/nagiosxi_profile_tmp
chown root:root /tmp/nagiosxi_profile_tmp

🧯 If You Can't Patch

  • Restrict local user access to the Nagios server to only authorized administrators
  • Implement strict file integrity monitoring on the getprofile.sh script and temporary directories

🔍 How to Verify

Check if Vulnerable:

Check the installed Nagios XI version: cat /usr/local/nagiosxi/var/xiversion

Verify Fix Applied:

Verify that the version is 5.7.6 or higher and that the getprofile.sh script has been updated.
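A local check script covering both the version test above and the temporary directory workaround from the previous section. This is an added example, not part of the original advisory or of Nagios XI; it assumes a Linux host with GNU coreutils (stat -c), uses the paths quoted on this page as defaults, and assumes the xiversion file holds either a bare "5.7.5" line or a "full=5.7.5" key/value line.

```shell
#!/bin/sh
# Added example (not from the advisory or from Nagios): checks the installed
# Nagios XI version against the fixed release (5.7.6) and inspects the temp
# directory named in the workaround. Both paths can be overridden by argument.
# Assumes GNU stat (Linux). Assumption: xiversion is "5.7.5" or "full=5.7.5".

# Return 0 if dotted version $1 is greater than or equal to $2, else 1.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Print fixed, vulnerable or unknown based on the xiversion file.
nagiosxi_version_status() {
    f="${1:-/usr/local/nagiosxi/var/xiversion}"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(sed -n 's/^full=//p' "$f" | head -n 1)
    [ -n "$v" ] || v=$(head -n 1 "$f")
    v=$(printf '%s' "$v" | tr -d '[:space:]')
    if version_ge "$v" 5.7.6; then echo fixed; else echo vulnerable; fi
}

# Print hardened, weak, symlink, notdir or missing for the temp directory.
# "hardened" means a real directory owned by root with mode 700 (the workaround).
tmpdir_status() {
    d="${1:-/tmp/nagiosxi_profile_tmp}"
    [ -e "$d" ] || [ -L "$d" ] || { echo missing; return 0; }
    [ -L "$d" ] && { echo symlink; return 0; }
    [ -d "$d" ] || { echo notdir; return 0; }
    mode=$(stat -c '%a' "$d"); owner=$(stat -c '%U' "$d")
    if [ "$owner" = root ] && [ "$mode" = 700 ]; then echo hardened; else echo weak; fi
}

# Stand-alone run: report both checks using the default paths.
echo "nagiosxi version: $(nagiosxi_version_status)"
echo "temp directory:   $(tmpdir_status)"
```

A "symlink" or "weak" result for the temp directory means the workaround is not in place; "missing" is expected on a host where getprofile.sh has not been run yet.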

📡 Detection & Monitoring

Log Indicators:

  • Unusual symlink creation in /tmp directories
  • Multiple failed privilege escalation attempts
  • Suspicious activity from non-admin users in Nagios logs

Network Indicators:

  • Unusual outbound connections from Nagios server post-exploitation

SIEM Query:

source="nagios" AND (event="symlink_creation" OR event="privilege_escalation_attempt")
