CVE-2020-35269
📋 TL;DR
This CSRF vulnerability in Nagios Core 4.2.4 allows attackers to trick authenticated administrators into performing unauthorized actions like adding, deleting, or modifying hosts and servers. Anyone running the vulnerable Nagios Core version with web interface access is affected.
💻 Affected Systems
- Nagios Core
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of monitoring infrastructure - attackers could delete all monitoring targets, add malicious hosts, or disrupt monitoring entirely.
Likely Case
Unauthorized configuration changes leading to monitoring blind spots, false alerts, or service disruption.
If Mitigated
Limited impact if CSRF protections are implemented or administrative access is restricted.
🎯 Exploit Status
CSRF attacks are well-understood and easy to implement; requires victim to be logged into Nagios web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.0 and later
Vendor Advisory: https://www.nagios.org/projects/nagios-core/history/4x/
Restart Required: Yes
Instructions:
1. Backup current configuration.
2. Download Nagios Core 4.4.0 or later.
3. Follow upgrade instructions from Nagios documentation.
4. Restart Nagios service.
🔧 Temporary Workarounds
Implement CSRF Tokens
Add CSRF protection tokens to all administrative forms
Requires custom code modifications to Nagios Core
Restrict Web Interface Access
Limit access to Nagios web interface using firewall rules or authentication proxies
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
🧯 If You Can't Patch
- Implement strict SameSite cookie policies and Content Security Policy headers
- Use browser extensions that block CSRF requests or require administrative actions to be confirmed via second factor
🔍 How to Verify
Check if Vulnerable:
Check Nagios Core version: grep 'nagios_version' /usr/local/nagios/var/log/nagios.log or check web interface footer
Check Version:
/usr/local/nagios/bin/nagios --version
Verify Fix Applied:
Verify version is 4.4.0 or higher and test CSRF protection by attempting to submit forms without proper tokens
📡 Detection & Monitoring
Log Indicators:
- Unexpected configuration changes in nagios.cfg
- Unauthorized host/service additions/deletions in object configuration files
Network Indicators:
- CSRF attack patterns in web server logs
- Unexpected POST requests to administrative endpoints
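As an added detection example (not part of the original advisory), the script below parses Apache combined-format access-log lines and flags POST requests to the Nagios command CGI whose Referer header is missing or points at another site. The log lines are constructed, and both the endpoint path /nagios/cgi-bin/cmd.cgi and the trusted host name are assumptions to adjust for your deployment.

```python
import re
from urllib.parse import urlparse

# Constructed Apache "combined" access-log lines (not from any real deployment).
SAMPLE_LOG = """\
192.0.2.10 - nagiosadmin [10/Jan/2021:10:00:01 +0000] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 5123 "https://nagios.example.internal/nagios/" "Mozilla/5.0"
192.0.2.10 - nagiosadmin [10/Jan/2021:10:00:05 +0000] "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 200 1840 "https://nagios.example.internal/nagios/cgi-bin/cmd.cgi?cmd_typ=34" "Mozilla/5.0"
192.0.2.10 - nagiosadmin [10/Jan/2021:10:02:17 +0000] "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 200 1840 "http://third-party.example/page.html" "Mozilla/5.0"
192.0.2.10 - nagiosadmin [10/Jan/2021:10:02:19 +0000] "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed administrative endpoint: the Nagios Core external-command CGI.
ADMIN_PATHS = ("/nagios/cgi-bin/cmd.cgi",)


def flag_csrf_suspects(log_text, trusted_host, admin_paths=ADMIN_PATHS):
    """Return (line_no, user, reason) for POSTs to admin endpoints whose
    Referer is absent or names a host other than the Nagios server."""
    trusted_host = trusted_host.lower()
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line or not a state-changing request
        if m["path"].split("?", 1)[0] not in admin_paths:
            continue
        ref = m["referer"]
        if ref in ("", "-"):
            findings.append((n, m["user"], "missing Referer"))
            continue
        ref_host = (urlparse(ref).hostname or "").lower()
        if ref_host != trusted_host:
            findings.append((n, m["user"], f"cross-site Referer {ref_host}"))
    return findings


if __name__ == "__main__":
    for line_no, user, reason in flag_csrf_suspects(SAMPLE_LOG, "nagios.example.internal"):
        print(f"line {line_no}: user={user} {reason}")
```

A missing Referer on its own is a weak signal, since browsers and proxies may strip it, so treat that finding as a lead to correlate with the configuration-change indicators above rather than as proof of an attack.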
SIEM Query:
source="nagios.log" AND ("configuration change" OR "modified" OR "added" OR "deleted") AND NOT user="authorized_admin"