CVE-2020-35578

7.2 HIGH

📋 TL;DR

CVE-2020-35578 is an OS command injection vulnerability in Nagios XI's Manage Plugins page that allows authenticated admin users to execute arbitrary operating system commands during plugin upload. This affects Nagios XI versions before 5.8.0. Attackers with admin credentials can achieve remote code execution on the Nagios XI server.

💻 Affected Systems

Products:
  • Nagios XI
Versions: All versions before 5.8.0
Operating Systems: Linux (all supported distributions)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated admin user access to the Manage Plugins page. The vulnerability is present in the line-ending conversion feature during plugin upload.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Nagios XI server, allowing attackers to execute arbitrary commands as the Nagios user, potentially leading to lateral movement, data exfiltration, or installation of persistent backdoors.

🟠 Likely Case

Authenticated attackers with admin privileges gain remote code execution on the Nagios XI server, enabling them to manipulate monitoring data, disrupt monitoring services, or use the server as a pivot point.

🟢 If Mitigated

Limited impact due to proper access controls, network segmentation, and monitoring that detects unusual plugin uploads or command execution.

🌐 Internet-Facing: HIGH if Nagios XI is exposed to the internet with admin accounts accessible, as authenticated attackers can exploit remotely.
🏢 Internal Only: HIGH for internal networks, as authenticated admin users (including compromised accounts) can exploit the vulnerability from within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public exploit scripts are available on Packet Storm Security. Exploitation requires admin credentials but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8.0 and later

Vendor Advisory: https://www.nagios.com/downloads/nagios-xi/change-log/

Restart Required: Yes

Instructions:

1. Back up your Nagios XI configuration and data.
2. Download Nagios XI 5.8.0 or later from the official Nagios website.
3. Follow the upgrade instructions in the Nagios XI documentation.
4. Restart Nagios XI services after the upgrade.

🔧 Temporary Workarounds

Restrict Admin Access (platform: all)

Limit admin user accounts to only trusted personnel and implement strong authentication controls.

Disable Plugin Uploads (platform: linux)

Temporarily disable plugin upload functionality in the Manage Plugins page if not required.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Nagios XI from critical systems.
  • Enhance monitoring of Nagios XI logs for unusual plugin uploads or command execution patterns.

🔍 How to Verify

Check if Vulnerable:

Check Nagios XI version via the web interface (Help > About) or command line: grep 'nagiosxi_version' /usr/local/nagiosxi/var/xiversion

Check Version:

grep 'nagiosxi_version' /usr/local/nagiosxi/var/xiversion

Verify Fix Applied:

Verify version is 5.8.0 or higher using the same commands. Test plugin upload functionality to ensure proper validation.
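As an added example (not part of this page and not Nagios' own tooling), the following POSIX shell script automates the version check above: it reads the nagiosxi_version line from an xiversion-style file and compares it field by field against 5.8.0, the first release the page names as fixed. It assumes the file holds a line of the form nagiosxi_version="X.Y.Z"; the sample file it writes for its own demonstration is constructed, not taken from a real install.

```shell
#!/bin/sh
# Added example (not Nagios' own code): decide whether a Nagios XI install
# is below 5.8.0, the first release the page names as fixed.
# Assumption: the xiversion file holds a line such as nagiosxi_version="5.7.5".

FIXED_VERSION="5.8.0"

# Print the X.Y.Z value from the nagiosxi_version line of the file given as $1.
xi_version_from_file() {
    sed -n 's/^nagiosxi_version=//p' "$1" | tr -d '"' | head -n 1
}

# Return 0 if version $1 is strictly older than version $2.
# Fields are compared numerically, so 5.10.0 correctly sorts after 5.8.0
# (a plain string comparison would get this wrong); missing fields count as 0.
version_lt() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{ print $n }')
        y=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{ print $n }')
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 1            # every field equal: not older
        fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Print "vulnerable", "fixed" or "unknown" for the xiversion-style file $1.
# Exit status: 0 when a verdict was reached, 2 when no version line was found.
cve_2020_35578_status() {
    v=$(xi_version_from_file "$1")
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable ($v < $FIXED_VERSION)"
    else
        echo "fixed ($v >= $FIXED_VERSION)"
    fi
}

# Demonstration on a constructed sample file; on a real host run
#   cve_2020_35578_status /usr/local/nagiosxi/var/xiversion
sample=$(mktemp)
printf 'nagiosxi_version="5.7.5"\n' > "$sample"
cve_2020_35578_status "$sample"      # vulnerable (5.7.5 < 5.8.0)
rm -f "$sample"
```

The numeric field comparison matters because a later minor release such as 5.10.x would be wrongly flagged as vulnerable by a string comparison against 5.8.0; an "unknown" verdict (exit status 2) means the file did not contain the expected line and the version should be confirmed through the web interface instead.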

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin uploads in /usr/local/nagiosxi/var/components/profile*.log
  • Suspicious command execution in system logs

Network Indicators:

  • Unexpected outbound connections from Nagios XI server
  • Anomalous HTTP POST requests to plugin upload endpoints

SIEM Query:

source="nagiosxi" AND (event="plugin_upload" OR event="command_execution")

🔗 References
