CVE-2020-36862
📋 TL;DR
Nagios XI versions before 5.6.11 have unauthenticated vulnerabilities in the Highcharts export tool. Attackers can inject malicious scripts into exported content (XSS) and force the server to access internal URLs (SSRF). This affects all Nagios XI installations using vulnerable versions, exposing them to client-side attacks and potential internal network reconnaissance.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals admin session cookies via XSS, gains full Nagios XI control, then uses SSRF to pivot to internal systems, potentially accessing sensitive data or internal services.
Likely Case
Attacker performs reflected XSS to steal user sessions or credentials, and uses SSRF to scan internal network services or access metadata services.
If Mitigated
With proper network segmentation and WAF rules, the impact is limited to XSS affecting individual users who view malicious exports.
🎯 Exploit Status
Exploitation requires crafting specific export requests but doesn't require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.11
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Back up the current Nagios XI installation.
2. Download Nagios XI 5.6.11 or later from the Nagios customer portal.
3. Follow the official upgrade instructions for your platform.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Disable Highcharts Export
Temporarily disable the vulnerable Highcharts export functionality
Edit Nagios XI configuration to remove or disable Highcharts export module
Network Access Control
Restrict access to Nagios XI export endpoints via firewall or WAF
Configure firewall rules to block external access to /nagiosxi/export endpoints
🧯 If You Can't Patch
- Implement strict WAF rules to block malicious export requests and SSRF attempts
- Segment Nagios XI server to prevent SSRF access to critical internal resources
🔍 How to Verify
Check if Vulnerable:
Check the Nagios XI version via the Admin > System Config > About page, or with the command: cat /usr/local/nagiosxi/var/xiversion
Check Version:
cat /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
Confirm the version is 5.6.11 or higher, then test the export functionality with safe test payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual export requests with script tags or external URLs in Nagios XI logs
- Multiple failed export attempts from single IP
Network Indicators:
- HTTP requests to /nagiosxi/export with suspicious parameters
- Outbound connections from Nagios XI server to unexpected internal IPs
SIEM Query:
source="nagiosxi.log" AND ("export" AND ("script" OR "http://" OR "https://"))
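The log indicators above can be checked mechanically. The following is an added example, not part of this advisory or of Nagios XI itself: it scans web-server access-log lines (Apache combined format is assumed) for requests to the /nagiosxi/export path whose decoded query string carries a script-tag marker (XSS) or an embedded http(s) URL (SSRF), and counts repeated failed export attempts per client IP. The log lines are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); not real Nagios XI logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:10:00:01 +0000] "GET /nagiosxi/export/?type=png&options=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.7 - - [10/Jan/2020:10:00:05 +0000] "GET /nagiosxi/export/?url=http://10.0.0.5/ HTTP/1.1" 500 0 "-" "curl/7.64"
203.0.113.7 - - [10/Jan/2020:10:00:06 +0000] "GET /nagiosxi/export/?url=http://10.0.0.6/ HTTP/1.1" 500 0 "-" "curl/7.64"
198.51.100.2 - - [10/Jan/2020:10:01:00 +0000] "GET /nagiosxi/export/?type=png&width=800 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2020:10:01:02 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_RE = re.compile(r'<\s*script|javascript:', re.I)   # XSS marker in export parameters
URL_RE = re.compile(r'https?://', re.I)                   # embedded URL: possible SSRF attempt
EXPORT_PATH = '/nagiosxi/export'                          # endpoint named in the advisory


def classify(line):
    """Return (ip, status, tags) for an export request, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or EXPORT_PATH not in m['target']:
        return None
    query = unquote(urlsplit(m['target']).query)  # decode %3C etc. before matching
    tags = []
    if SCRIPT_RE.search(query):
        tags.append('xss-marker')
    if URL_RE.search(query):
        tags.append('ssrf-marker')
    return m['ip'], int(m['status']), tags


def analyse(log_text, fail_threshold=2):
    """Collect flagged export requests and IPs with repeated failed export attempts."""
    flagged, failures = [], Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        ip, status, tags = rec
        if tags:
            flagged.append((ip, status, tags))
        if status >= 400:
            failures[ip] += 1
    noisy = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return flagged, noisy
```

Feed real access logs into analyse() and review the flagged entries alongside the outbound-connection indicators above; a benign export request with no markers (like the fourth sample line) is not reported.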