CVE-2020-36863
📋 TL;DR
This vulnerability allows authenticated attackers to upload PHP files to Nagios XI's Audio Import directory and execute them, leading to remote code execution. It affects Nagios XI versions before 5.7.2. Attackers need access to the audio import feature to exploit this.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with application service privileges, allowing attackers to execute arbitrary commands, access sensitive data, and pivot to other systems.
Likely Case
Unauthorized file upload leading to web shell deployment, data exfiltration, and potential lateral movement within the network.
If Mitigated
Limited impact with proper file upload restrictions and directory permissions preventing PHP execution.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.2
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download Nagios XI 5.7.2 or later from official sources.
3. Follow the Nagios XI upgrade instructions.
4. Restart the Nagios XI services.
🔧 Temporary Workarounds
Restrict PHP execution in upload directory
Prevent PHP file execution in the Audio Import directory using web server configuration.
For Apache: Add 'php_flag engine off' to .htaccess in the audio import directory (this directive is honoured only by mod_php and requires AllowOverride to permit it; under PHP-FPM use a FilesMatch block that denies *.php instead).
For Nginx: Add a location rule scoped to the audio import path, e.g. 'location ~ /audio_import/.*\.php$ { deny all; }', to the server block. A bare 'location ~ \.php$ { deny all; }' would block every PHP page in Nagios XI, not just the upload directory.
Remove execute permissions
Remove execute permissions from the Audio Import directory.
chmod -R -x /usr/local/nagiosxi/html/includes/components/audioplayer/audio_import/
Note that the execute bit does not decide whether mod_php interprets a file, and -R also strips the traverse bit from the directory itself, so the web server can no longer serve the audio files stored there. Treat this as a stopgap alongside the web server rule above rather than a replacement for it.
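The Apache variant of the workaround as an added, runnable example (this is not code from the advisory or from Nagios): it writes an .htaccess into the Audio Import directory that turns the PHP engine off and also refuses to serve PHP-like files, then checks that both lines are present. It assumes Apache 2.4 with mod_php honouring .htaccess (AllowOverride enabled for the directory) and the directory path given above; AUDIO_DIR and the two function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or Nagios): block PHP execution in the
# Audio Import directory via .htaccess and verify the block is in place.
# Assumptions: Apache 2.4, mod_php, AllowOverride permits these directives,
# and the directory path is the one the advisory names.
AUDIO_DIR="${AUDIO_DIR:-/usr/local/nagiosxi/html/includes/components/audioplayer/audio_import}"

# Write an .htaccess that disables the PHP engine and, so that the block also
# holds when PHP runs under FPM rather than mod_php, refuses to serve *.php.
# Returns 1 if the directory does not exist.
write_php_block() {
    dir="$1"
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Disable PHP execution for anything uploaded here (mod_php only)
php_flag engine off
# Refuse to serve PHP-like files regardless of which PHP SAPI is in use
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Return 0 when the directory carries both protections, 1 otherwise.
check_php_block() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -q '^php_flag engine off' "$f" || return 1
    grep -q 'Require all denied' "$f" || return 1
    return 0
}

# Stand-alone use: `sh block_php.sh apply` applies the rule to AUDIO_DIR.
if [ "${1:-}" = "apply" ]; then
    write_php_block "$AUDIO_DIR" && check_php_block "$AUDIO_DIR" \
        && echo "PHP execution blocked in $AUDIO_DIR"
fi
```

After applying it, confirm the effect from the client side: a request for any .php name under the directory should now return 403 rather than a PHP response, and the audio files themselves should still be served.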
🧯 If You Can't Patch
- Restrict access to Nagios XI to trusted networks only using firewall rules.
- Implement strict authentication controls and monitor for unauthorized file uploads.
🔍 How to Verify
Check if Vulnerable:
Check Nagios XI version via web interface or command: cat /usr/local/nagiosxi/var/xiversion
Check Version:
cat /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
Confirm version is 5.7.2 or higher and test that PHP files cannot be uploaded/executed in audio import directory.
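The version check above, as an added example that is not part of the advisory: a POSIX shell comparison of the contents of xiversion against the fixed release 5.7.2, component by component, so that 5.10.0 is correctly treated as newer than 5.7.2 and 5.7 as older. It assumes xiversion holds a dotted version string such as 5.6.14; the function names and the FIXED_VERSION constant are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or Nagios): decide whether the
# installed Nagios XI version is at or above the fixed release 5.7.2.
# Assumption: xiversion contains a dotted version such as "5.6.14"; any
# text after the digits-and-dots run (e.g. a build suffix) is ignored.
FIXED_VERSION="5.7.2"
XIVERSION_FILE="${XIVERSION_FILE:-/usr/local/nagiosxi/var/xiversion}"

# Compare two dotted versions numerically, component by component.
# Missing components count as 0. Returns 0 when $1 >= $2, 1 otherwise.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # drop the component just consumed, or empty the string when none is left
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# Returns 0 when the version string contains the fix, 1 when it is older
# or cannot be parsed (an unparseable version is never reported as fixed).
is_fixed_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 1
    version_ge "$v" "$FIXED_VERSION"
}

# Stand-alone use: read the installed version and report the verdict.
check_installed() {
    [ -r "$XIVERSION_FILE" ] || { echo "cannot read $XIVERSION_FILE" >&2; return 2; }
    installed=$(cat "$XIVERSION_FILE")
    if is_fixed_version "$installed"; then
        echo "Nagios XI $installed: fixed (>= $FIXED_VERSION)"
    else
        echo "Nagios XI $installed: VULNERABLE (< $FIXED_VERSION)"
        return 1
    fi
}

[ "${1:-}" = "check" ] && check_installed
```

Run it as `sh check_xi.sh check` on the Nagios host; the exit status (0 fixed, 1 vulnerable, 2 file unreadable) makes it usable from a configuration-management or fleet-inventory job.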
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to audio import directory
- PHP file execution attempts in non-standard locations
Network Indicators:
- HTTP POST requests to audio import endpoints with PHP files
- Unexpected outbound connections from Nagios server
SIEM Query:
source="nagios" AND (url="*audio_import*" AND method="POST")
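The same indicators applied to the web server's access log, as an added example that is not from the advisory: an awk filter that flags POST requests to the audio player component (possible upload) and GET requests for a .php name under audio_import (possible execution of an uploaded file). The log lines are constructed for the demo in Apache combined format; the request paths in them, the upload handler name and the function names are assumptions of this example, not documented Nagios XI endpoints.

```shell
#!/bin/sh
# Added example (not from the advisory or Nagios): flag access-log entries
# matching the detection indicators. Sample log is constructed; the request
# paths below are assumed, not documented Nagios XI endpoints.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:02:10 +0000] "POST /nagiosxi/includes/components/audioplayer/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:03:44 +0000] "GET /nagiosxi/includes/components/audioplayer/audio_import/alert.mp3 HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:04:01 +0000] "GET /nagiosxi/includes/components/audioplayer/audio_import/x.php HTTP/1.1" 200 48 "-" "curl/7.68.0"
EOF
)

# Read combined-format log lines on stdin; print each suspicious line with a
# label. Field 6 is the quoted method ("GET), field 7 the request path.
#   upload?   POST to the audio player component
#   php-exec? GET/POST for a .php name inside audio_import (served as PHP)
detect_audio_import_abuse() {
    awk '
        $6 ~ /^"(GET|POST|PUT)$/ {
            method = substr($6, 2); path = $7
            if (path ~ /audio_import\/.*\.php(\?.*)?$/) { print "php-exec? " $0; next }
            if (method == "POST" && path ~ /audioplayer|audio_import/) { print "upload? " $0; next }
        }'
}

# Count suspicious lines in the constructed sample.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | detect_audio_import_abuse | wc -l | tr -d ' '
}

# Stand-alone use: sh detect_audio.sh /var/log/httpd/access_log
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    detect_audio_import_abuse < "$1"
fi
```

Tune the path patterns to the URL prefix your instance actually uses, and pair the output with the "unexpected outbound connections" indicator: a php-exec? hit followed by new outbound connections from the Nagios host is the combination that warrants an incident rather than a ticket.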