CVE-2020-36865
📋 TL;DR
This cross-site scripting vulnerability in Nagios XI allows attackers to inject malicious scripts into the BPI Config Management and Edit Config pages. When victims view these pages, the scripts execute in their browser context, potentially stealing session cookies or performing unauthorized actions. Organizations running Nagios XI versions before 5.7.2 are affected.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session cookies, gains full administrative access to Nagios XI, and potentially compromises the monitoring infrastructure or uses it as a pivot point to internal networks.
Likely Case
Attacker steals user session cookies to gain unauthorized access to Nagios XI with the victim's privileges, potentially modifying monitoring configurations or accessing sensitive system information.
If Mitigated
Script execution is blocked by browser security features or web application firewalls, limiting impact to minor UI disruption.
🎯 Exploit Status
Exploitation requires authenticated access to create/modify BPI configurations and victim interaction with those configurations. No public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.2 and later
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Back up the current Nagios XI configuration.
2. Download Nagios XI 5.7.2 or later from the Nagios customer portal.
3. Follow the Nagios XI upgrade instructions for your platform.
4. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict BPI Configuration Access
Limit access to BPI configuration pages to only the necessary administrative users through role-based access controls.
Implement Content Security Policy
Deploy CSP headers to restrict script execution sources and mitigate XSS impact.
🧯 If You Can't Patch
- Implement web application firewall with XSS protection rules
- Monitor for suspicious BPI configuration changes and user activity
🔍 How to Verify
Check if Vulnerable:
Check Nagios XI version via Admin > System Config > About page or run: cat /usr/local/nagiosxi/var/xiversion
Check Version:
cat /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
Verify version is 5.7.2 or higher and test BPI configuration pages for proper input validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual BPI configuration modifications
- Multiple failed login attempts followed by BPI access
- Suspicious user agent strings in web logs
Network Indicators:
- Unusual outbound connections from Nagios server following BPI page access
SIEM Query:
source="nagios_web.log" AND (uri="/nagiosxi/admin/bpi.php" OR uri CONTAINS "bpi") AND (method="POST" OR method="PUT")
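The version check from "How to Verify" and the SIEM filter above, as an added Python example that is not part of the advisory or of Nagios XI: it parses xiversion content (assumed to be either a bare "5.7.1" line or a "full=5.7.1" key/value line), compares numerically against 5.7.2, and applies the POST/PUT-to-bpi filter to constructed Apache-style log lines.

```python
import re

FIXED_VERSION = (5, 7, 2)  # first release carrying the fix, per the advisory


def parse_xiversion(text):
    """Return (major, minor, patch) from xiversion file content.

    Accepts a bare '5.7.1' or a 'full=5.7.1' line; the exact file layout
    is an assumption, so adjust the pattern if your file differs.
    """
    m = re.search(r"(?m)^(?:full\s*=\s*)?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no version found in xiversion content")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """Tuple comparison, so 5.10.0 is correctly newer than 5.7.2."""
    return tuple(version) < FIXED_VERSION


# Apache combined-format request field: "METHOD URI HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def suspicious_bpi_requests(lines):
    """Mirror the advisory's SIEM query: POST/PUT whose URI contains 'bpi'."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        method, uri = m.group("method"), m.group("uri")
        if method in ("POST", "PUT") and "bpi" in uri.lower():
            hits.append((method, uri))
    return hits


# Constructed sample log lines (not real traffic); the query string is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /nagiosxi/login.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2021:10:00:09 +0000] "POST /nagiosxi/admin/bpi.php HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2021:10:01:00 +0000] "GET /nagiosxi/admin/bpi.php HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2021:10:02:00 +0000] "PUT /nagiosxi/admin/bpi.php?mode=config HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    v = parse_xiversion("full=5.7.1\nmajor=5\n")  # constructed xiversion content
    print("version", v, "vulnerable:", is_vulnerable(v))
    for hit in suspicious_bpi_requests(SAMPLE_LOG):
        print("review:", *hit)
```

On a live host, feed `open("/usr/local/nagiosxi/var/xiversion").read()` to `parse_xiversion` and the web server's access log lines to `suspicious_bpi_requests`; a hit is a change to review, not proof of exploitation.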