CVE-2021-3193

9.8 CRITICAL

📋 TL;DR

CVE-2021-3193 is a critical remote code execution vulnerability in Nagios Docker Config Wizard that allows unauthenticated attackers to execute arbitrary commands as the apache user. This affects Nagios XI installations through version 5.7 that have the Docker Config Wizard component. Attackers can gain initial access to vulnerable systems without any authentication.

💻 Affected Systems

Products:
  • Nagios XI
  • Nagios Docker Config Wizard
Versions: Nagios XI through 5.7, Docker Config Wizard before 1.1.2
Operating Systems: Linux systems running Nagios XI
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable if the Docker Config Wizard component is installed, which is common in Nagios XI deployments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to data theft, lateral movement, ransomware deployment, and persistent backdoor installation across the network.

🟠 Likely Case

Initial foothold leading to privilege escalation, credential harvesting, and deployment of cryptocurrency miners or botnet malware.

🟢 If Mitigated

Limited to apache user privileges, potentially allowing file system access and further exploitation attempts.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances immediate targets.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploits available, trivial to weaponize due to unauthenticated nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Docker Config Wizard 1.1.2 or later, Nagios XI 5.8 or later

Vendor Advisory: https://www.nagios.com/products/security/

Restart Required: Yes

Instructions:

1. Update Nagios XI to version 5.8 or later.
2. Update the Docker Config Wizard component to version 1.1.2 or later.
3. Restart Nagios services.

🔧 Temporary Workarounds

Disable Docker Config Wizard

Remove or disable the vulnerable Docker Config Wizard component:

rm -rf /usr/local/nagiosxi/html/includes/components/dockerwizard/
systemctl restart nagios

Network Access Control

Restrict access to the Nagios web interface using firewall rules (replace trusted_network with the CIDR of the hosts that should reach the interface; the ACCEPT rules must come before the DROP rules):

iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Immediately isolate vulnerable systems from internet and restrict internal network access
  • Implement web application firewall (WAF) rules to block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Nagios XI version:

cat /usr/local/nagiosxi/var/xiversion

Check whether the Docker Config Wizard component is installed:

ls -la /usr/local/nagiosxi/html/includes/components/dockerwizard/

Check Version:

cat /usr/local/nagiosxi/var/xiversion && grep 'version' /usr/local/nagiosxi/html/includes/components/dockerwizard/component.inc.php

Verify Fix Applied:

Verify Nagios XI version >= 5.8 and Docker Config Wizard version >= 1.1.2. Test web interface functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /nagiosxi/includes/components/dockerwizard/
  • Apache error logs showing command execution attempts
  • Sudden apache user process creation

Network Indicators:

  • Unusual outbound connections from Nagios server
  • Exploit tool traffic patterns to Nagios web interface

SIEM Query:

source="apache" AND (uri="/nagiosxi/includes/components/dockerwizard/*" OR uri="/includes/components/dockerwizard/*") AND (method="POST" OR status>=400)
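The same predicate as the SIEM query above, applied offline to Apache access-log lines, as an added example (not part of this advisory): it flags requests to the Docker Config Wizard paths that are either POSTs or returned a 4xx/5xx status. The combined log format and the sample lines are assumptions constructed for the example.

```python
import re

# Apache combined-log prefix (assumed format; adjust LOG_RE for a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)
# Docker Config Wizard request paths, as in the SIEM query above.
WATCH_PREFIXES = (
    "/nagiosxi/includes/components/dockerwizard/",
    "/includes/components/dockerwizard/",
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["uri"].split("?", 1)[0]  # drop query string before prefix match
    return rec

def is_suspicious(rec):
    """Same predicate as the SIEM query: wizard path AND (POST OR status >= 400)."""
    on_wizard = any(rec["path"].startswith(p) for p in WATCH_PREFIXES)
    return on_wizard and (rec["method"] == "POST" or rec["status"] >= 400)

def scan(lines):
    """Return the parsed records that match is_suspicious, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_suspicious(rec):
            hits.append(rec)
    return hits

# Constructed sample lines (not real traffic): a POST to the wizard, a 404 probe
# of it, a benign GET of it, an unrelated POST, and a malformed line.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:13:55:36 +0000] "POST /nagiosxi/includes/components/dockerwizard/index.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.7 - - [10/Mar/2021:13:56:01 +0000] "GET /nagiosxi/includes/components/dockerwizard/ HTTP/1.1" 404 210 "-" "python-requests/2.25"
10.0.0.9 - - [10/Mar/2021:13:56:10 +0000] "GET /nagiosxi/includes/components/dockerwizard/index.php?step=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2021:13:57:00 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not an access log line
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["method"], hit["path"], hit["status"])
```

Pipe the real access log into `scan()` and group the hits by source address to see which clients are probing the component.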
