CVE-2021-36365

9.8 CRITICAL

📋 TL;DR

CVE-2021-36365 is a critical privilege escalation vulnerability in Nagios XI where the repairmysql.sh script has incorrect file permissions. This allows any local user to execute arbitrary commands with root privileges. All Nagios XI installations before version 5.8.5 are affected.

💻 Affected Systems

Products:
  • Nagios XI
Versions: All versions before 5.8.5
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected Nagios XI versions are vulnerable. The vulnerability lies in the file permissions of the repairmysql.sh script, not in its contents.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise - the attacker gains root access, can install persistent backdoors, exfiltrate all monitoring data, and pivot to other systems.

🟠 Likely Case: Local privilege escalation leading to full control of the Nagios XI server, potentially allowing modification of monitoring configurations and access to credentials.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent unauthorized local access to the Nagios XI server.

🌐 Internet-Facing: MEDIUM - While this is a local privilege escalation, internet-facing Nagios XI servers could be targeted after initial access through other vulnerabilities.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can easily exploit this to gain root privileges on the monitoring server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the Nagios XI server. The vulnerability is simple to exploit once an attacker has any level of local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8.5

Vendor Advisory: https://www.nagios.com/downloads/nagios-xi/change-log/

Restart Required: No

Instructions:

1. Back up your Nagios XI configuration and data.
2. Download Nagios XI 5.8.5 or later from the official Nagios website.
3. Follow the upgrade instructions in the Nagios XI documentation.
4. Verify the fix by checking the file permissions on repairmysql.sh.

🔧 Temporary Workarounds

Fix file permissions manually (Linux)

Manually change the permissions and ownership of repairmysql.sh to remove world-writable access:

chmod 750 /usr/local/nagiosxi/scripts/repairmysql.sh
chown root:root /usr/local/nagiosxi/scripts/repairmysql.sh

🧯 If You Can't Patch

  • Implement strict access controls to limit who can log into the Nagios XI server locally
  • Monitor for unauthorized access attempts and file permission changes on repairmysql.sh

🔍 How to Verify

Check if Vulnerable:

Check if repairmysql.sh is world-writable. Grepping for the exact string -rwxrwxrwx misses modes such as -rwxrwxrw- or -rw-rw-rw-, so inspect the mode directly; a 'w' in the third (other) permission triplet, or an owner other than root, means the script is exposed:

stat -c '%A %U:%G %n' /usr/local/nagiosxi/scripts/repairmysql.sh

Check Version:

cat /usr/local/nagiosxi/var/xiversion

Verify Fix Applied:

Verify that the repairmysql.sh permissions are correct:

ls -la /usr/local/nagiosxi/scripts/repairmysql.sh

The output should show permissions like -rwxr-x--- with owner and group root.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected execution of repairmysql.sh by non-root users
  • File permission changes on repairmysql.sh
  • Suspicious commands executed with root privileges

Network Indicators:

  • Unusual outbound connections from Nagios XI server following local privilege escalation

SIEM Query:

source="nagios" AND ((event="file_permission_change" AND file="repairmysql.sh") OR (process="repairmysql.sh" AND user!="root"))

Note the outer parentheses: without them, AND binds tighter than OR and the source="nagios" filter would apply only to the first clause.
