CVE-2021-37348
📋 TL;DR
CVE-2021-37348 is a local file inclusion (LFI) vulnerability in Nagios XI caused by improper limitation of a pathname in index.php: a path traversal weakness lets an attacker make the application read files outside the directory it was meant to serve from. It affects Nagios XI releases before 5.8.5 and is fixed in that release. Because the inclusion happens inside the PHP web application, anything readable by the web server account is exposed: configuration files, logs, and other system files.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI is the commercial IT infrastructure monitoring platform from Nagios Enterprises, built on top of Nagios Core. Its web interface is a PHP application served by Apache, and that web server account is the context in which this vulnerability executes.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read any file the web server account can open, such as Nagios XI's own /usr/local/nagiosxi/html/config.inc.php (which holds the database credentials), SSH keys, or other secrets, and use them for credential theft or privilege escalation, leading to full compromise of the monitoring server and of the systems it has credentials for.
Likely Case
Unauthorized reading of sensitive Nagios configuration files, potentially exposing monitoring credentials, system information, or other sensitive operational data.
If Mitigated
Limited impact if sensitive files are not readable by the web server account and the Nagios XI interface is reachable only from a management network: the attacker may obtain only non-sensitive files, or the request may be blocked by web server or WAF rules. Files the application itself must read (its own configuration, for example) cannot be protected this way.
🎯 Exploit Status
Exploitation requires some level of access to the Nagios XI web interface. The vulnerability is publicly documented and, as a typical LFI, is simple to exploit once the vulnerable parameter is known: a single crafted request returns file contents.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.5
Vendor Advisory: https://www.nagios.com/downloads/nagios-xi/change-log/
Restart Required: Yes
Instructions:
1. Back up the current Nagios XI installation.
2. Download Nagios XI 5.8.5 or later from the official Nagios website.
3. Follow the upgrade instructions in the Nagios XI documentation.
4. Restart the Nagios services after the upgrade completes.
🔧 Temporary Workarounds
Restrict file access permissions
The LFI runs with the web server account's privileges, so tightening permissions on sensitive directories and configuration files limits what it can read even if exploited. Two caveats: Nagios XI's own web process needs read (and in places write) access to much of /usr/local/nagios and /usr/local/nagiosxi, so overly strict modes break the interface (in particular, /usr/local/nagios/var/rw holds the external command pipe the web interface writes to, so removing group access to /usr/local/nagios/var stops command submission unless you re-grant it), and files the application must read itself, such as /usr/local/nagiosxi/html/config.inc.php with the database credentials, cannot be protected this way at all. Test in a staging instance and confirm the web interface and Apply Configuration still work before changing production.
chmod 600 /usr/local/nagios/etc/*.cfg
chmod 700 /usr/local/nagios/var
Web server restrictions
Configure the web server (Nagios XI ships on Apache) to deny requests whose parameters carry traversal sequences and to block direct access to sensitive paths. Match on the decoded request, since ../ is commonly sent as %2e%2e%2f or double-encoded as %252e%252e%252f. This is a mitigation, not a fix: any bypass of the pattern restores the vulnerability.
🧯 If You Can't Patch
- Implement strict network segmentation so the Nagios XI web interface is reachable only from management networks, and isolate the monitoring server from the systems it holds credentials for
- Deploy web application firewall (WAF) rules that block local file inclusion patterns (traversal sequences in any encoding, null bytes, absolute system paths), treating them as a stopgap since pattern filters can be bypassed
🔍 How to Verify
Check if Vulnerable:
Check the Nagios XI version in the web interface (it appears in the page footer) or from the version file in the installation directory. Any version below 5.8.5 is vulnerable.
Check Version:
cat /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
Confirm the reported version is 5.8.5 or later and, from a test client, confirm that requests to index.php carrying traversal sequences are rejected rather than returning file contents.
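The version check above can be scripted so it gives a yes/no answer instead of a number to read. The following is an added example, not Nagios XI code: it parses the contents of /usr/local/nagiosxi/var/xiversion and compares the release numerically against 5.8.5. It assumes the file is key=value text containing the release as a dotted x.y.z string; the key name itself (full=, product_version=, or similar) is deliberately not relied on, and the sample file contents are constructed.

```python
"""Added example: decide from the contents of /usr/local/nagiosxi/var/xiversion
whether a Nagios XI install predates the 5.8.5 fix for CVE-2021-37348.
Illustrative code, not part of Nagios XI. Assumption: the file is key=value text
that carries the release as a dotted x.y.z string; the key name is not relied on."""
import re
import sys
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (5, 8, 5)   # first release with the fix
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(xiversion_text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first x.y.z version in the text as an int tuple, or None."""
    match = VERSION_RE.search(xiversion_text)
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_vulnerable(xiversion_text: str) -> Optional[bool]:
    """True below 5.8.5, False at or above it, None if no version was found.

    Tuples compare numerically, so 5.11.0 is correctly newer than 5.8.5;
    comparing the raw strings would get that wrong ("5.11.0" < "5.8.5")."""
    version = parse_version(xiversion_text)
    if version is None:
        return None
    return version < FIXED_VERSION


# Constructed sample file contents (layout assumed, not copied from a real install).
SAMPLE_VULNERABLE = "full=5.8.4\nmajor=5\nminor=8\npatch=4\n"
SAMPLE_FIXED = "full=5.8.5\nmajor=5\nminor=8\npatch=5\n"
SAMPLE_NEWER = "full=5.11.0\nmajor=5\nminor=11\npatch=0\n"


def main(argv) -> int:
    """Read the version file (path optional on the command line) and report."""
    path = argv[1] if len(argv) > 1 else "/usr/local/nagiosxi/var/xiversion"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}")
        return 2
    state = is_vulnerable(text)
    if state is None:
        print(f"{path}: no x.y.z version found")
        return 2
    version = ".".join(str(n) for n in parse_version(text))
    verdict = "VULNERABLE (below 5.8.5)" if state else "not affected by CVE-2021-37348"
    print(f"Nagios XI {version}: {verdict}")
    return 1 if state else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the monitoring host with no arguments, or pass a copied xiversion file as the first argument; the exit code is 1 when vulnerable, 0 when fixed, 2 when the file could not be read or parsed, so it drops into a compliance script directly. The numeric tuple comparison matters: a lexical check would classify 5.11.0 as older than 5.8.5.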
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in Nagios or web server logs
- Multiple requests for configuration files or sensitive paths
Network Indicators:
- HTTP requests to index.php whose parameters contain traversal sequences (../ or ..\ in plain, URL-encoded, or double-encoded form), null bytes, or absolute paths such as /etc/passwd
- Unusual traffic to Nagios web interface from unexpected sources
SIEM Query (pseudo-syntax; field names depend on your SIEM and log parsing, and web server logs usually keep the query string as received, so either decode before matching or include encoded variants such as %2e%2e%2f and %252e%252e%252f):
source="nagios_access.log" AND (uri="*index.php*" AND (param="*../*" OR param="*%2e%2e%2f*" OR param="*file=*"))
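The indicators and SIEM query above describe the pattern; the following added example runs it against log lines offline. It is illustrative code, not Nagios XI code or a vendor detection: it parses Apache combined-format access log lines, decodes each request parameter (including double-encoded payloads) before matching, and reports traversal attempts with the client address and the decoded value. The sample lines and the parameter name "page" are constructed, and the check does not depend on any particular parameter name.

```python
"""Added example: flag path-traversal attempts in Apache combined-format access
log lines, the request pattern behind CVE-2021-37348, decoding URL-encoded and
double-encoded payloads before matching. Illustrative code, not part of Nagios XI;
sample lines and the parameter name 'page' are constructed."""
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# A ".." path segment in either slash style, checked after decoding.
DOTDOT_RE = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
# A few absolute paths commonly requested through LFI; illustrative list, extend as needed.
ABSOLUTE_RE = re.compile(r"^/(?:etc|proc|root|var/log)/")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e%252f becomes ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if a parameter value, once decoded, looks like a file-path escape."""
    v = fully_decode(value)
    return bool(DOTDOT_RE.search(v) or ABSOLUTE_RE.search(v) or "\x00" in v)


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per suspicious parameter: ip, timestamp, path, param, decoded value."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["uri"])
        # parse_qsl already strips one layer of percent-encoding; is_traversal
        # handles any further layers.
        for param, raw in parse_qsl(parts.query, keep_blank_values=True):
            if is_traversal(raw):
                hits.append({"ip": m["ip"], "ts": m["ts"], "path": parts.path,
                             "param": param, "value": fully_decode(raw)})
    return hits


# Constructed sample log lines (not from a real system).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [16/Sep/2021:10:01:02 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Sep/2021:10:01:09 +0000] "GET /nagiosxi/index.php?host=db01.example.com HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Sep/2021:10:02:14 +0000] "GET /nagiosxi/index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
    '203.0.113.7 - - [16/Sep/2021:10:02:15 +0000] "GET /nagiosxi/index.php?page=..%2f..%2f..%2fetc%2fhosts HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [16/Sep/2021:10:02:16 +0000] "GET /nagiosxi/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} {hit['param']}={hit['value']!r}")
```

Feed it the real Apache access log (for example /var/log/httpd/access_log on RHEL-family hosts) line by line; the three constructed attack lines are reported and the two benign ones, including the hostname with dots, are not. Matching on the decoded value is the point: a filter that only looks for a literal ../ misses the second and third attack lines entirely.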