CVE-2021-37353
📋 TL;DR
Nagios XI Docker Wizard versions before 1.1.3 contain a Server-Side Request Forgery (SSRF) vulnerability in table_population.php due to improper input sanitization. This allows attackers to make unauthorized requests from the vulnerable server to internal or external systems. Organizations using Nagios XI with the Docker Wizard component are affected.
💻 Affected Systems
- Nagios XI Docker Wizard
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot from the vulnerable Nagios server to access internal systems, steal credentials, perform port scanning, or access cloud metadata services to obtain sensitive information.
Likely Case
Attackers scan internal networks, access internal web applications, or retrieve sensitive information from cloud metadata endpoints.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to the Nagios server itself or adjacent systems in the same network segment.
🎯 Exploit Status
Exploitation requires authentication to Nagios XI. SSRF vulnerabilities are commonly exploited in real-world attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.3
Vendor Advisory: https://www.nagios.com/downloads/nagios-xi/change-log/
Restart Required: Yes
Instructions:
1. Log into Nagios XI admin interface.
2. Navigate to Admin > Updates.
3. Check for available updates.
4. Update Docker Wizard to version 1.1.3 or later.
5. Restart Nagios XI services.
🔧 Temporary Workarounds
Disable Docker Wizard
Remove or disable the vulnerable Docker Wizard component if not required.
sudo rm -rf /usr/local/nagiosxi/html/includes/dockerwizard/
Network Segmentation
Restrict the Nagios XI server's outbound network access to prevent SSRF exploitation. Note that the rules below drop all outbound HTTP and HTTPS from the server, including legitimate monitoring checks and update downloads, so allowlist required destinations before applying them.
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network egress filtering to prevent the Nagios server from making unauthorized outbound requests.
- Place Nagios XI behind a web application firewall (WAF) with SSRF protection rules enabled.
🔍 How to Verify
Check if Vulnerable:
Check the installed Docker Wizard version; any version below 1.1.3 is vulnerable:
cat /usr/local/nagiosxi/html/includes/dockerwizard/version.txt
Verify Fix Applied:
Run the same command and verify the reported version is 1.1.3 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Nagios server
- Requests to internal IP addresses or cloud metadata endpoints from Nagios
Network Indicators:
- HTTP traffic from Nagios server to unexpected destinations
- Port scanning activity originating from Nagios server
SIEM Query:
source="nagios" AND (url="*table_population.php*" OR dest_ip="169.254.169.254" OR dest_port IN (80, 443))
Note: the dest_port clause on its own matches all HTTP/HTTPS traffic from the server; scope it to internal or otherwise unexpected destinations to keep the query useful.
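The log and network indicators above can be checked mechanically. The following is an added example, not code from the advisory or from Nagios: it parses constructed egress log lines (connections the Nagios XI host opened, in an assumed "timestamp src_ip method url status" format) and flags destinations that SSRF typically reaches, namely loopback, link-local, RFC 1918 and cloud metadata endpoints.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample egress log lines (not real data), in an assumed format:
# "<timestamp> <src_ip> <method> <url> <status>", as an egress proxy or firewall might log them.
SAMPLE_EGRESS_LOG = """\
2021-08-20T10:01:02Z 10.0.5.12 GET https://updates.nagios.example/nagiosxi/versions.php 200
2021-08-20T10:01:09Z 10.0.5.12 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
2021-08-20T10:01:15Z 10.0.5.12 GET http://10.0.3.7:8080/admin/ 401
2021-08-20T10:01:22Z 10.0.5.12 GET http://127.0.0.1:8080/ 200
2021-08-20T10:01:33Z 10.0.5.12 GET http://metadata.google.internal/computeMetadata/v1/ 403
2021-08-20T10:01:40Z 10.0.5.12 GET https://www.example.org/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Well-known cloud metadata service names/addresses (extend for your provider).
METADATA_HOSTS = {"metadata.google.internal", "169.254.169.254"}

def classify_destination(url):
    """Return why a destination looks like an SSRF target, or None if it looks ordinary."""
    host = urlparse(url).hostname  # strips scheme, port and brackets around IPv6 literals
    if host is None:
        return None
    host = host.lower()
    if host in METADATA_HOSTS:
        return "cloud-metadata"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "loopback" if host == "localhost" else None  # hostnames are not resolved here
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:  # RFC 1918 and other non-public ranges
        return "internal"
    return None

def find_ssrf_candidates(log_text):
    """Parse the egress log and return (timestamp, url, reason) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, _src, _method, url, _status = m.groups()
        reason = classify_destination(url)
        if reason:
            hits.append((ts, url, reason))
    return hits
```

Unlike the bare dest_port clause in the SIEM query, this only reports destinations that a monitoring server has no ordinary reason to contact, which keeps the alert volume manageable.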