CVE-2021-47691
📋 TL;DR
This CVE describes multiple cross-site scripting (XSS) vulnerabilities in Nagios XI's Core Config Manager (CCM) affecting the Services page. Attackers can inject malicious scripts into the config_name and service_description fields, which execute in victims' browsers when they view those pages. Organizations running Nagios XI versions before 5.8.2 (CCM versions before 3.1.1) are affected.
💻 Affected Systems
- Nagios XI
- Nagios Core Config Manager (CCM)
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform actions as the victim, or redirect users to malicious sites, potentially leading to full system compromise if combined with other vulnerabilities.
Likely Case
Attackers with access to the Nagios XI interface could perform session hijacking, steal credentials, or deface monitoring pages, compromising the monitoring system's integrity.
If Mitigated
With proper input validation and output encoding, the risk is limited to minor UI manipulation with no data loss or system compromise.
🎯 Exploit Status
Exploitation requires the attacker to either have authenticated access or trick an authenticated user into interacting with malicious content. The vulnerability is in the web interface's input handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nagios XI 5.8.2 or CCM 3.1.1
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Log into Nagios XI as administrator.
2. Navigate to Admin > Check for Updates.
3. Follow the upgrade wizard to update to Nagios XI 5.8.2 or later.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Implement custom input validation for the config_name and service_description fields that strips or encodes HTML/JavaScript content.
Modify the Nagios XI source code to add input sanitization in the affected PHP files (requires development expertise).
Content Security Policy
Implement a strict Content Security Policy (CSP) header to prevent execution of inline scripts and restrict script sources.
Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to the web server configuration (the single quotes around self are part of the header value). Test the policy against the UI before deploying it, since a policy that disallows inline scripts also blocks any legitimate inline scripts a page relies on.
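The following is an added Python illustration of the two workarounds above (output encoding of the config_name and service_description fields, plus the CSP header); it is not Nagios XI code, which is PHP, and the field values and HTML template are constructed for the example. The audit helper parses the rendered fragment and reports whether a script tag or an on* event-handler attribute survived rendering, which is the check a reviewer would want rather than a string search.

```python
import html
from html.parser import HTMLParser

# Constructed sample field values (hypothetical, not from a real Nagios XI instance).
SAMPLE_CONFIG_NAME = "<script>alert('test')</script>"
SAMPLE_DESCRIPTION = '" onmouseover="alert(1)'

# Constructed template standing in for a Services page table row.
_ROW = ('<tr><td>{name}</td>'
        '<td><input name="service_description" value="{desc}"></td></tr>')


def render_service_row_unsafe(config_name: str, service_description: str) -> str:
    # Vulnerable pattern: untrusted field values are concatenated straight into HTML,
    # one in a text node and one inside a double-quoted attribute.
    return _ROW.format(name=config_name, desc=service_description)


def render_service_row_safe(config_name: str, service_description: str) -> str:
    # Hardened pattern: html.escape encodes &, <, > and (with quote=True) " and ',
    # which covers both the text-node and the attribute context used in _ROW.
    return _ROW.format(name=html.escape(config_name, quote=True),
                       desc=html.escape(service_description, quote=True))


# CSP header from the workaround above: only same-origin scripts, no inline script.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


def response_headers() -> dict:
    """Headers a hardened response would carry alongside the rendered page."""
    return {"Content-Type": "text/html; charset=utf-8", CSP_HEADER[0]: CSP_HEADER[1]}


class _TagAudit(HTMLParser):
    """Counts <script> start tags and collects on* attributes in a fragment."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.event_handlers.append(f"{tag}@{attr_name}")


def audit_fragment(fragment: str) -> dict:
    """Return what active markup the browser would see in the rendered fragment."""
    parser = _TagAudit()
    parser.feed(fragment)
    parser.close()
    return {"script_tags": parser.script_tags, "event_handlers": parser.event_handlers}


if __name__ == "__main__":
    for label, render in (("unsafe", render_service_row_unsafe),
                          ("safe", render_service_row_safe)):
        row = render(SAMPLE_CONFIG_NAME, SAMPLE_DESCRIPTION)
        print(label, audit_fragment(row))
    print(response_headers())
```

Escaping has to match the context the value lands in: quote=True is what protects the attribute position, where the description payload would otherwise close the value attribute and add a handler. The CSP header is defence in depth, not a substitute for the encoding.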
🧯 If You Can't Patch
- Restrict access to Nagios XI web interface using network segmentation and firewall rules to only trusted users.
- Implement web application firewall (WAF) rules to detect and block XSS payloads in the affected fields.
🔍 How to Verify
Check if Vulnerable:
Check the Nagios XI version via the Admin > About page; any version below 5.8.2 (CCM below 3.1.1) is affected.
Check Version:
grep 'product_version' /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
Verify version is 5.8.2 or higher and test Services page input fields with basic XSS payloads like <script>alert('test')</script> to ensure they're properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to the Services page with script tags or JavaScript in the config_name/service_description parameters
- Multiple failed login attempts followed by successful access to Services page
Network Indicators:
- HTTP requests containing <script> tags or JavaScript code in URL parameters or POST data to Nagios XI Services endpoints
SIEM Query:
source="nagios_access.log" AND (uri_path="/nagiosxi/services.php" OR uri_path="/nagiosxi/includes/components/ccm/") AND http_method="POST" AND (parameters CONTAINS "<script>" OR parameters CONTAINS "javascript:")
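As an added example of the detection logic the SIEM query above expresses, here is a Python scanner over constructed Apache combined-format access-log lines; it is not a Nagios or vendor tool. The CCM and Services path prefixes are taken from the query above; the log lines, IPs and timestamps are made up. It URL-decodes each query parameter (repeatedly, to catch double encoding) before matching, because the literal strings "<script>" and "javascript:" never appear encoded as-is in a request line. One caveat to keep in mind: a standard access log records only the request line, so form fields sent in a POST body are not visible here; body-level inspection needs a WAF or request-body logging in front of the application.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Path prefixes from the SIEM query on this page.
CCM_PATH_PREFIXES = ("/nagiosxi/services.php", "/nagiosxi/includes/components/ccm/")

# Indicators from this page, matched case-insensitively after decoding.
XSS_PATTERN = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# Apache combined log format: client, identity, user, [time], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). Line 2 carries an encoded script tag in
# config_name, line 3 a javascript: URL in service_description, line 4 a payload outside CCM.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /nagiosxi/includes/components/ccm/index.php?cmd=view&type=service HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2021:10:00:09 +0000] "POST /nagiosxi/includes/components/ccm/index.php?cmd=modify&type=service&config_name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2021:10:00:15 +0000] "GET /nagiosxi/includes/components/ccm/index.php?cmd=view&type=service&service_description=javascript%3Aalert(1) HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2021:10:01:00 +0000] "GET /nagiosxi/index.php?q=%3Cscript%3E HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list:
    """Return (param, decoded_value) pairs carrying an XSS indicator, for CCM/Services targets only."""
    path, _, query = target.partition("?")
    if not path.startswith(CCM_PATH_PREFIXES):
        return []
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = fully_decode(value)
            if XSS_PATTERN.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list:
    """Parse each access-log line and emit one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for param, value in suspicious_params(m.group("target")):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "method": m.group("method"), "param": param, "value": value})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The scanner is scoped to the CCM and Services paths so that the payload on line 4 of the sample, which targets a different endpoint, is not reported; widen CCM_PATH_PREFIXES if you want a site-wide sweep. Because the page's indicator "Multiple failed login attempts followed by successful access to Services page" depends on correlating authentication events, it is left to the SIEM rather than this per-line check.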