CVE-2021-47695
📋 TL;DR
Nagios XI versions before 5.8.0 contain a stored cross-site scripting (XSS) vulnerability in the My Tools page. Attackers can inject malicious scripts that execute in victims' browsers when they view the compromised page. This affects all Nagios XI administrators and users who access the My Tools functionality.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform actions as the victim (like creating backdoor accounts), or redirect users to malicious sites.
Likely Case
Attackers with user-level access could perform session hijacking against administrators or other users, potentially gaining elevated privileges.
If Mitigated
With proper input validation and output encoding, the script payloads would be rendered harmless as text rather than executed.
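As an added illustration (not code from Nagios XI), the following Python contrasts the vulnerable pattern with the mitigated one. It assumes a tool entry consists of a display name and a link URL; those field names are an assumption, not taken from the advisory. It also shows why encoding alone is not enough: an HTML-encoded `javascript:` URL is still a clickable link, so the URL scheme has to be validated on input as well.

```python
"""Vulnerable vs. hardened rendering of a user-supplied "tool" entry.

Added example, not Nagios XI code. The fields (name, url) are an assumption
about the feature. Two controls are combined: allow-list validation of the
URL scheme on input, and context-appropriate HTML encoding on output.
"""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def render_tool_vulnerable(name: str, url: str) -> str:
    """The bug class: untrusted input concatenated straight into HTML."""
    return f'<a href="{url}">{name}</a>'


def validate_tool_url(url: str) -> bool:
    """Allow-list the scheme so javascript:/data: links are rejected on input."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_tool_hardened(name: str, url: str) -> str:
    """Validate on input, encode on output for the HTML context being written."""
    if not validate_tool_url(url):
        raise ValueError("tool URL must be an absolute http(s) URL")
    safe_name = html.escape(name, quote=True)  # text-node context
    safe_url = html.escape(url, quote=True)    # attribute context: quotes must be encoded
    return f'<a href="{safe_url}">{safe_name}</a>'


if __name__ == "__main__":
    payload = "<script>x</script>"  # constructed test input
    print("vulnerable:", render_tool_vulnerable(payload, "https://example.com/"))
    print("hardened:  ", render_tool_hardened(payload, "https://example.com/"))
    print("javascript: URL accepted?", validate_tool_url("javascript:void(0)"))
```

The hardened renderer turns the payload into the literal text `&lt;script&gt;x&lt;/script&gt;`, which the browser displays rather than executes, and refuses a `javascript:` URL outright.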
🎯 Exploit Status
Exploitation requires authenticated access to Nagios XI. The attacker needs to create or modify tools on the My Tools page with malicious payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.0 and later
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Back up your current Nagios XI configuration.
2. Download Nagios XI 5.8.0 or later from the Nagios website.
3. Follow the official upgrade instructions at https://assets.nagios.com/downloads/nagiosxi/docs/Upgrading-Nagios-XI.pdf.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Disable My Tools Page Access
Temporarily restrict access to the vulnerable My Tools page until patching can be completed.
# Modify Nagios XI permissions to restrict My Tools access
# This requires editing user permissions in the Nagios XI interface
Implement Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious payloads. A single literal-pattern rule like the one below is a stopgap; a maintained rule set such as the OWASP Core Rule Set gives broader XSS coverage.
# Configure WAF rules to detect and block XSS patterns in POST/GET parameters
# Example for ModSecurity. Phase 2 inspects both query-string and body arguments,
# which requires SecRequestBodyAccess On; t:lowercase makes the match case-insensitive.
SecRule ARGS "@contains <script" "id:1001,phase:2,t:none,t:lowercase,deny,status:403,msg:'Possible XSS in request arguments'"
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources; test the policy first, since a strict CSP also blocks inline scripts that the application's own pages may rely on
- Regularly audit user accounts and monitor for suspicious My Tools page modifications
🔍 How to Verify
Check if Vulnerable:
Check Nagios XI version via Admin > System Config > About. If version is below 5.8.0, the system is vulnerable.
Check Version:
grep 'nagiosxi_version' /usr/local/nagiosxi/var/xiversion.cfg
Verify Fix Applied:
After upgrading to 5.8.0 or later, verify the version in Admin > System Config > About and test that script tags entered in My Tools fields are properly sanitized.
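An added Python helper (not Nagios tooling) that turns the version check into a reliable verdict. It assumes the version file holds a line of the form `nagiosxi_version=5.7.5`, inferred from the grep above; adjust the key if the real file differs. The point it adds is that versions must be compared numerically: a string or grep comparison sorts 5.10.x before 5.8.0 and would misreport a fixed host as vulnerable.

```python
"""Decide whether an installed Nagios XI version predates the 5.8.0 fix.

Added example, not Nagios XI tooling. The key=value file format is an
assumption based on the advisory's grep command.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = (5, 8, 0)

# Constructed sample of the version file contents (assumed format).
SAMPLE_XIVERSION_CFG = """\
# constructed sample
nagiosxi_version=5.7.5
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.7.5' (optionally with a suffix such as '5.7.5-rc1') into (5, 7, 5)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_from_cfg(cfg_text: str, key: str = "nagiosxi_version") -> Optional[str]:
    """Find key=value in the config text; returns None if the key is absent."""
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip().strip("\"'")
    return None


def is_vulnerable(version: str) -> bool:
    """True when the version is older than the 5.8.0 fix release."""
    v = parse_version(version)
    # Pad both tuples to the same length so (5, 8) compares equal to (5, 8, 0).
    n = max(len(v), len(FIXED_VERSION))
    padded_v = v + (0,) * (n - len(v))
    padded_fixed = FIXED_VERSION + (0,) * (n - len(FIXED_VERSION))
    return padded_v < padded_fixed


def check_cfg(cfg_text: str) -> str:
    """Human-readable verdict for the contents of the version file."""
    ver = version_from_cfg(cfg_text)
    if ver is None:
        return "version key not found; check the file path and key name"
    verdict = "VULNERABLE (upgrade to 5.8.0 or later)" if is_vulnerable(ver) else "fixed"
    return f"Nagios XI {ver}: {verdict}"


if __name__ == "__main__":
    # On a real host, read the file the advisory greps instead of the sample:
    #   check_cfg(open("/usr/local/nagiosxi/var/xiversion.cfg").read())
    print(check_cfg(SAMPLE_XIVERSION_CFG))
```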
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to My Tools page entries
- Multiple failed login attempts followed by successful login and My Tools activity
- Administrator sessions originating from unexpected IP addresses
Network Indicators:
- HTTP requests containing script tags or JavaScript in My Tools page parameters
- Outbound connections to suspicious domains from Nagios XI server
SIEM Query:
source="nagiosxi" AND ("My Tools" OR "mytools") AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")
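An added detector (not Nagios or vendor code) that applies the indicators above to web-server access-log lines, for teams without a SIEM or as a way to validate the SIEM query. The request path containing `mytools` is an assumption taken from the query above, and the log lines are constructed. It adds one thing the plain query misses: the request is URL-decoded before matching, so a percent-encoded `%3Cscript` is still caught.

```python
"""Flag access-log lines that look like XSS attempts against the My Tools page.

Added example, not Nagios XI code. The 'mytools' path keyword is an
assumption based on the advisory's SIEM query; the sample log is constructed
in Apache/nginx combined format.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Indicator patterns from the advisory, matched case-insensitively after decoding.
XSS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"<script", r"javascript:", r"onerror\s*=", r"onload\s*=")
]

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one benign My Tools request, two suspicious ones,
# and one suspicious request against an unrelated page.
SAMPLE_LOG = """\
203.0.113.7 - admin [12/May/2024:10:01:02 +0000] "GET /nagiosxi/mytools.php?tool=https%3A%2F%2Fwiki.example.com HTTP/1.1" 200 1234
203.0.113.9 - alice [12/May/2024:10:02:15 +0000] "POST /nagiosxi/mytools.php?name=%3Cscript%3Ex%3C%2Fscript%3E&url=https%3A%2F%2Fexample.com HTTP/1.1" 302 0
198.51.100.4 - bob [12/May/2024:10:03:40 +0000] "GET /nagiosxi/index.php?search=%3Cscript%3E HTTP/1.1" 200 512
203.0.113.9 - alice [12/May/2024:10:04:01 +0000] "POST /nagiosxi/mytools.php?url=JavaScript%3Avoid(0) HTTP/1.1" 302 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_xss_pattern(decoded_request: str) -> Optional[str]:
    """Return the first indicator pattern found in an already-decoded request."""
    for pat in XSS_PATTERNS:
        if pat.search(decoded_request):
            return pat.pattern
    return None


def detect(log_text: str) -> List[Dict[str, str]]:
    """One alert per line that targets My Tools and carries an XSS indicator."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = unquote_plus(rec["path"])  # %XX and '+' decoded before matching
        if "mytools" not in decoded.lower():
            continue  # not the page of interest (assumed path keyword)
        hit = find_xss_pattern(decoded)
        if hit:
            alerts.append({"ip": rec["ip"], "user": rec["user"],
                           "ts": rec["ts"], "pattern": hit, "path": decoded})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} user={a['user']} pattern={a['pattern']} {a['path']}")
```

Running it on the sample reports the two `alice` requests and ignores both the benign My Tools request and the `<script` hit against `index.php`, which is outside this advisory's scope. Against a live log, the same `user` and `ip` fields map directly onto the "unexpected IP" indicator above.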