CVE-2022-50586
📋 TL;DR
Nagios XI versions before 5.8.9 contain a stored cross-site scripting vulnerability in the BPI component's info URL field. Attackers can inject malicious scripts that execute in victims' browsers when viewing the affected component. Organizations running Nagios XI versions below 5.8.9 are affected.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full system compromise if combined with other vulnerabilities.
Likely Case
Attackers with access to the BPI component could inject persistent scripts that steal session cookies or credentials from users viewing the affected pages.
If Mitigated
With proper input validation and output encoding, the risk is limited to authenticated users who can access the BPI component.
🎯 Exploit Status
Exploitation requires authenticated access to the BPI component and knowledge of XSS payloads. The vulnerability is stored/persistent.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.9
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Back up your Nagios XI configuration and data.
2. Download Nagios XI 5.8.9 or later from the official Nagios website.
3. Follow the upgrade instructions in the Nagios XI documentation.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation for the BPI info URL field to reject malicious scripts.
Output Encoding
Apply proper output encoding when displaying user-supplied data in the BPI component.
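The two workarounds above are independent layers, and a hardened handling path needs both: validate the URL on the way in (scheme allow-list, no control characters) and encode it on the way out (HTML attribute encoding). The following is an added example written for this page, not Nagios's own code; the function names, the `InvalidInfoUrl` exception and the rendered `<a>` markup are assumptions about how such a field might be handled, and the sample inputs are constructed.

```python
"""Added example (not Nagios's own code): validate-on-input plus
encode-on-output for a user-supplied "info URL" field such as the BPI
field named in the advisory. Names and markup here are assumptions."""
import html
from urllib.parse import urlsplit

# Only absolute web URLs are meaningful for an "info" link; javascript:,
# data: and scheme-relative (//host) values are rejected outright.
ALLOWED_SCHEMES = {"http", "https"}


class InvalidInfoUrl(ValueError):
    """Raised when a submitted info URL fails validation."""


def validate_info_url(value):
    """Return the stripped URL if it is an absolute http(s) URL with a host
    and no control characters; raise InvalidInfoUrl otherwise. An empty
    value is accepted because the field is optional."""
    url = value.strip()
    if not url:
        return ""
    # Reject C0 controls and DEL: newlines/tabs are a classic way to smuggle
    # "java\nscript:" past naive scheme checks.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        raise InvalidInfoUrl("control character in URL")
    parts = urlsplit(url)  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        raise InvalidInfoUrl(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise InvalidInfoUrl("missing host")
    return url


def is_valid_info_url(value):
    """Boolean convenience wrapper around validate_info_url."""
    try:
        validate_info_url(value)
        return True
    except InvalidInfoUrl:
        return False


def render_info_link(url, label):
    """Encode for an HTML attribute/element context. html.escape(quote=True)
    converts < > & " and ' so the value cannot break out of the href
    attribute or the element body it is placed in."""
    safe_url = html.escape(url, quote=True)
    safe_label = html.escape(label, quote=True)
    return f'<a href="{safe_url}">{safe_label}</a>'


def store_and_render(submitted_url, label):
    """Full path: validate what was submitted, then encode when displaying.
    Encoding still runs even for validated input, so a gap in validation
    does not become script execution in the viewer's browser."""
    url = validate_info_url(submitted_url)
    return render_info_link(url, label)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("https://example.com/docs", "javascript:alert(1)",
                      "JAVASCRIPT:alert(1)", "//example.com/x", ""):
        print(f"{candidate!r:32} valid={is_valid_info_url(candidate)}")
    print(store_and_render('http://example.com/?q="><script>alert(1)</script>', "Docs"))
```

Note that a URL which passes validation can still carry quote and angle-bracket characters in its query string; the rendered output shows them arriving as `&quot;`, `&lt;` and `&gt;`, which is why the encoding layer is not optional.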
🧯 If You Can't Patch
- Restrict access to the BPI component to only trusted administrators.
- Implement a web application firewall (WAF) with XSS protection rules.
🔍 How to Verify
Check if Vulnerable:
Check Nagios XI version via the web interface (Help > About) or command line: grep 'nagiosxi_version' /usr/local/nagiosxi/var/xiversion
Check Version:
grep 'nagiosxi_version' /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
Verify that the version is 5.8.9 or higher using the same methods. Test the BPI component's info URL field with safe test payloads.
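Comparing the version from the grep above by eye is fine for one host; across a fleet it is easy to get wrong because "5.10.0" sorts before "5.8.9" as a string. The following added example (not Nagios's own tooling) parses the xiversion file and compares numerically. It assumes the file contains a `nagiosxi_version=<x.y.z>` line, which is inferred from the grep in the advisory and not confirmed by it; the sample file content is constructed.

```python
"""Added example: decide whether a Nagios XI install is below the 5.8.9 fix
version by parsing the xiversion file. Not Nagios's own code; the
`nagiosxi_version=<x.y.z>` line format is an assumption."""
import re

FIXED_VERSION = (5, 8, 9)
XIVERSION_PATH = "/usr/local/nagiosxi/var/xiversion"  # path from the advisory

# Constructed sample content (assumed format, not real Nagios output).
SAMPLE_XIVERSION = """\
# nagios xi version info
nagiosxi_version=5.8.8
"""

_VERSION_RE = re.compile(r"^\s*nagiosxi_version\s*=\s*['\"]?(\d+(?:\.\d+)*)", re.M)


def parse_version(text):
    """Return the nagiosxi_version as a 3-tuple of ints, or None if absent.
    Shorter versions are padded with zeros so (5, 8) compares as (5, 8, 0)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_vulnerable(version):
    """True when the version tuple is older than the fixed release. Tuples
    compare field by field numerically, so (5, 10, 0) > (5, 8, 9)."""
    return version < FIXED_VERSION


def check_file(path=XIVERSION_PATH):
    """Read the xiversion file on this host and report vulnerable / not.
    Returns None if the version line cannot be found."""
    with open(path, encoding="utf-8") as fh:
        version = parse_version(fh.read())
    return None if version is None else is_vulnerable(version)


if __name__ == "__main__":
    v = parse_version(SAMPLE_XIVERSION)
    print(f"parsed {v}, vulnerable={is_vulnerable(v)}")
```

Run `check_file()` on the host itself; the `__main__` block uses the constructed sample so the script can be tried offline.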
📡 Detection & Monitoring
Log Indicators:
- Unusual or suspicious entries in the BPI component logs
- Multiple failed attempts to submit malformed URLs
Network Indicators:
- Unexpected JavaScript payloads in HTTP requests to Nagios XI BPI endpoints
SIEM Query:
source="nagios_xi" AND (url="*<script>*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
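The SIEM query above matches the four indicator strings literally. A practitioner will usually want the same check applied to web-server access logs with percent-encoding removed and case folded, since `%3Cscript%3E` or `<ScRiPt>` would otherwise slip past a literal `*<script>*` wildcard. The following added example (not part of the advisory and not Nagios's own code) does that over constructed combined-format log lines; the BPI endpoint path and the `url=` parameter in the sample lines are placeholders, and the IPs and timestamps are made up.

```python
"""Added example: apply the advisory's four XSS indicators to constructed
access-log lines, URL-decoding (up to a few rounds, to catch double
encoding) and lower-casing before matching. Endpoint path is a placeholder."""
import re
from urllib.parse import unquote_plus

# Same indicators as the advisory's SIEM query, lower-cased for comparison.
XSS_INDICATORS = ("<script>", "javascript:", "onerror=", "onload=")

# Constructed sample lines in combined log format. The request path is a
# placeholder, not the real BPI endpoint.
SAMPLE_LOG = """\
203.0.113.5 - admin [12/Jan/2024:10:01:02 +0000] "POST /nagiosxi/PLACEHOLDER_BPI_ENDPOINT?url=https%3A%2F%2Fexample.com%2Fdocs HTTP/1.1" 200 512
203.0.113.9 - admin [12/Jan/2024:10:03:17 +0000] "POST /nagiosxi/PLACEHOLDER_BPI_ENDPOINT?url=javascript%3Aalert(1) HTTP/1.1" 200 512
203.0.113.9 - admin [12/Jan/2024:10:04:40 +0000] "GET /nagiosxi/PLACEHOLDER_BPI_ENDPOINT?url=%253CScRiPt%253Ealert(1)%253C/script%253E HTTP/1.1" 200 512
198.51.100.2 - - [12/Jan/2024:10:05:00 +0000] "GET /nagiosxi/login.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded %253C becomes '<' as well."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_indicators(url):
    """Return the list of advisory indicators present in the decoded URL."""
    normalized = decode_fully(url).lower()
    return [ind for ind in XSS_INDICATORS if ind in normalized]


def scan_log(text):
    """Parse each line, check the request URL, and return one dict per hit
    with the fields an analyst needs to pivot on."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        indicators = find_xss_indicators(m.group("url"))
        if indicators:
            hits.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "ts": m.group("ts"),
                "url": m.group("url"),
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} indicators={hit['indicators']}")
```

The decoded, lower-cased match is deliberately broader than the SIEM query; expect it to flag legitimate URLs that merely mention these strings, so treat hits on the BPI endpoint as a triage queue rather than a verdict.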