CVE-2024-13994
📋 TL;DR
Nagios XI versions before 2024R1.1.2 contain a missing-authorization flaw that is reachable only when the 'Allow Insecure Logins' option is enabled. With that option on, a user with access to the web interface can create valid login credentials for other users without being authorized to do so, which can lead to unauthorized account creation, privilege escalation, or full compromise of the web interface. Every Nagios XI installation older than 2024R1.1.2 with the insecure login option enabled is affected.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios: the commercial infrastructure monitoring platform from Nagios Enterprises, built on Nagios Core and administered through a web interface.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of Nagios XI web interface, allowing attackers to create administrative accounts, modify monitoring configurations, execute arbitrary commands, and potentially pivot to other systems.
Likely Case
Unauthorized account creation leading to privilege escalation, data exfiltration, and manipulation of monitoring alerts to hide malicious activity.
If Mitigated
Limited impact if 'Allow Insecure Logins' is disabled, though other vulnerabilities could still exist.
🎯 Exploit Status
Exploitation requires the 'Allow Insecure Logins' setting to be enabled; installations with it disabled are not exposed to this issue. An attacker needs some level of access to the Nagios XI web interface, but once that is in hand, creating credentials for other (including higher-privileged) users requires little effort.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024R1.1.2
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: Yes
Instructions:
1. Back up the current Nagios XI configuration and data.
2. Download Nagios XI 2024R1.1.2 or later from the Nagios website.
3. Follow the Nagios XI upgrade documentation.
4. Restart the Nagios XI services after the upgrade.
5. Verify that the 'Allow Insecure Logins' option is disabled.
🔧 Temporary Workarounds
Disable Insecure Logins
Disable the 'Allow Insecure Logins' option in the Nagios XI configuration; this removes the precondition for the vulnerability until the upgrade can be applied.
Navigate to Admin > System Config > General Configuration > Security Settings
Set 'Allow Insecure Logins' to 'No'
Save configuration changes
🧯 If You Can't Patch
- Immediately disable 'Allow Insecure Logins' option in Nagios XI configuration
- Implement network segmentation to restrict access to Nagios XI web interface
🔍 How to Verify
Check if Vulnerable:
Check Nagios XI version and verify if 'Allow Insecure Logins' is enabled in Admin > System Config > General Configuration > Security Settings.
Check Version:
Read the version from the Nagios XI web interface footer, or on the server from the version file: grep 'nagios_version' /usr/local/nagiosxi/var/xiversion (or simply cat the file if the key name differs on your build).
Verify Fix Applied:
Verify Nagios XI version is 2024R1.1.2 or later and confirm 'Allow Insecure Logins' is disabled.
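The version check above has a wrinkle when sweeping a fleet: Nagios XI has used two version schemes (legacy 5.x releases such as 5.11.3, and year-based releases such as 2024R1.1.2), and a naive string comparison gets them wrong. The following helper is an added example written for this page, not Nagios code. It normalises both schemes, compares against the fixed version, and combines the result with the state of the 'Allow Insecure Logins' setting (which you still read from the Admin UI path above; the boolean here is passed in by the caller). The sample xiversion contents are constructed, and the assumption that the file carries a `full=<version>` line is exactly that, an assumption, so adjust the key if your file differs.

```python
"""Decide whether a Nagios XI install predates the CVE-2024-13994 fix.

Added example, not Nagios's own code. Assumes the version file holds a
'full=<version>' line (an assumption); the sample contents are constructed.
"""
import re
from typing import Tuple

FIXED_VERSION = "2024R1.1.2"

# Constructed stand-in for /usr/local/nagiosxi/var/xiversion (assumed format).
SAMPLE_XIVERSION = """full=2024R1.1.1
major=2024
minor=1
"""

# Year-based scheme: <year>R<release>[.<minor>[.<patch>]], e.g. 2024R1.1.2
_YEAR_SCHEME = re.compile(r"^(\d{4})R(\d+)(?:\.(\d+))?(?:\.(\d+))?$")
# Legacy scheme: <major>.<minor>[.<patch>], e.g. 5.11.3
_LEGACY_SCHEME = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Normalise either scheme into a comparable 5-tuple.

    The first element encodes the scheme so that every legacy 5.x release
    sorts below every year-based release. Missing minor/patch parts are 0,
    so 2024R1 == 2024R1.0.0.
    """
    v = version.strip()
    m = _YEAR_SCHEME.match(v)
    if m:
        year, release, minor, patch = m.groups()
        return (1, int(year), int(release), int(minor or 0), int(patch or 0))
    m = _LEGACY_SCHEME.match(v)
    if m:
        major, minor, patch = m.groups()
        return (0, int(major), int(minor), int(patch or 0), 0)
    raise ValueError(f"unrecognised Nagios XI version string: {version!r}")


def is_vulnerable_version(version: str) -> bool:
    """True when the version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_xiversion(contents: str) -> str:
    """Pull the 'full=' value out of xiversion-style key=value text."""
    for line in contents.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "full":
            return value.strip()
    raise ValueError("no 'full=' line found in xiversion contents")


def assess(contents: str, insecure_logins_enabled: bool) -> str:
    """Combine version and setting into a one-line verdict for a sweep report."""
    version = version_from_xiversion(contents)
    if not is_vulnerable_version(version):
        return f"{version}: patched"
    if insecure_logins_enabled:
        return f"{version}: VULNERABLE (Allow Insecure Logins is on; disable it and upgrade)"
    return f"{version}: unpatched, setting off (not exploitable via this bug; schedule upgrade)"


if __name__ == "__main__":
    print(assess(SAMPLE_XIVERSION, insecure_logins_enabled=True))
```

Feed `assess()` the contents of each host's xiversion file plus the setting state you recorded from the UI; the verdict separates hosts that need an emergency setting change from those that only need the upgrade scheduled.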
📡 Detection & Monitoring
Log Indicators:
- Unexpected user account creation events
- Failed login attempts followed by successful logins from new accounts
- Configuration changes to user permissions
Network Indicators:
- Unusual authentication requests to Nagios XI web interface
- Traffic patterns indicating account enumeration
SIEM Query:
source="nagios_xi" AND (event_type="user_creation" OR event_type="permission_change")
The source and event_type values are placeholders; map them to the field names your log source actually emits for Nagios XI account and permission events.
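The log indicators above describe a correlation, not a single event: an account created by someone who should not be creating accounts, and a brand-new account logging in shortly after it appears (possibly after a burst of failed attempts from the same source). The rule below is an added example, not code from the page or from Nagios, and the event records are constructed; they are not the Nagios XI audit-log format, so map your real fields (timestamp, event type, actor, target, source address, outcome) onto this schema before running it. The admin allow-list is likewise an assumption for the example.

```python
"""Correlation rule over account-creation and login events.

Added example; the event schema and sample events are constructed and do
not reflect Nagios XI's real audit-log format. ADMINS is an assumed list.
"""
from datetime import datetime, timedelta
from typing import Dict, List

ADMINS = {"nagiosadmin"}                 # assumption: accounts allowed to create users
NEW_ACCOUNT_WINDOW = timedelta(minutes=30)  # "new account" = created within this window
FAILED_BURST_THRESHOLD = 3               # failures before a success that we care about

# Constructed sample events (not real Nagios XI logs).
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-05-01T10:00:00", "type": "user_creation", "actor": "nagiosadmin", "target": "ops_bob", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:20:00", "type": "user_creation", "actor": "readonly_joe", "target": "svc_backup", "src": "10.0.0.9"},
    {"ts": "2024-05-01T10:21:00", "type": "login", "actor": "svc_backup", "outcome": "failure", "src": "10.0.0.9"},
    {"ts": "2024-05-01T10:21:05", "type": "login", "actor": "svc_backup", "outcome": "failure", "src": "10.0.0.9"},
    {"ts": "2024-05-01T10:21:10", "type": "login", "actor": "svc_backup", "outcome": "failure", "src": "10.0.0.9"},
    {"ts": "2024-05-01T10:21:15", "type": "login", "actor": "svc_backup", "outcome": "success", "src": "10.0.0.9"},
    {"ts": "2024-05-01T11:30:00", "type": "login", "actor": "ops_bob", "outcome": "success", "src": "10.0.0.5"},
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def correlate(events: List[Dict]) -> List[Dict]:
    """Return alerts for the three patterns in the Log Indicators list.

    Processes events in time order and keeps two small state tables:
    accounts seen being created, and consecutive failure counts per
    (account, source) pair that are consumed by the next success.
    """
    alerts: List[Dict] = []
    created: Dict[str, Dict] = {}          # account -> creation event
    failures: Dict[tuple, int] = {}        # (account, src) -> consecutive failures
    for e in sorted(events, key=_ts):
        if e["type"] == "user_creation":
            created[e["target"]] = e
            if e["actor"] not in ADMINS:
                alerts.append({"rule": "non_admin_created_account", "account": e["target"],
                               "actor": e["actor"], "ts": e["ts"]})
        elif e["type"] == "login":
            key = (e["actor"], e["src"])
            if e["outcome"] == "failure":
                failures[key] = failures.get(key, 0) + 1
                continue
            burst = failures.pop(key, 0)   # failures immediately preceding this success
            creation = created.get(e["actor"])
            if creation and _ts(e) - _ts(creation) <= NEW_ACCOUNT_WINDOW:
                alerts.append({"rule": "new_account_login", "account": e["actor"],
                               "created_by": creation["actor"], "ts": e["ts"], "failed_before": burst})
            elif burst >= FAILED_BURST_THRESHOLD:
                alerts.append({"rule": "failed_burst_then_success", "account": e["actor"],
                               "ts": e["ts"], "failed_before": burst})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the admin-created account that logs in an hour and a half later produces nothing, while the account created by a non-admin and used minutes later (after three failures) raises two alerts. The failure counter is keyed on account and source so an attacker guessing at a freshly minted login from one address is caught without an old account's unrelated typos being swept in.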