CVE-2024-13996
📋 TL;DR
Nagios XI versions before 2024R1.1.3 do not invalidate a user's existing sessions when that user's password is changed, so an attacker who already holds a valid session can keep using it after the legitimate user rotates the password. Every Nagios XI account with an active session is affected, administrators included. The weakness turns a one-off session theft into continued unauthorized access to monitoring data and system controls, because the usual remediation for a suspected compromise (change the password) does not end the attacker's access.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
An attacker with a stolen administrator session keeps persistent administrative access to the Nagios XI monitoring system. From there they can modify configurations, disable alerts, and define check commands or event handlers that run on the Nagios server (and on monitored hosts through monitoring agents), and they retain that access indefinitely despite password changes.
Likely Case
Attackers who have obtained session tokens through phishing, malware, or other credential theft maintain access to user accounts, potentially accessing sensitive monitoring data and performing unauthorized actions within the Nagios XI interface.
If Mitigated
With compensating session management controls and monitoring in place, the impact is limited to unauthorized access for the remaining lifetime of the stolen session, that is, until it expires or an operator terminates it by hand.
🎯 Exploit Status
Exploitation requires an attacker to have obtained a valid session token through other means (phishing, malware, session hijacking, a leaked cookie). Once obtained, the attack is trivial: the attacker simply keeps sending requests with the stolen session, and a password change by the victim does nothing to stop them.
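The following added example (illustration written for this page, not Nagios XI code) models the two behaviours in a toy session store. The vulnerable store keeps a session valid for as long as it exists, which is the behaviour this CVE describes; the hardened store records the password generation each session was issued under, bumps the generation on every password change, and re-issues the caller's own session with a fresh id so that every other pre-change session is rejected. Class and function names are this example's own.

```python
"""Toy session stores showing why a password change must invalidate
other sessions. Added example for this advisory; not Nagios XI code."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class User:
    """Minimal user record; pw_generation counts password changes."""

    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.pw_generation = 0
        self.set_password(password)

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.pw_generation += 1  # every change moves the account to a new generation

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)


class VulnerableSessionStore:
    """Behaviour described in the advisory: a session stays valid for as
    long as the server still holds it, regardless of later password changes."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # sid -> username

    def login(self, user: User, password: str) -> Optional[str]:
        if not user.check_password(password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user.name
        return sid

    def change_password(self, user: User, current_sid: str, new_password: str) -> str:
        user.set_password(new_password)  # sessions are left untouched: the bug
        return current_sid

    def is_valid(self, sid: str, user: User) -> bool:
        return self.sessions.get(sid) == user.name


class HardenedSessionStore:
    """Each session records the password generation it was issued under.
    A change bumps the generation, drops every session of that user and
    re-issues the caller's session under a new id, so stolen copies of the
    old session fail validation."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Tuple[str, int]] = {}  # sid -> (username, generation)

    def login(self, user: User, password: str) -> Optional[str]:
        if not user.check_password(password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user.name, user.pw_generation)
        return sid

    def change_password(self, user: User, current_sid: str, new_password: str) -> str:
        user.set_password(new_password)
        for sid, (name, _) in list(self.sessions.items()):
            if name == user.name:
                del self.sessions[sid]  # revoke every session, the caller's included
        new_sid = secrets.token_urlsafe(32)  # then re-issue the caller's with a fresh id
        self.sessions[new_sid] = (user.name, user.pw_generation)
        return new_sid

    def is_valid(self, sid: str, user: User) -> bool:
        entry = self.sessions.get(sid)
        return entry is not None and entry == (user.name, user.pw_generation)


def demo() -> Dict[str, Dict[str, bool]]:
    """Attacker holds a copy of the victim's session; the victim then changes
    the password from a second session. Returns who can still act afterwards."""
    results = {}
    for store_cls in (VulnerableSessionStore, HardenedSessionStore):
        user = User("admin", "old-password")
        store = store_cls()
        stolen = store.login(user, "old-password")   # attacker's stolen cookie
        victim = store.login(user, "old-password")   # victim's own browser
        victim = store.change_password(user, victim, "new-password")
        results[store_cls.__name__] = {
            "stolen_still_valid": store.is_valid(stolen, user),
            "victim_still_valid": store.is_valid(victim, user),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Binding sessions to a generation counter rather than deleting rows is what makes the check robust when sessions live in several places (file store, cache, load-balanced nodes): any copy of a pre-change session fails the generation comparison even if the revocation loop missed it.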
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024R1.1.3
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: Yes
Instructions:
1. Back up the current Nagios XI configuration and data.
2. Download Nagios XI 2024R1.1.3 from the Nagios customer portal.
3. Run the upgrade script following the Nagios XI upgrade documentation.
4. Restart Nagios XI services.
5. Verify that existing sessions are terminated after a password change (see How to Verify below).
🔧 Temporary Workarounds
Manual Session Termination
Terminate all active web sessions after a password change. Note that PHP sessions stored on disk survive a web server restart, so also clear the files under PHP's session.save_path (this logs every user out, including legitimate ones); restarting the Nagios Core daemon does not affect web sessions at all.
sudo systemctl restart httpd
sudo systemctl restart nagios
Session Timeout Reduction
Reduce session timeout values to narrow the window in which a stolen session is usable.
Edit /usr/local/nagiosxi/html/config.inc.php and set session.gc_maxlifetime to a lower value. session.gc_maxlifetime is a PHP runtime directive, and PHP's session garbage collection runs probabilistically (session.gc_probability / session.gc_divisor), so an expired file-backed session may still be honoured until a collection pass actually removes it; lowering it limits exposure but does not replace the fix.
🧯 If You Can't Patch
- Treat any password change for a possibly compromised account as incomplete until all of that user's sessions have been terminated by hand (see the workaround above)
- Restrict network access to the Nagios XI web interface to trusted administrative networks only, so a stolen session can only be replayed from inside them
🔍 How to Verify
Check if Vulnerable:
Check the Nagios XI version: log in to the Nagios XI web interface and navigate to Help > About. If the version is earlier than 2024R1.1.3, the system is vulnerable.
Check Version:
grep 'product_version' /usr/local/nagiosxi/html/config.inc.php
Verify Fix Applied:
After upgrading to 2024R1.1.3:
1. Create a test user account.
2. Log in and capture the session cookie.
3. Change the test user's password from a second login.
4. Attempt a request with the captured session cookie; it should be rejected.
5. Verify that a fresh login with the new password works.
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from same user from different IP addresses simultaneously
- User activity continuing after password change events
- Session IDs remaining active beyond password reset timestamps
Network Indicators:
- Unusual authentication patterns to Nagios XI web interface
- Session cookies being reused across password change boundaries
SIEM Query:
The field names below (user, session_id, event) are placeholders; map them onto the fields your web server and Nagios XI logs actually provide. The query finds each user's password change time and lists the sessions that keep acting after it; on a patched system only the session that performed the change should appear.
source="nagios_access.log" | eventstats min(eval(if(event="password_change" OR event="PASSWORD_CHANGE", _time, null()))) as change_time by user | where isnotnull(change_time) AND _time > change_time AND event!="password_change" AND event!="PASSWORD_CHANGE" | stats count values(event) as actions by user, session_id
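The same correlation as runnable detection logic, added here as an example rather than taken from the page or from Nagios XI. The log format is constructed for the illustration (Nagios XI does not emit these exact fields); adapt parse_line to the timestamp, user, session id, client IP and event type your own logs carry. A session is flagged when it was established before the user's password change, is not the session that performed the change, and still shows activity afterwards. A second check covers the "same user from several IPs" indicator.

```python
"""Flag sessions that stay active across a password change.
Added example for this advisory; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample log: "<ISO timestamp> user=<u> sid=<s> ip=<ip> event=<e>".
# alice changes her password from session s1 while s2 (a different IP) keeps acting;
# bob changes his password and continues in the same session, which is legitimate.
SAMPLE_LOG = """\
2024-03-01T09:00:00 user=alice sid=s1 ip=10.0.0.5 event=login
2024-03-01T09:05:00 user=alice sid=s2 ip=198.51.100.7 event=login
2024-03-01T09:10:00 user=alice sid=s2 ip=198.51.100.7 event=view_dashboard
2024-03-01T09:15:00 user=alice sid=s1 ip=10.0.0.5 event=password_change
2024-03-01T09:20:00 user=alice sid=s2 ip=198.51.100.7 event=edit_config
2024-03-01T09:21:00 user=bob sid=s3 ip=10.0.0.9 event=login
2024-03-01T09:22:00 user=bob sid=s3 ip=10.0.0.9 event=password_change
2024-03-01T09:23:00 user=bob sid=s3 ip=10.0.0.9 event=view_dashboard
2024-03-01T09:30:00 user=alice sid=s4 ip=10.0.0.5 event=login
2024-03-01T09:31:00 user=alice sid=s4 ip=10.0.0.5 event=view_dashboard
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def parse_log(text: str) -> List[dict]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def sessions_active_after_password_change(events: List[dict]) -> Dict[Tuple[str, str], List[str]]:
    """Return {(user, sid): [events]} for sessions established before a
    password change, other than the changing session, that act after it."""
    events = sorted(events, key=lambda e: e["ts"])
    changes: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    first_seen: Dict[Tuple[str, str], datetime] = {}
    for e in events:
        key = (e["user"], e["sid"])
        first_seen.setdefault(key, e["ts"])
        if e["event"] == "password_change":
            changes[e["user"]].append((e["ts"], e["sid"]))

    flagged: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for e in events:
        key = (e["user"], e["sid"])
        for change_ts, change_sid in changes.get(e["user"], []):
            if (e["sid"] != change_sid            # not the session that changed it
                    and first_seen[key] < change_ts  # issued before the change
                    and e["ts"] > change_ts):        # and still acting afterwards
                flagged[key].append(e["event"])
                break
    return dict(flagged)


def concurrent_source_ips(events: List[dict]) -> Dict[str, Set[str]]:
    """Users whose sessions were seen from more than one client IP."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        ips[e["user"]].add(e["ip"])
    return {u: s for u, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(sessions_active_after_password_change(evs))
    print(concurrent_source_ips(evs))
```

The first_seen check matters: a session that logs in after the change (alice's s4 above) is a normal re-authentication with the new password and must not be flagged, whereas s2 was issued under the old password and should have died with it.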