CVE-2024-54958
📋 TL;DR
Nagios XI 2024R1.2.2 contains a stored XSS vulnerability in the Tools page that allows authenticated attackers to inject malicious scripts. When other users access the Tools page, these scripts execute in their browser context, potentially compromising their sessions or performing actions on their behalf. This affects all Nagios XI administrators and users with access to the Tools interface.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, perform unauthorized administrative actions, redirect users to malicious sites, or deploy malware through the compromised Nagios interface.
Likely Case
Session hijacking of Nagios administrators, credential theft, or unauthorized monitoring configuration changes that could hide malicious activity.
If Mitigated
Exposure is limited to authenticated users, but a lower-privileged user can still escalate privileges if the injected script is rendered for administrators viewing the Tools page.
🎯 Exploit Status
The GitHub reference contains proof-of-concept details. Exploitation requires authenticated access but is technically simple once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Nagios XI updates beyond 2024R1.2.2
Vendor Advisory: https://www.nagios.com/products/security/
Restart Required: Yes
Instructions:
1. Log into Nagios XI as administrator.
2. Navigate to Admin > Check for Updates.
3. Apply the latest security update.
4. Restart Nagios XI services.
5. Clear browser caches of all users.
🔧 Temporary Workarounds
Input Sanitization Enhancement
Implement additional input validation and output encoding for Tools page parameters
Requires code modification - consult Nagios documentation for custom validation rules
Content Security Policy
Implement strict CSP headers to limit script execution
Add to web server config: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Restrict access to Nagios XI Tools page to only essential administrators using network ACLs or application firewalls
- Implement web application firewall rules to detect and block XSS payloads in Tools page parameters
🔍 How to Verify
Check if Vulnerable:
Check Nagios XI version via Admin > System Overview or run: cat /usr/local/nagiosxi/var/xiversion
Check Version:
cat /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
After patching, attempt to inject basic XSS payloads like <script>alert('test')</script> into Tools page fields and verify they are properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Tools page with script tags or JavaScript code in parameters
- Multiple failed login attempts followed by Tools page access
Network Indicators:
- HTTP requests containing <script> tags or JavaScript functions in Tools page parameters
- Unexpected outbound connections from Nagios server after Tools page access
SIEM Query:
source="nagios_access.log" AND (uri_path="/nagiosxi/admin/tools.php" OR uri_path="/nagiosxi/includes/components/tools/") AND (http_method="POST" OR parameters CONTAINS "<script>" OR parameters CONTAINS "javascript:")
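The log indicators and SIEM query above can be checked offline against the web server's access log. The following is an added example, not part of the advisory or of Nagios XI: it parses combined-format access log lines (constructed sample lines, not real traffic), URL-decodes query parameters for the two Tools page paths named in the query, and flags values containing script tags, javascript: URLs or inline event handlers. Only query-string parameters are visible in a standard access log, so POST requests to the Tools page are reported without parameters for correlation with other sources.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined-format access log line (Apache/nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Tools page paths from the advisory's SIEM query.
TOOLS_PATHS = ("/nagiosxi/admin/tools.php", "/nagiosxi/includes/components/tools/")

# Script tags, javascript: URLs and inline event handlers (onerror=, onload=, ...).
XSS_RE = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def parse_line(line):
    """Split one access log line into fields; returns None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl decodes once; a second unquote() catches double-encoded payloads
    # that a single-decode filter would miss.
    rec["params"] = {k: unquote(v) for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    return rec

def suspicious_params(params):
    """Names of parameters whose decoded value matches an XSS indicator."""
    return sorted(k for k, v in params.items() if XSS_RE.search(v))

def scan_log(lines):
    """Return (ip, user, method, path, flagged_param_names) for Tools page requests."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(TOOLS_PATHS):
            continue
        bad = suspicious_params(rec["params"])
        if bad or rec["method"] == "POST":   # POST bodies are not logged; report for review
            hits.append((rec["ip"], rec["user"], rec["method"], rec["path"], bad))
    return hits

# Constructed sample lines: one plain script tag, one benign request, one request to a
# non-Tools page, one double-encoded payload and one POST without a query string.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Jan/2025:10:15:01 +0000] "GET /nagiosxi/admin/tools.php?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123',
    '10.0.0.5 - admin [12/Jan/2025:10:15:09 +0000] "GET /nagiosxi/admin/tools.php?name=Ping%20Tool HTTP/1.1" 200 5123',
    '10.0.0.7 - bob [12/Jan/2025:10:16:00 +0000] "GET /nagiosxi/index.php?q=%3Cscript%3E HTTP/1.1" 200 100',
    '10.0.0.9 - eve [12/Jan/2025:10:17:30 +0000] "GET /nagiosxi/admin/tools.php?url=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 302 0',
    '10.0.0.9 - eve [12/Jan/2025:10:17:31 +0000] "POST /nagiosxi/admin/tools.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```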