Nagios XI 5.5.10: XSS to root RCE
CVE-2019-9164, CVE-2019-9165, CVE-2019-9166, CVE-2019-9167, CVE-2019-9202, CVE-2019-9203, CVE-2019-9204
Sources
https://www.nagios.com/products/security/
Risks
Various critical vulnerabilities have been found in Nagios XI 5.5.10 and prior versions.
CERT.be recommends that system administrators upgrade to Nagios XI 5.5.11 or above, which includes all the fixes.
A Proof of Concept is available.
Recommended Actions
Upgrade to Nagios XI 5.5.11 or above.
Upgrade Nagios IM component to version 2.2.7 or above.
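The two fixed versions above are the only values an administrator needs to act on. As an added example (not code from CERT.be or from Nagios), the following Python script compares installed Nagios XI and Nagios IM versions against those thresholds and lists the hosts that still need the upgrade; the hostnames and installed versions in the sample inventory are constructed for illustration, and the product keys `nagios-xi` / `nagios-im` are labels chosen here, not Nagios identifiers.

```python
# Added example (not from the CERT.be advisory or Nagios): decide whether an
# installed Nagios XI / Nagios IM version is below the fixed release named in
# the "Recommended Actions" section. The fixed versions come from the advisory;
# the sample inventory below is constructed for illustration.

from typing import List, Tuple

# Fixed versions per the advisory: XI 5.5.11 or above, IM 2.2.7 or above.
# The product keys are labels chosen for this script, not Nagios identifiers.
FIXED_VERSIONS = {
    "nagios-xi": "5.5.11",
    "nagios-im": "2.2.7",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '5.5.10' into a tuple of ints.

    A non-numeric suffix on a component (e.g. '5.5.10-rc1') is dropped so the
    pre-release compares as its base version. Unparseable input raises
    ValueError instead of being silently treated as patched.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_affected(product: str, installed: str) -> bool:
    """Return True when `installed` is older than the fixed version for `product`."""
    fixed = parse_version(FIXED_VERSIONS[product])
    current = parse_version(installed)
    # Pad the shorter tuple with zeros so '5.6' compares like '5.6.0'.
    width = max(len(fixed), len(current))
    fixed += (0,) * (width - len(fixed))
    current += (0,) * (width - len(current))
    return current < fixed


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need the upgrade."""
    return [(host, product, ver) for host, product, ver in inventory
            if is_affected(product, ver)]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("mon-01.example.internal", "nagios-xi", "5.5.10"),
    ("mon-02.example.internal", "nagios-xi", "5.5.11"),
    ("mon-02.example.internal", "nagios-im", "2.2.6"),
    ("mon-03.example.internal", "nagios-xi", "5.6"),
]

if __name__ == "__main__":
    for host, product, ver in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {ver} is below {FIXED_VERSIONS[product]}, upgrade required")
```

Feed the script whatever your asset inventory exports; a version that cannot be parsed raises rather than being skipped, so an unexpected version string shows up as an error instead of a silent "not affected".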
More Information
Various vulnerabilities have been found in Nagios XI 5.5.10 that allow a remote attacker to obtain a remote root shell. The attacker only needs to trick an authenticated victim (with “autodiscovery job” creation privileges) into visiting a malicious URL.
References
https://www.nagios.com/downloads/nagios-xi/change-log/
https://www.shielder.it/blog/nagios-xi-5-5-10-xss-to-root-rce/