Nagios Core 4.4.5 — URL Injection
I. OVERVIEW
Discoverer: Aishee — UraSec Team
Vendor & Product: Nagios Core
Version: Nagios Core 4.4.5
II. ABOUT NAGIOS CORE
Nagios is a free and open-source software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved.
III. VULNERABILITY DETAILS
Location: Alert Histogram and Trends function.
I could insert malicious files in the Alert Histogram and Trends function; it only needs setting up another server, compiling the Nagios files objectjson.cgi, archivejson.cgi and statusjson.cgi, and copying them to that server.
Video POC
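As an added example, not part of this advisory or of the Nagios project, the script below shows how a defender could scan web-server access logs for the shape of the injection described above: a query-string parameter on the Alert Histogram or Trends CGI whose value is an absolute (or scheme-relative) URL pointing at a host other than the Nagios server itself. It assumes those two pages are served by histogram.cgi and trends.cgi, that the log is in Apache/nginx combined format, and it inspects every parameter because the advisory does not name the injected one; the sample log lines and the parameter name "url" in them are constructed placeholders.

```python
"""Scan access logs for external URLs injected into the query string of the
Nagios Core CGIs behind the Alert Histogram and Trends pages."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: "Alert Histogram" and "Trends" are served by histogram.cgi and
# trends.cgi; adjust if your installation maps them differently.
WATCHED_CGIS = ("histogram.cgi", "trends.cgi")

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def external_url_host(value, allowed_hosts):
    """Return the host name if value is an absolute or scheme-relative URL whose
    host is not in allowed_hosts, else None. A second unquote() pass catches
    double-encoded values such as %252F%252Fhost."""
    for candidate in (value, unquote(value)):
        try:
            parts = urlsplit(candidate.strip())
        except ValueError:  # malformed input (e.g. bad IPv6 brackets) is not a URL we can act on
            continue
        if parts.netloc and parts.hostname and parts.hostname.lower() not in allowed_hosts:
            return parts.hostname.lower()
    return None


def scan_line(line, allowed_hosts=frozenset()):
    """Return findings (client, cgi, param, host) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    cgi = target.path.rsplit("/", 1)[-1]
    if cgi not in WATCHED_CGIS:
        return []
    findings = []
    # parse_qsl decodes one layer of percent-encoding for us
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        host = external_url_host(value, allowed_hosts)
        if host:
            findings.append({"client": m.group("client"), "cgi": cgi,
                             "param": name, "host": host})
    return findings


def scan_log(lines, allowed_hosts=frozenset()):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for line in lines for f in scan_line(line, allowed_hosts)]


# Constructed sample lines (not real traffic). The parameter name "url" is a
# placeholder; the scan inspects every parameter value regardless of name.
SAMPLE_LOG = [
    '10.0.0.5 - nagiosadmin [20/Apr/2020:10:01:02 +0000] "GET /nagios/cgi-bin/histogram.cgi?host=web01&t1=1586000000&t2=1587000000 HTTP/1.1" 200 5120',
    '10.0.0.5 - nagiosadmin [20/Apr/2020:10:02:15 +0000] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 8800',
    '10.0.0.9 - nagiosadmin [20/Apr/2020:10:03:40 +0000] "GET /nagios/cgi-bin/trends.cgi?host=web01&url=https%3A%2F%2Fattacker.example%2Fnagios%2Fcgi-bin%2F HTTP/1.1" 200 4711',
    '10.0.0.9 - nagiosadmin [20/Apr/2020:10:04:01 +0000] "GET /nagios/cgi-bin/histogram.cgi?host=web01&url=%252F%252Fattacker.example%252Fx HTTP/1.1" 200 4711',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, allowed_hosts={"nagios.internal.example"}):
        print(f"{f['client']} -> {f['cgi']} param={f['param']} external host={f['host']}")
```

Run against the constructed sample, the scan reports the two requests that carry an attacker-controlled host (one plainly encoded, one double-encoded) and ignores the ordinary histogram and status requests; pass your own Nagios host names in `allowed_hosts` so self-references are not flagged.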
IV. IMPACT
- Insertion of content that is harmful to users
- Ability to escalate the exploit into backdoors for applications
- etc.
V. REMEDIATION
Nagios Core 4.x Version History - Nagios (www.nagios.org): 4.4.6 - 2020-04-28 FIXES: Fixed Map display in Internet Explorer 11 (#714) (Scott Wilkerson); Fixed duplicate properties…
sawolf/nagioscore (github.com): Nagios is a host/service/network monitoring program written in C and released under the GNU General Public License…
VI. REPORT TIMELINE
04/12/2020: Discovered the vulnerability
04/12/2020: Responsible disclosure to Nagios Enterprise (security@nagios.com)
04/18/2020: Nagios Enterprise confirmed the issue and released a branch fix
VII. THANKS TO
swolf@nagios.com for confirming and fixing the issue.