Executive Summary

CVE-2024-13986 is an authenticated remote code execution vulnerability in Nagios XI versions before 2024R1.3.2. It involves two chained flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. Attackers with valid credentials can upload malicious PHP files to a non-web-accessible directory due to insufficient file extension validation. Then, by exploiting a path traversal vulnerability in the snapshot rename functionality, they can move these PHP files into a web-accessible directory. This allows the attacker to execute arbitrary PHP code on the server as the www-data user. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary code on the Nagios XI server with the privileges of the web server user (www-data). This can lead to full compromise of the affected system, unauthorized access to sensitive data, modification or deletion of files, and potentially using the server as a foothold to attack other systems within the network. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection involves verifying if the Nagios XI instance is vulnerable by checking for the presence of the vulnerable endpoints and attempting to identify unauthorized or suspicious file uploads and renames. Specifically, monitoring access to the /admin/mibs.php endpoint for file uploads and /admin/coreconfigsnapshots.php for snapshot rename requests with unusual path traversal sequences (e.g., ../../../../) can indicate exploitation attempts. Commands to detect suspicious files or activity could include: 1) Searching for unexpected PHP files in the web-accessible directory: `find /usr/local/nagiosxi/html/tools/ -name '*.php'` 2) Checking web server logs for requests to the vulnerable endpoints with suspicious parameters: `grep '/admin/mibs.php' /var/log/apache2/access.log` and `grep '/admin/coreconfigsnapshots.php' /var/log/apache2/access.log` 3) Monitoring for unusual rename operations involving directory traversal sequences in parameters. These steps require authenticated access to logs and file system. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Restricting access to the vulnerable endpoints (/admin/mibs.php and /admin/coreconfigsnapshots.php) to trusted users only. 2) Applying the vendor-provided patch or upgrading Nagios XI to version 2024R1.3.2 or later where the vulnerability is fixed. 3) Implementing strict validation and sanitization of file uploads to disallow PHP or other executable files. 4) Monitoring and auditing file uploads and rename operations for suspicious activity. 5) If patching is not immediately possible, consider disabling the MIB upload and snapshot rename features temporarily to prevent exploitation. [1]

Useful 0 Not Useful 0