Nagios XI Vulnerability: CVE-2023-40931 — SQL Injection in Banner

Syed Shujjah Abu Bakar
Feb 1, 2024


Multiple security vulnerabilities have recently been identified in Nagios XI, a widely used network monitoring product; one of them is tracked as CVE-2023-40931. This critical vulnerability, affecting Nagios XI versions 5.11.0 to 5.11.1, exposes the system to SQL injection through the banner acknowledgement endpoint.

Overview of Nagios XI

Nagios XI is an enterprise-grade monitoring and alerting solution designed to provide comprehensive insights into the health and performance of IT infrastructure. Organizations deploy Nagios XI to monitor various elements, including servers, network devices, and applications, allowing them to proactively address potential issues before they impact operations.

Vulnerability Details: CVE-2023-40931

The CVE-2023-40931 vulnerability specifically targets the Banner acknowledging endpoint in Nagios XI. When users acknowledge a banner, a POST request is sent to /nagiosxi/admin/banner_message-ajaxhelper.php with the following parameters: action=acknowledge_banner_message and id=3. The issue arises from the assumption that the 'id' parameter is trusted, even though it is received directly from the client without proper sanitization.

Exploitation Scenario

To exploit this vulnerability, an authenticated user with low or no privileges can craft a malicious payload in the form of a POST request. For instance:

POST /nagiosxi/admin/banner_message-ajaxhelper.php
Data: action=acknowledge_banner_message&id=3

This seemingly innocent request can be manipulated to inject arbitrary SQL commands into the backend database. The lack of proper input validation allows an attacker to retrieve sensitive data from the xi_session and xi_users tables, containing information such as emails, usernames, hashed passwords, API tokens, and backend tickets.

Notably, this vulnerability does not require the existence of a valid announcement banner ID, making it exploitable at any time by an attacker with the necessary authentication credentials.
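The root cause described above, shown side by side with its fix, as an added example that is not Nagios XI's own code (the post does not reproduce the real handler or schema): a hypothetical table `xi_banner_messages` with an `acknowledged` flag stands in for whatever the real endpoint updates, and SQLite stands in for MySQL. The unsafe function drops the client-supplied `id` straight into the SQL text, exactly the trust assumption the post names; the hardened function enforces the expected integer type and binds the value as a query parameter, so a non-numeric `id` is rejected before any SQL runs and a non-existent `id` simply affects zero rows.

```python
import sqlite3

# Constructed schema standing in for the banner table; this is an assumption,
# not Nagios XI's real schema.
SCHEMA = """
CREATE TABLE xi_banner_messages (
    id INTEGER PRIMARY KEY,
    message TEXT NOT NULL,
    acknowledged INTEGER NOT NULL DEFAULT 0
);
INSERT INTO xi_banner_messages (id, message) VALUES
    (1, 'Maintenance window tonight'),
    (2, 'New release available'),
    (3, 'Test banner');
"""


def fresh_db():
    """Return an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def acknowledge_unsafe(conn, raw_id):
    """The flawed pattern: the POST 'id' value is interpolated into the SQL.

    Whatever the client sends becomes part of the WHERE clause, so the
    statement's meaning is under the client's control. Returns rows affected.
    """
    cur = conn.execute(
        f"UPDATE xi_banner_messages SET acknowledged = 1 WHERE id = {raw_id}"
    )
    conn.commit()
    return cur.rowcount


def acknowledge_safe(conn, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    int() rejects anything that is not a plain integer, and the '?'
    placeholder keeps the value out of the SQL text entirely.
    """
    try:
        banner_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    cur = conn.execute(
        "UPDATE xi_banner_messages SET acknowledged = 1 WHERE id = ?",
        (banner_id,),
    )
    conn.commit()
    return cur.rowcount


def acknowledged_ids(conn):
    """List the ids currently marked acknowledged, for inspection."""
    rows = conn.execute(
        "SELECT id FROM xi_banner_messages WHERE acknowledged = 1 ORDER BY id"
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = fresh_db()
    # A benign request touches exactly the one banner named in the request.
    print("unsafe, id=3:", acknowledge_unsafe(db, "3"), acknowledged_ids(db))
    # A crafted id rewrites the WHERE clause and touches every row.
    db = fresh_db()
    print("unsafe, id='3 OR 1=1':", acknowledge_unsafe(db, "3 OR 1=1"), acknowledged_ids(db))
    # The hardened handler refuses the same input before any SQL runs.
    db = fresh_db()
    try:
        acknowledge_safe(db, "3 OR 1=1")
    except ValueError as exc:
        print("safe, id='3 OR 1=1':", exc, acknowledged_ids(db))
    # A non-existent id is harmless with the hardened handler (zero rows).
    print("safe, id=99:", acknowledge_safe(db, "99"), acknowledged_ids(db))
```

The `3 OR 1=1` input is the smallest illustration of the point: with string interpolation the database executes whatever clause the client composes, so the damage is bounded only by what the connected account may do, which is why the post's retrieval of `xi_users` and `xi_session` data follows from the same defect. The fix is not escaping the value but never letting it become SQL at all.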

Impact and Mitigation

The exploitation of CVE-2023-40931 can lead to unauthorized access and retrieval of sensitive data, posing a threat to the confidentiality and integrity of the Nagios XI system. To address this issue, Nagios Enterprises promptly released a patch with version 5.11.2 on September 11, 2023. Organizations using Nagios XI are strongly advised to update their installations to the latest version to mitigate the risks associated with this vulnerability.

Exploitation in the Wild

The real-world impact of this vulnerability is evident from an exploitation attempt on a Hack The Box machine running Nagios XI. The attacker employed a crafted payload using SQLMap, a popular tool for automating SQL injection detection and exploitation. The payload targeted the vulnerable endpoint, dumping API keys, password hashes, and usernames from the compromised system.

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&action=acknowledge_banner_message" --cookie "nagiosxi=cookie_of_an_authenticated_user" --dbms=MySQL --level=1 --risk=1 -D nagiosxi -T xi_users --dump

It is crucial to highlight that successful exploitation requires authentication, as reflected in the inclusion of a valid cookie in the payload.
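Because the attack is authenticated and the vulnerable parameter travels in a POST body, an ordinary access log will not show the injected value, but it does show the two things a tool-driven attack like the one above leaves behind: a burst of POSTs to the banner endpoint from one client (SQLMap probes the parameter many times) and, unless the operator changed it, SQLMap's default User-Agent, which begins with `sqlmap/`. The following detector is an added example, not something from the post or from Nagios; it parses Apache combined-format lines (the sample lines are constructed, and the sqlmap version string in them is made up) and raises one alert per client for each of those two signals. The 60-second window and the five-request threshold are tuning assumptions.

```python
import re
from datetime import datetime, timedelta

# The endpoint named in the post.
ENDPOINT = "/nagiosxi/admin/banner_message-ajaxhelper.php"
# Tuning assumptions: how many POSTs from one client, inside what window,
# count as a probing burst rather than a user clicking "acknowledge".
BURST_THRESHOLD = 5
WINDOW = timedelta(seconds=60)

# Apache "combined" log format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines):
    """Return (client_ip, reason) alerts for suspicious use of the banner endpoint."""
    alerts = []
    flagged_ua = set()   # clients already reported for a sqlmap User-Agent
    recent = {}          # client ip -> timestamps of its POSTs inside WINDOW
    for rec in map(parse_line, lines):
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != ENDPOINT:
            continue
        ip = rec["ip"]
        # Signal 1: the tool's default User-Agent identifies itself.
        if "sqlmap" in rec["ua"].lower() and ip not in flagged_ua:
            flagged_ua.add(ip)
            alerts.append((ip, "sqlmap User-Agent against banner endpoint"))
        # Signal 2: a burst of POSTs to the endpoint from one client.
        window = recent.setdefault(ip, [])
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > WINDOW:
            window.pop(0)
        if len(window) == BURST_THRESHOLD:   # report once, when the threshold is crossed
            alerts.append((ip, f"{BURST_THRESHOLD} POSTs to banner endpoint within {WINDOW.seconds}s"))
    return alerts


# Constructed sample log: one ordinary user acknowledging a banner, one
# unrelated page view, and a scripted client hammering the endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2024:10:00:00 +0000] "POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1" 200 44 "https://nagios.example/nagiosxi/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"',
    '10.0.0.5 - - [01/Feb/2024:10:00:02 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"',
] + [
    f'10.0.0.7 - - [01/Feb/2024:10:01:{sec:02d} +0000] "POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1" 200 44 "-" "sqlmap/1.0 (https://sqlmap.org)"'
    for sec in range(6)
]


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```

Run against the sample, the detector reports 10.0.0.7 twice (User-Agent, then burst) and never mentions 10.0.0.5. The burst rule is the one worth keeping even after patching to 5.11.2: a User-Agent is trivially changed, but a single session acknowledging the same banner dozens of times a minute is not normal use of this endpoint, whichever tool produced it.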

Conclusion

Nagios XI's CVE-2023-40931 underscores the importance of promptly addressing security vulnerabilities in critical systems. The responsible disclosure and subsequent patch release demonstrate the collaborative efforts between security researchers and software vendors to secure IT environments. Organizations must remain vigilant, keeping their software up-to-date and adopting best practices to defend against potential threats.

Source of Exploit

The detailed exploit for CVE-2023-40931 in Nagios XI was derived from the write-up titled "Monitored - Hack The Box" by Nikoloz Chitashvili. The original exploit walkthrough and crafted payload using SQLMap can be found in the following article: Monitored - Hack The Box.

For additional context, the corresponding Hack The Box machine "Monitored" can be accessed here: Hack The Box - Monitored.
