Hi,
Referring to this.
https://thehackernews.com/2021/09/new-n ... d-let.html
We have 7 Nagios Ent servers running on RHEL 6 & 7
3 are running 5.7.5 on RHEL 6.x
1 is running 5.6.14 on CentOS 6.x
3 are running 5.8.5 on RHEL 7.4
We already have plans to upgrade the OS and Nagios version on the 4 pre-5.8.5 Nagios servers by the end of next month.
However, we have to apply a temporary workaround now to address all the vulnerabilities listed.
Please advise how to go about this. We don't use any of the widgets or Dockers mentioned
Thanks.
Security vulnerability on Nagios xi pre 5.8.5
-
- Posts: 1018
- Joined: Sun Mar 30, 2014 10:49 pm
5 x Nagios 5.6.9 Enterprise Edition
RHEL 6 & 7
rrdcached & ramdisk optimisation
-
- Posts: 1288
- Joined: Tue Jun 01, 2021 1:27 pm
Re: Security vulnerability on Nagios xi pre 5.8.5
Hello @rajasegar
Thanks for reaching out, sounds like you currently have a workaround and will be applying an upgrade to your environment shortly. To be fully protected against security threats please make sure that your environment is on the latest version with patches. Please see the following:
https://www.nagios.com/products/security/
https://www.nagios.com/security-faq/
If you are sure you are not using Config Wizards you can move them so they are not accessible for added protection:
Code: Select all
mkdir /root/xi_configwizard_backup
mv /usr/local/nagiosxi/html/includes/configwizards/autodiscovery /root/xi_configwizard_backup/
mv /usr/local/nagiosxi/html/includes/configwizards/watchguard /root/xi_configwizard_backup/
mv /usr/local/nagiosxi/html/includes/configwizards/switch /root/xi_configwizard_backup/
Please let us know if you have further questions,
Perry
-
- Posts: 1018
- Joined: Sun Mar 30, 2014 10:49 pm
Re: Security vulnerability on Nagios xi pre 5.8.5
Thanks, 2 questions.
<quote>CVE-2021-37350 Nagios xi before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitization. </quote>
Is there a way to manually disable Bulk Modifications tools? Rename the php or whatever.
<quote>CVE-2021-37347 Nagios xi before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument. </quote>
Can I copy the getprofile.sh from 5.8.5 and replace the file in earlier version?
Thanks
5 x Nagios 5.6.9 Enterprise Edition
RHEL 6 & 7
rrdcached & ramdisk optimisation
-
- Posts: 1288
- Joined: Tue Jun 01, 2021 1:27 pm
Re: Security vulnerability on Nagios xi pre 5.8.5
Hello @rajasegar
Thanks for following up on these security vulnerabilities. The bulkmodifications are located here and can be temporarily moved:
Code: Select all
mv /usr/local/nagiosxi/html/includes/components/bulkmodifications /somewhere/for/backup
And secondly, you are correct that you can go ahead and grab an earlier version of the 'getprofile.sh' and replace it. The script will fail on any strings and arguments that it does not match but should not cause any issues since the only time it is used is to send the System Profile to support.
Please consider upgrading to the latest Nagios xi version since there are other vulnerabilities fixed as well.
Thanks,
Perry
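The two workarounds Perry gives in this thread (moving the config wizard directories and the bulkmodifications component out of the XI web root) as one repeatable script. This is an added example, not the thread's own commands and not a Nagios-supplied tool: the component paths are the ones quoted in the thread, while the backup location /root/xi_security_workaround, the manifest file and the demo() scratch tree are assumptions of this example. It records what it moved so the directories can be put back, and verify_disabled() fails if any of them is still under the web root.

```shell
#!/bin/sh
# Added example, not from the thread or from Nagios: take the workaround given
# in the thread (mv the directories out of the web root) and make it repeatable,
# with a manifest so the directories can be put back. The component paths come
# from the thread; XI_HTML, BACKUP and MANIFEST are assumptions that default to
# the thread's locations and can be overridden (demo() points them at a scratch tree).

XI_HTML="${XI_HTML:-/usr/local/nagiosxi/html}"
BACKUP="${BACKUP:-/root/xi_security_workaround}"
MANIFEST="$BACKUP/manifest"

# Directories under the XI web root named in the thread (one per line, no spaces).
COMPONENTS="includes/configwizards/autodiscovery
includes/configwizards/watchguard
includes/configwizards/switch
includes/components/bulkmodifications"

# Move one component out of the web root and record it in the manifest.
disable_component() {
    rel="$1"
    src="$XI_HTML/$rel"
    dst="$BACKUP/$rel"
    if [ ! -d "$src" ]; then
        echo "skip: $rel not present (already moved or not installed)"
        return 0
    fi
    mkdir -p "$(dirname "$dst")"
    mv "$src" "$dst"            # mv keeps owner and mode, so restore is clean
    echo "$rel" >> "$MANIFEST"
    echo "moved: $rel -> $dst"
}

disable_all() {
    mkdir -p "$BACKUP" && chmod 700 "$BACKUP"   # only root should read the copies
    for rel in $COMPONENTS; do
        disable_component "$rel"
    done
}

# Return 1 if any listed path is still present under the web root.
verify_disabled() {
    rc=0
    for rel in $COMPONENTS; do
        if [ -e "$XI_HTML/$rel" ]; then
            echo "STILL PRESENT: $XI_HTML/$rel" >&2
            rc=1
        fi
    done
    return $rc
}

# Put back everything the manifest says was moved (rollback, or before the upgrade).
restore_all() {
    [ -f "$MANIFEST" ] || { echo "nothing to restore"; return 0; }
    while IFS= read -r rel; do
        [ -d "$BACKUP/$rel" ] || continue
        mkdir -p "$(dirname "$XI_HTML/$rel")"
        mv "$BACKUP/$rel" "$XI_HTML/$rel"
        echo "restored: $rel"
    done < "$MANIFEST"
    rm -f "$MANIFEST"
}

# Dry run against a constructed scratch web root, so the script can be tried
# without touching a real XI install. Returns 0 only if disable, verify and
# restore all behave as expected.
demo() {
    tmp="$(mktemp -d)" || return 1
    XI_HTML="$tmp/html"; BACKUP="$tmp/backup"; MANIFEST="$BACKUP/manifest"
    for rel in $COMPONENTS; do
        mkdir -p "$XI_HTML/$rel"
        echo '<?php /* constructed placeholder */' > "$XI_HTML/$rel/index.php"
    done
    disable_all
    verify_disabled || return 1
    [ -f "$BACKUP/includes/components/bulkmodifications/index.php" ] || return 1
    restore_all
    [ -f "$XI_HTML/includes/configwizards/switch/index.php" ] || return 1
    rm -rf "$tmp"
    echo "demo ok"
}

case "${1:-}" in
    demo)    demo ;;
    disable) disable_all && verify_disabled ;;
    restore) restore_all ;;
esac
```

Run it as `sh xi_workaround.sh demo` first to see the whole cycle on a scratch tree, then as root on the XI host with `disable`; `restore` reverses it from the manifest. The script only checks the filesystem, so after disabling, confirm separately (browser or curl) that the wizard and bulk-modification pages no longer load, and note that an XI upgrade will reinstall these directories, which is the intended end state.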
-
- Posts: 1018
- Joined: Sun Mar 30, 2014 10:49 pm
Re: Security vulnerability on Nagios xi pre 5.8.5
Thanks for the input. Please close this thread.
5 x Nagios 5.6.9 Enterprise Edition
RHEL 6 & 7
rrdcached & ramdisk optimisation