CVE-2019-15949
Published: 05 September 2019
Summary
CVE-2019-15949 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios XI. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).
Deeper analysis
Nagios XI versions prior to 5.6.6 contain an OS command injection vulnerability (CWE-78) that permits remote command execution as root. The flaw centers on the getprofile.sh script, which is invoked when an authenticated user requests a system profile download via profile.php?cmd=download. This script is executed with root privileges through a passwordless sudo entry and in turn runs the check_plugin binary, which is writable by the nagios user.
An attacker who can log in as the nagios user on the underlying server, or who obtains administrative access through the Nagios XI web interface and holds plugin-modification rights, can replace check_plugin with a malicious executable. When the profile download action is triggered, the injected commands execute with root privileges, yielding full system control. The vulnerability carries a CVSS 3.1 score of 8.8.
Public exploit code for this issue has been released on Packet Storm and GitHub, confirming that working proof-of-concept attacks exist against unpatched installations. No official vendor advisory text is referenced in the supplied sources; the only indicated remediation is upgrading to Nagios XI 5.6.6 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-6850
Vulnerability details
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Enforcing least privilege would eliminate the passwordless sudo entry that lets getprofile.sh run the nagios-writable check_plugin as root.
- CM-5 (Access Restrictions for Change): Access restrictions on change would block the nagios user (or web admin) from replacing the check_plugin executable with malicious code.
- Integrity verification of check_plugin would detect unauthorized modification before the profile-download action triggers root-level execution.
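The last two controls can be checked mechanically on a host. The script below is an added example written for this page, not code from Nagios or from NIST: it finds NOPASSWD sudoers entries granted to unprivileged accounts (the passwordless entry the vulnerability depends on) and verifies that the binary such a root-level script executes is not owned by or writable by an untrusted account and still matches a recorded SHA-256 baseline. The sudoers lines, the /opt/example path and the plugin contents are constructed sample data; the real Nagios XI file locations are not given on this page, and the `demo` function only exercises the checks on temporary files.

```python
"""Defensive audit for the CVE-2019-15949 pattern: a passwordless sudo entry
runs a script as root, and that script executes a binary an unprivileged
user can modify. Added example; paths and sudoers lines are constructed."""

import hashlib
import os
import stat
import tempfile


def parse_nopasswd_entries(sudoers_text):
    """Return (user, executable_path) pairs for every NOPASSWD command.

    Comments (and #include directives) are ignored; the first token of each
    comma-separated command is taken as the executable path.
    """
    entries = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "NOPASSWD:" not in line:
            continue
        user = line.split()[0]
        cmds = line.split("NOPASSWD:", 1)[1]
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append((user, cmd.split()[0]))
    return entries


def risky_nopasswd(sudoers_text, untrusted_users):
    """NOPASSWD entries that hand root-level commands to untrusted accounts."""
    return [(u, c) for u, c in parse_nopasswd_entries(sudoers_text)
            if u in untrusted_users]


def audit_executable(path, expected_sha256, untrusted_uids):
    """Findings for a binary that a root-level script will execute.

    Flags ownership by an untrusted uid, group/world write permission, and a
    content hash that differs from the recorded baseline.
    """
    findings = []
    st = os.stat(path)
    if st.st_uid in untrusted_uids:
        findings.append("owned-by-untrusted-user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if digest != expected_sha256:
        findings.append("hash-mismatch")
    return findings


# Constructed sample; not a real Nagios XI sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    requiretty
root    ALL=(ALL)       ALL
nagios  ALL=(ALL)       NOPASSWD: /opt/example/scripts/getprofile.sh
"""


def demo():
    """Run the checks on temporary files: a sane baseline first, then the
    same plugin after it is made group-writable and its contents changed."""
    results = {}
    original = b"#!/bin/sh\necho OK\n"
    baseline = hashlib.sha256(original).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        plugin = os.path.join(tmp, "check_plugin")  # constructed path
        with open(plugin, "wb") as fh:
            fh.write(original)
        os.chmod(plugin, 0o755)
        # Owner is the current user, which we treat as trusted here.
        results["baseline"] = audit_executable(plugin, baseline, set())
        # Simulate the weak state: writable by the service group and modified.
        os.chmod(plugin, 0o775)
        with open(plugin, "ab") as fh:
            fh.write(b"# tampered\n")
        results["tampered"] = audit_executable(plugin, baseline, {os.getuid()})
    results["nopasswd"] = risky_nopasswd(SAMPLE_SUDOERS, {"nagios"})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On a real host the baseline hash would be recorded from a known-good package install and the untrusted set would contain the service account's uid; any non-empty finding list is a reason to stop the profile-download path until the binary is restored.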