CVE-2021-25296
Published: 15 February 2021
Summary
CVE-2021-25296 is a high-severity vulnerability in Nagios XI for which this record lists no CWE; the analysis below describes it as OS command injection. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
Nagios XI version xi-5.7.5 is affected by an OS command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. The flaw arises from improper sanitization of input supplied by authenticated users in a single HTTP request, allowing arbitrary operating system commands to be executed on the Nagios XI server.
Authenticated attackers with network access can exploit the issue without user interaction to achieve remote code execution, resulting in complete loss of confidentiality, integrity, and availability on the affected server.
Public proof-of-concept code for remote code execution against this version has been released on PacketStorm Security, and additional technical details are hosted in a GitHub repository documenting Nagios XI bugs. Nagios references its versions page and main site for obtaining updated releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-12196
Vulnerability details
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
- CWE(s): none listed
- KEV Date Added: 18 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of all user-supplied input before it is used in OS commands, blocking the injection vector in windowswmi.inc.php.
- AC-6 (Least Privilege): Limits privileges of the web-server/Nagios process so that even a successful command injection yields only minimal OS access rather than full server compromise.
- Patching: Mandates prompt application of vendor patches that eliminate the unsanitized input path in the Windows WMI configuration wizard.
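As an added illustration of the SI-10 control above, the following hypothetical PHP (written for this record, not Nagios XI's own code; the plugin path, parameter names and validation rules are assumptions) shows the unsafe command-building pattern beside a hardened one that validates and quotes wizard input before it reaches a shell:

```php
<?php
// Hypothetical illustration, not Nagios XI code: a config-wizard handler that
// builds an OS command line from authenticated user input (host, user).

// Unsafe pattern: the values are interpolated straight into a shell string, so
// any shell metacharacters in the request become part of the command.
function build_wmi_check_unsafe(string $host, string $user): string
{
    // Plugin path is an assumption for the example.
    return "/usr/local/nagios/libexec/check_wmi_example.pl -H $host -u $user";
}

// Hardened pattern (SI-10): accept only an IPv4 literal or an RFC 1123 hostname,
// then quote every argument with escapeshellarg() so the shell never parses it.
function validate_host(string $host): string
{
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (preg_match("/^(?=.{1,253}\$)(?:{$label}\\.)*{$label}\$/i", $host)) {
        return $host;
    }
    throw new InvalidArgumentException('host is not a valid hostname or IPv4 address');
}

function build_wmi_check_safe(string $host, string $user): string
{
    $host = validate_host($host);
    return '/usr/local/nagios/libexec/check_wmi_example.pl -H ' . escapeshellarg($host)
         . ' -u ' . escapeshellarg($user);
}

// Constructed sample input: a host value carrying a shell metacharacter.
$tainted = 'example.test; true';
echo build_wmi_check_unsafe($tainted, 'monitor'), PHP_EOL;    // ";" is left for the shell
try {
    echo build_wmi_check_safe($tainted, 'monitor'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;            // validation blocks it
}
// A legitimate value with an awkward character is still passed through, quoted.
echo build_wmi_check_safe('dc01.example.test', "o'brien"), PHP_EOL;
```

Neither function executes anything; the point is that the hardened builder rejects or quotes input before any exec()-style call would see it.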