Nagios Incident Manager < 2.2.7 incident_id SQL Injection

Summary

A SQL Injection vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows authenticated attackers to inject additional SQL statements via the incident_id parameter.

Product description (from vendor)

“Resolve network incidents, collaborate with team members, and track incident history”. For more information visit https://www.nagios.com/products/nagios-incident-manager/.

CVE(s)

Details

Root cause analysis

The Nagios XI API endpoint /nagiosxi/includes/components/nagiosim/nagiosim.php, served from the file nagiosxi/basedir/html/includes/components/nagiosim/nagiosim.php, lets Nagios XI interact with Nagios IM. The relevant code is:

<?php
    // The incident_id request parameter is read as-is (no type or format check)
    $incident_id = grab_request_var('incident_id', false);
    [...]
    // The raw value is interpolated straight into the SQL string
    $sql = "SELECT * FROM xi_incidents WHERE incident_id='{$incident_id}'";

Since incident_id is neither sanitized nor validated, an attacker can exploit the SQL injection to get hold of the information in the database in use by Nagios XI.
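To make the root cause concrete, here is an added example (not Nagios' own code) that places the vulnerable query-building pattern from the advisory next to a hardened version using a PDO prepared statement. It assumes a stand-in for Nagios XI's grab_request_var() helper and an in-memory SQLite database with a constructed xi_incidents table; the integer check on incident_id is an assumption about the column type, and the bound parameter alone is what closes the injection.

```php
<?php
// Added example, not code from Nagios XI or Nagios IM.
// Assumptions: grab_request_var() is stood in for below; $db is a PDO
// connection (here an in-memory SQLite database with constructed data).

// Stand-in for Nagios XI's grab_request_var(): read a request variable with a default.
function grab_request_var(string $name, $default = false)
{
    return $_REQUEST[$name] ?? $default;
}

// Vulnerable form (the pattern from the advisory): the raw parameter is
// interpolated into the SQL text, so a value containing a quote changes the
// statement itself rather than just the compared value.
function build_incident_query_vulnerable($incident_id): string
{
    return "SELECT * FROM xi_incidents WHERE incident_id='{$incident_id}'";
}

// Hardened form: the SQL text is fixed at prepare() time and the value travels
// as a bound parameter, so it is never parsed as SQL whatever it contains.
function fetch_incident(PDO $db, $incident_id): ?array
{
    // Assumption: incident_id is a positive integer; reject anything else early.
    $id = filter_var($incident_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM xi_incidents WHERE incident_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demonstration on constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE xi_incidents (incident_id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO xi_incidents VALUES (1, 'Router down')");

$_REQUEST['incident_id'] = "1' union select 1,2,'x";   // constructed hostile input
$incident_id = grab_request_var('incident_id', false);

// The vulnerable builder now yields a statement whose structure the client controls.
echo build_incident_query_vulnerable($incident_id), PHP_EOL;

// The hardened lookup rejects the value before it reaches the database...
var_dump(fetch_incident($db, $incident_id));   // NULL

// ...and still serves legitimate requests.
var_dump(fetch_incident($db, '1'));            // array with incident_id => 1, title => 'Router down'
```

Run with `php example.php` (requires the pdo_sqlite extension). Even without the integer check, the prepared statement alone would stop the injection; the validation only gives a cleaner failure and keeps malformed ids out of the database logs.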

Proof of concept

  1. Log in to Nagios XI
  2. Navigate to /nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=[your api token]&incident_id=1'union%20select%201,2,3,4,5,6,7,8,'x using the logged-in session
  3. Note the request succeeds.

Impact

An authenticated attacker can get hold of the information in the database in use by Nagios XI.

Remediation

Upgrade to Nagios IM 2.2.7 or later. (Note: we didn’t verify the patch.)

Disclosure timeline

This report was subject to Shielder’s disclosure policy:

  • 25/02/2019:
    • Vulnerability report is sent to vendor
    • Vendor acknowledges issue and releases Nagios IM 2.2.7
  • 10/04/2019: Shielder’s advisory is made public

Credits

`polict` of Shielder

Date

10 April 2019