
Nagios patches three vulnerabilities in Xi web app

The quotations of stock market are seen on screens at the Stock Exchange in Amman, Jordan, on Nov. 14, 2005. (Photo by Marco Di Lauro/Getty Images)

Nagios patched three vulnerabilities in Nagios Xi, a popular front end to the free network and systems monitoring tool Nagios Core.

According to Nagios' website, Xi customers include Verizon and the Amman (Jordan) Stock Exchange.

The vulnerabilities, discovered by the Synopsys Cybersecurity Research Center (CyRC), are all post-authentication issues in the web application — a SQL injection (CVE-2021-33177), a path traversal vulnerability in the NagVis reporting system (CVE-2021-33178) and a cross-site scripting flaw in the core config manager (CVE-2021-33179).

Scott Tolley, the security engineer at Synopsys who did the research, said the idea to investigate Nagios Xi came to him when it was mentioned on the Hacker Public Radio podcast. The positioning of the software on networks and a spate of recent attacks on IT management products like Kaseya and SolarWinds piqued his interest.

"There's quite a lot of activity in [IT management software] right now," said Tolley. "And it makes sense. By definition, the software is going to have a privileged role on the network so if you get into it or anywhere near it's a great way to pivot for any attacker to go on to the rest of the system."

Synopsys only tested the web application for vulnerabilities.

The SQL injection vulnerability affects versions prior to 5.8.4, the XSS issue affects versions before 5.8.5 and the path traversal bug affects versions prior to the current distribution when the NagVis app is installed.

Mitigation, according to Synopsys, is to upgrade Xi and NagVis.

Tolley expects to see more attacks and efforts to harden network management software in the future.

"It's an interesting, juicy target for attackers and, of course, for security researchers as well," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
