Nagios Command Injection Flaw in RSS Feed Reader Component Lets Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID: 1037488
SecurityTracker URL: http://securitytracker.com/id/1037488
Date: Dec 17 2016
Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available: Yes; Vendor Confirmed: Yes; Exploit Included: Yes
Version(s): prior to 4.2.2
A vulnerability was reported in Nagios. A remote user can execute arbitrary code on the target system.
A remote user who can impersonate the RSS feed server can return specially crafted data that exploits an input validation flaw in the RSS feed reader component and injects parameters into the curl command executed by that component. As a result, the remote user can write files to the target system and cause those files to be executed by the target Nagios service.
The original advisory and a demonstration exploit are available at:
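The flaw described above is a classic case of an untrusted value (here, data returned by a feed server) being spliced into a command line for curl, combined with a fetch over clear-text HTTP or over HTTPS without certificate verification. The following is an added illustration of the defensive pattern, written for this entry and not taken from Nagios Core or from the advisory: the feed-supplied value is validated as a URL, refused if curl could read it as an option, placed after a literal `--` so it can only be an operand, restricted to HTTPS with curl's certificate checks left on, and limited to an allowlisted host. The function and class names, the allowlist contents and the sample inputs are constructed for the demonstration; the feed path is hypothetical.

```python
"""Hardened construction of a curl invocation from a feed-supplied URL.

Illustrative example written for this advisory; it is not Nagios Core code.
The names (build_curl_argv, is_safe_feed_url, fetch_with_curl,
ALLOWED_FEED_HOSTS) and the sample inputs are constructed for the demo.
"""
import subprocess
from urllib.parse import urlsplit

# Constructed allowlist: the only host a news-feed reader of this kind
# should ever contact. The host name is the vendor site named on the page;
# treating it as the sole allowed host is an assumption of this example.
ALLOWED_FEED_HOSTS = frozenset({"www.nagios.org"})


class UnsafeFeedURL(ValueError):
    """Raised when a feed-supplied value must not reach the curl command line."""


def build_curl_argv(feed_value: str, allowed_hosts=ALLOWED_FEED_HOSTS) -> list:
    """Turn an untrusted string taken from a feed into a curl argv list.

    Addresses the two weaknesses the advisory describes:
      * option injection: any value curl could parse as a flag is refused,
        and the URL is placed after a literal '--' so curl treats it as an
        operand even if some earlier check were bypassed;
      * impersonation: only https with full certificate verification is
        used (no -k/--insecure), and the host must be on the allowlist.
    """
    if not isinstance(feed_value, str) or not feed_value:
        raise UnsafeFeedURL("empty feed value")
    value = feed_value.strip()
    # Anything starting with '-' would be read by curl as an option, not a URL.
    if value.startswith("-"):
        raise UnsafeFeedURL("feed value looks like a command-line option")
    # Whitespace and control characters have no place in a URL operand.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        raise UnsafeFeedURL("feed value contains whitespace or control characters")
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise UnsafeFeedURL("only https feed URLs are accepted")
    if not parts.hostname or parts.hostname not in allowed_hosts:
        raise UnsafeFeedURL("feed host is not on the allowlist")
    if parts.username or parts.password:
        raise UnsafeFeedURL("credentials in feed URLs are not accepted")
    return [
        "curl",
        "--silent",
        "--show-error",
        "--fail",             # non-2xx responses become errors instead of data
        "--proto", "=https",  # refuse any scheme other than https, redirects included
        "--max-time", "10",
        "--max-filesize", "1048576",
        "--",                 # everything after this is an operand, never an option
        value,
    ]


def is_safe_feed_url(feed_value: str) -> bool:
    """Boolean wrapper around build_curl_argv for callers that only need a verdict."""
    try:
        build_curl_argv(feed_value)
    except UnsafeFeedURL:
        return False
    return True


def fetch_with_curl(feed_value: str) -> bytes:
    """Run the validated command with no shell; curl's certificate checks stay on."""
    argv = build_curl_argv(feed_value)
    result = subprocess.run(argv, capture_output=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: one acceptable value and three that must be refused.
    for sample in (
        "https://www.nagios.org/rss/feed.xml",   # hypothetical feed path
        "http://www.nagios.org/rss/feed.xml",    # clear-text: refused
        "-some-option",                          # option-like: refused
        "https://evil.example/feed.xml",         # host not allowlisted: refused
    ):
        try:
            print("OK      ", build_curl_argv(sample))
        except UnsafeFeedURL as exc:
            print("REJECTED", repr(sample), "->", exc)
```

The key design points: the command is passed to `subprocess.run` as an argv list, so no shell ever interprets the feed data; the `--` separator makes curl treat the final argument as an operand regardless of its content; and certificate verification is never disabled, which is what makes impersonation of the feed server (the precondition the advisory names) fail at the TLS layer rather than at the application layer.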
Dawid Golunski (@dawid_golunski) reported this vulnerability.
A remote user can write files to and execute arbitrary code on the target system.
The vendor has issued a fix (4.2.2) [in October 2016].
The vendor advisory is available at:
Vendor URL: www.nagios.org/projects/nagios-core/history/4x/
Input validation error
Underlying OS: Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Thu, 15 Dec 2016 07:15:26 -0200
Subject: Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code Execution [CVE-2016-9565]
Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code Execution
Discovered by: Dawid Golunski (@dawid_golunski)
Nagios Core comes with a PHP/CGI front-end which allows viewing the status
of the monitored hosts.
This front-end contained a Command Injection vulnerability in an RSS feed reader
class that loads (via insecure clear-text HTTP or HTTPS accepting self-signed
certificates) the latest Nagios news from a remote RSS feed (located on the
vendor's server on the Internet) upon log-in to the Nagios front-end.
The vulnerability could potentially enable remote unauthenticated attackers who
managed to impersonate the feed server (via DNS poisoning, domain hijacking,
ARP spoofing etc.), to provide a malicious response that injects parameters into the
curl command used by the affected RSS client class and effectively
read/write arbitrary files on the vulnerable Nagios server.
This could lead to Remote Code Execution in the context of www-data/nagios user
on default Nagios installs that follow the official setup guidelines.
The full advisory and a PoC exploit can be found at:
Attackers who have successfully exploited this vulnerability and achieved code
execution with 'nagios' group privileges could escalate their
privileges to the root
system account via another Nagios vulnerability (CVE-2016-9566) described at:
For updates, follow: