Nagios Incident Manager < 2.2.7 Void Token Authorization Bypass

Summary

An Authorization Bypass vulnerability in Nagios Incident Manager (a component of Nagios XI) before 2.2.7 allows authenticated users to bypass the API token check by supplying an empty ("void") token.

Product Description (from vendor)

“Resolve network incidents, collaborate with team members, and track incident history”. For more information visit https://www.nagios.com/products/nagios-incident-manager/.

CVE(s)

Details

Root Cause Analysis

The Nagios XI endpoint /nagiosxi/includes/components/nagiosim/nagiosim.php (served from nagiosxi/basedir/html/includes/components/nagiosim/nagiosim.php) lets Nagios XI interact with Nagios IM. Its token check looks like this:

<?php
[1] $token = grab_request_var('token', 'badtoken');      // token from the HTTP request; 'badtoken' only if the parameter is absent
    [...]
[2] $xitoken = grab_array_var($settings, 'api_key', ''); // API key stored in the settings; '' if none was ever registered
    [...]
[3] if ($token == $xitoken) {                            // loose equality, no check that a key is configured at all
        handle_incident_update();
    } else {
        $msg = "Nagios IM Component - Unauthorized action. Bad Token.\n";
        send_to_audit_log($msg, AUDITLOGTYPE_SECURITY);
        die($msg);
    }

At [1] the token is read from the HTTP request, at [2] the registered API key is read from the settings (stored in the database), and at [3] the two are compared for equality. The check does not take into account that by default no api_key is registered, so $xitoken is the empty string. A request that includes the token parameter but leaves it empty (token=) does not fall back to the 'badtoken' default at [1]; $token is also the empty string, the comparison at [3] succeeds, and handle_incident_update() runs. A request that omits the token entirely is still rejected, because 'badtoken' does not equal ''.

An authenticated attacker can update arbitrary network incidents without the proper authorization.
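To make the failure mode concrete, the following is an added, self-contained PHP script (not Nagios code) that reduces the check above to two functions and runs both against constructed request and settings arrays. grab_request_var() is a hypothetical stand-in for the Nagios helper, written on the assumption that it returns the default only when the parameter is absent, which is what makes token= and a missing token behave differently. The hardened variant refuses to authorize anything while no API key is configured, requires the token to be a non-empty string (the array case goes beyond the advisory and illustrates why the type check matters), and compares with hash_equals() instead of ==.

```php
<?php
// Added example, not from the advisory or from Nagios: the vulnerable token
// check reduced to a function, next to a hardened version of the same check.

// Assumption: mirrors the Nagios helper's behaviour. The default is returned
// only when the parameter is absent, so "?token=" yields '' and not 'badtoken'.
function grab_request_var(array $request, string $name, $default)
{
    return array_key_exists($name, $request) ? $request[$name] : $default;
}

// Vulnerable check, as in nagiosim.php before 2.2.7: with no api_key registered
// $xitoken is '' and an empty token compares equal to it.
function token_is_valid_vulnerable(array $request, array $settings): bool
{
    $token   = grab_request_var($request, 'token', 'badtoken');
    $xitoken = $settings['api_key'] ?? '';
    return $token == $xitoken;
}

// Hardened check: no configured key means nothing can be authorized, the token
// must be a non-empty string, and the comparison is constant-time.
function token_is_valid_hardened(array $request, array $settings): bool
{
    $xitoken = $settings['api_key'] ?? '';
    if (!is_string($xitoken) || $xitoken === '') {
        return false; // no API key registered: deny, do not compare against ''
    }
    $token = grab_request_var($request, 'token', null);
    if (!is_string($token) || $token === '') {
        return false; // absent, empty, or non-string (e.g. token[]=x) token
    }
    return hash_equals($xitoken, $token);
}

// Constructed inputs: [request parameters, stored settings].
$cases = [
    'no api_key, token='        => [['token' => ''],    []],
    'no api_key, token absent'  => [[],                 []],
    'key set, token='           => [['token' => ''],    ['api_key' => 'k3y']],
    'key set, correct token'    => [['token' => 'k3y'], ['api_key' => 'k3y']],
    'key set, array token'      => [['token' => ['x']], ['api_key' => 'k3y']],
];

foreach ($cases as $label => [$request, $settings]) {
    printf(
        "%-26s vulnerable=%-4s hardened=%s\n",
        $label,
        token_is_valid_vulnerable($request, $settings) ? 'PASS' : 'deny',
        token_is_valid_hardened($request, $settings) ? 'PASS' : 'deny'
    );
}
```

Only the first case differs between the two functions: the vulnerable check authorizes the empty token against an unset key, while the hardened check denies it because no key is configured. The remaining cases show that omitting the token was never enough to pass, and that a properly configured key is still accepted by both.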

Proof of Concept

  1. Log in to Nagios XI
  2. Using the logged-in session, navigate to [host]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=&incident_id=1337
  3. Note that the response is an error because incident_id 1337 does not exist, not the "Unauthorized action. Bad Token." message: the empty token passed the authorization check and the request reached handle_incident_update().

Impact

An authenticated attacker can bypass the authorization checks and perform arbitrary actions on any network incident.

Remediation

Upgrade to Nagios IM 2.2.7 or later. (Note: we didn’t verify the patch.)

Disclosure Timeline

This report was subject to Shielder’s disclosure policy:

  • 25/02/2019:
    • Vulnerability report is sent to vendor
    • Vendor acknowledges issue and releases Nagios IM 2.2.7
  • 10/04/2019: Shielder’s advisory is made public

Credits

`polict` of Shielder

This advisory was first published on https://www.shielder.com/advisories/nagiosim-void-token-authorization-bypass/

Date

10 April 2019