Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
Published 2019-09-05 17:15:12
Updated 2021-04-15 21:16:29
Source MITRE
View at NVD,   CVE.org

CVE-2019-15949 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
Nagios XI Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Nagios XI contains a remote code execution vulnerability in which a user can modify the check_plugin executable and insert malicious commands to execute as root.
Added on 2021-11-03 Action due date 2022-05-03

Exploit prediction scoring system (EPSS) score for CVE-2019-15949

41.12%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2019-15949

  • Nagios XI Scanner
    First seen: 2021-03-26
    auxiliary/scanner/http/nagios_xi_scanner
    The module detects the version of Nagios XI applications and suggests matching exploit modules based on the version number. Since Nagios XI applications only reveal the version to authenticated users, valid credentials for a Nagios XI account are required. Al
  • Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution
    Disclosure Date: 2019-07-29
    First seen: 2021-04-14
    exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce
    This module exploits a vulnerability in the getprofile.sh script of Nagios XI prior to 5.6.6 in order to upload a malicious check_ping plugin and thereby execute arbitrary commands. For Nagios XI 5.2.0-5.4.13, the commands are run as the nagios user.
  • Nagios XI Authenticated Remote Command Execution
    Disclosure Date: 2019-07-29
    First seen: 2020-04-26
    exploit/linux/http/nagios_xi_authenticated_rce
    exploit/linux/http/nagios_xi_authenticated_rce This module exploits a vulnerability in Nagios XI before 5.6.6 in order to execute arbitrary commands as root. The module uploads a malicious plugin to the Nagios XI server and then executes this plugin by issui

CVSS scores for CVE-2019-15949

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
9.0
HIGH AV:N/AC:L/Au:S/C:C/I:C/A:C
8.0
10.0
NIST
8.8
HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2.8
5.9
NIST

CWE ids for CVE-2019-15949

References for CVE-2019-15949

Products affected by CVE-2019-15949

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!