Vulnerability Details : CVE-2019-15949
Public exploit exists!
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
Products affected by CVE-2019-15949
- cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*
CVE-2019-15949 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Nagios XI Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Nagios XI contains a remote code execution vulnerability in which a user can modify the check_plugin executable and insert malicious commands to execute as root.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2019-15949
Added on: 2021-11-03
Action due date: 2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2019-15949
EPSS score: 87.19% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~99% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2019-15949
- Nagios XI Scanner
  First seen: 2021-03-26
  Module: auxiliary/scanner/http/nagios_xi_scanner
  The module detects the version of Nagios XI applications and suggests matching exploit modules based on the version number. Since Nagios XI applications only reveal the version to authenticated users, valid credentials for a Nagios XI account are required. Al
- Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution
  Disclosure Date: 2019-07-29
  First seen: 2021-04-14
  Module: exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce
  This module exploits a vulnerability in the getprofile.sh script of Nagios XI prior to 5.6.6 in order to upload a malicious check_ping plugin and thereby execute arbitrary commands. For Nagios XI 5.2.0-5.4.13, the commands are run as the nagios user.
- Nagios XI Authenticated Remote Command Execution
  Disclosure Date: 2019-07-29
  First seen: 2020-04-26
  Module: exploit/linux/http/nagios_xi_authenticated_rce
  This module exploits a vulnerability in Nagios XI before 5.6.6 in order to execute arbitrary commands as root. The module uploads a malicious plugin to the Nagios XI server and then executes this plugin by issui
CVSS scores for CVE-2019-15949
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-04
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2019-15949
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
  Assigned by:
  - 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2019-15949
- http://packetstormsecurity.com/files/162158/Nagios-XI-getprofile.sh-Remote-Command-Execution.html
  Nagios XI getprofile.sh Remote Command Execution (Packet Storm) [Exploit; Third Party Advisory; VDB Entry]
- https://github.com/jakgibb/nagiosxi-root-rce-exploit
  GitHub - jakgibb/nagiosxi-root-rce-exploit: POC which exploits a vulnerability within Nagios XI (5.6.5) to spawn a root shell [Exploit; Third Party Advisory]
- http://packetstormsecurity.com/files/156676/Nagios-XI-Authenticated-Remote-Command-Execution.html
  Nagios XI Authenticated Remote Command Execution (Packet Storm) [Exploit; Third Party Advisory; VDB Entry]