CVE-2018-15710
Published 2018-11-14
CVE-2018-15710: Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.
Priority P2 · 62 · high · 7.8 (CVSS 3.0)
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 44.09% (98.6th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | — | — |
Detection & IOCs
- Monitor for sudo execution of autodiscover_new.php with shell metacharacters (`;`, backticks, `>&`) in the --addresses argument, indicating command injection exploitation of CVE-2018-15710.
- Alert on HTTP GET requests to /nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php with a 'url' parameter containing '-o ' (curl output flag), indicating attempted webshell write via CVE-2018-15708.
- Detect creation of new .php files under /usr/local/nagvis/share/ or /var/www/html/nagiosql/ by the apache user, which are writable drop locations used by the exploit chain.
- Detect creation of .nse files in /var/tmp/ followed by sudo nmap --script execution, an alternative privilege escalation path used in the exploit.
- Monitor for outbound /dev/tcp reverse shell connections spawned by php or nmap processes running as root, consistent with successful privilege escalation.
- The privilege escalation is only possible because /etc/sudoers grants passwordless sudo to both 'nagios' and 'apache' users for autodiscover_new.php. Verify and harden sudoers entries as a detection baseline check.
- autodiscover_new.php is protected by Source Guardian obfuscation, preventing static code analysis; detection must rely on behavioral/black-box indicators rather than source-level signatures.
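The first two indicators above, written as log checks (an added example, not code from any of the sources listed on this page). The log lines are constructed, and the sudo and Apache combined log formats, the /usr/bin/php interpreter path and the PLACEHOLDER install path are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

SHELL_META = re.compile(r";|`|>&")        # metacharacters named in the first bullet
ADDRESSES = re.compile(r"--addresses[= ](.*)")
REQUEST = re.compile(r'"GET (\S+) HTTP/[\d.]+"')
MAGPIE = "/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php"

def check_sudo_line(line):
    """True if sudo ran autodiscover_new.php with metacharacters after --addresses."""
    # sudo separates its own fields with ' ; ', so inspect only the text after
    # COMMAND=, otherwise every sudo entry would match on ';'.
    _, found, command = line.partition("COMMAND=")
    if not found or "autodiscover_new.php" not in command:
        return False
    m = ADDRESSES.search(command)
    return bool(m and SHELL_META.search(m.group(1)))

def check_access_line(line):
    """True if a GET to magpie_debug.php carries '-o ' in its decoded url parameter."""
    m = REQUEST.search(line)
    if not m:
        return False
    target = urlsplit(m.group(1))
    if target.path != MAGPIE:
        return False
    # parse_qs percent-decodes and maps '+' to a space, so both '%20-o%20'
    # and '+-o+' are seen as ' -o '.
    return any("-o " in v for v in parse_qs(target.query).get("url", []))

# Constructed sample lines; PLACEHOLDER stands in for the real install path.
SUDO_LOG = [
    "Nov 14 10:00:01 xi sudo: apache : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/php /PLACEHOLDER/autodiscover_new.php --addresses=192.0.2.0/24",
    "Nov 14 10:05:09 xi sudo: apache : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/php /PLACEHOLDER/autodiscover_new.php --addresses=192.0.2.0/24;id",
]
ACCESS_LOG = [
    f'198.51.100.7 - - [14/Nov/2018:10:04:00 +0000] "GET {MAGPIE}?url=https://example.com/feed.xml HTTP/1.1" 200 512',
    f'198.51.100.7 - - [14/Nov/2018:10:04:30 +0000] "GET {MAGPIE}?url=https://example.com/%20-o%20OUTPUT_PATH HTTP/1.1" 200 512',
    f'198.51.100.7 - - [14/Nov/2018:10:04:31 +0000] "GET {MAGPIE}?url=https://example.com/+-o+OUTPUT_PATH HTTP/1.1" 200 512',
]

def scan(sudo_lines, access_lines):
    """Return (source, line) pairs for every entry that matches a rule."""
    hits = [("sudo", l) for l in sudo_lines if check_sudo_line(l)]
    return hits + [("http", l) for l in access_lines if check_access_line(l)]

if __name__ == "__main__":
    for source, line in scan(SUDO_LOG, ACCESS_LOG):
        print(source, line)
```

Matching on the decoded query value matters because the access log records the space in '-o ' as `%20` or `+`, never literally.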
CVSS provenance
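| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.5 | HIGH | |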
GHSA
GHSA-9c6w-376x-8h5p: Nagios XI 5
ghsa_unreviewed·2022-05-13
CVE-2018-15710 [HIGH] CWE-78 GHSA-9c6w-376x-8h5p: Nagios XI 5
Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.
OSV
apache2 vulnerabilities
osv·2018-04-19·CVSS 7.5
CVE-2017-15710 apache2 vulnerabilities
Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server
mod_authnz_ldap module incorrectly handled missing charset encoding
headers. A remote attacker could possibly use this issue to cause the
server to crash, resulting in a denial of service. (CVE-2017-15710)
Elar Lang discovered that the Apache HTTP Server incorrectly handled
certain characters specified in . A remote attacker could
possibly use this issue to upload certain files, contrary to expectations.
(CVE-2017-15715)
It was discovered that the Apache HTTP Server mod_session module
incorrectly handled certain headers. A remote attacker could possibly use
this issue to influence session data. (CVE-2018-1283)
Robert Swiecki discovered that the Apache HTTP Server incorrectly handled
certain req
No detection rules found.
Exploit-DB
Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)
exploitdb·2019-06-26·CVSS 9.8
CVE-2018-15710 [CRITICAL] Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "Nagios XI Magpie_debug.php Root Remote Code Execution",
'Description' => %q{
This module exploits two vulnerabilities in Nagios XI 5.5.6:
CVE-2018-15708 which allows for unauthenticated remote code execution
and CVE 2018–15710 which allows for local privilege escalation.
When combined, these two vulnerabilities give us a root reverse shell.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Lyne (@lynerc)', # First working exploit
'Guillaume André (@yaumn_)' # Metasploit module
],
'References' =>
[
['CVE', '2018-15708'],
['CVE', '2018-15710'],
['EDB'
Exploit-DB
Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation
exploitdb·2019-01-23·CVSS 9.8
CVE-2018-15710 [CRITICAL] Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation
---
# Exploit Title: Nagios XI 5.5.6 Remote Code Execution and Privilege Escalation
# Date: 2019-01-22
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: https://www.nagios.com/
# Product: Nagios XI
# Software Link: https://assets.nagios.com/downloads/nagiosxi/5/xi-5.5.6.tar.gz
# Version: From 2012r1.0 to 5.5.6
# Tested on:
# - CentOS Linux 7.5.1804 (Core) / Kernel 3.10.0 / This was a vendor-provided .OVA file
# - Nagios XI 2012r1.0, 5r1.0, and 5.5.6
# CVE: CVE-2018-15708, CVE-2018-15710
#
# See Also:
# https://www.tenable.com/security/research/tra-2018-37
# https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172
#
# This code exploits both CVE-2018-15708 and CVE-2018-15710 to pop a root re
Metasploit
Nagios XI Magpie_debug.php Root Remote Code Execution
metasploit·CVSS 9.8
CVE-2018-15708 [CRITICAL] Nagios XI Magpie_debug.php Root Remote Code Execution
This module exploits two vulnerabilities in Nagios XI <= 5.5.6: CVE-2018-15708 which allows for unauthenticated remote code execution and CVE-2018-15710 which allows for local privilege escalation. When combined, these two vulnerabilities allow execution of arbitrary commands as root.
http://packetstormsecurity.com/files/153433/Nagios-XI-Magpie_debug.php-Root-Remote-Code-Execution.html
https://www.exploit-db.com/exploits/46221/
https://www.tenable.com/security/research/tra-2018-37
Published 2018-11-14