CVE-2021-37343
Published 2021-08-13
Priority: P2 · 68 · high
CVSS 3.1: 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 23.82% (97.5th percentile)
A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | < 5.8.5 | 5.8.5 |
Detection & IOCs (extracted from sources)
- URL: /nagiosxi/includes/components/autodiscovery/?mode=newjob
- Bytes: job=|2e 2e 2f|
- Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI Post-Auth Path Traversal (CVE-2021-37343)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nagiosxi/includes/components/autodiscovery/?mode=newjob"; fast_pattern; http.request_body; content:"job=|2e 2e 2f|"; reference:url,claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/; reference:cve,2021-37343; classtype:attempted-admin; sid:2034017; rev:2; metadata:affected_product Nagios, created_at 2021_09_23, cve CVE_2021_37343, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
- Look for POST requests to the AutoDiscovery endpoint with a path traversal sequence (URL-encoded `../`) in the `job` body parameter, indicating exploitation of the newjob mode.
- The exploit creates an autodiscovery job where the `id` field contains a path traversal to a writable and remotely accessible directory, and the `custom_ports` field contains the PHP web shell payload.
- A cron file is created on disk at the attacker-controlled path with the web shell embedded; monitor for unexpected PHP files written to web-accessible directories by the Nagios process.
- Post-exploitation execution context is `www-data`; alert on unexpected outbound connections or shell spawns from the web server process after a successful upload.
- Use the Nagios XI Scanner module to fingerprint the installed version; versions below 5.8.5 are vulnerable and should be prioritised for patching or network-level blocking.
- Exploitation requires prior authentication as an administrator; unauthenticated access alone is insufficient to trigger the path traversal.
- The Snort/ET rule (sid:2034017) targets inbound traffic to $HOME_NET/$HTTP_SERVERS; ensure these variables are correctly scoped to cover Nagios XI hosts, otherwise the rule will not fire.
- The Metasploit module deletes the web shell and removes the autodiscovery job after use by default, which may limit forensic artefacts available post-compromise.
- Version detection via the scanner module requires valid Nagios XI credentials; without them, the version must be supplied manually via the `VERSION` option, reducing automation accuracy.
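The following is an added example, not code from this page, from Emerging Threats or from the Nagios project. It shows how the ET rule's match conditions (POST, the AutoDiscovery `?mode=newjob` URI, and `job=` followed by `../` in the request body) can be re-expressed as a log-side check over HTTP request records, for example from a reverse proxy or WAF that logs request bodies. The record layout (`method`, `uri`, `body` keys) and the sample records are constructed assumptions for the demonstration.

```python
"""Log-side check mirroring ET/Snort sid:2034017 for CVE-2021-37343.

Added example, not from the page or any vendor. Flags POST requests to the
Nagios XI AutoDiscovery 'newjob' endpoint whose 'job' body parameter carries
a '../' traversal sequence. Unlike the Snort content match on the literal
bytes |2e 2e 2f|, the body is URL-decoded (twice) before matching, so
percent-encoded and double-encoded variants are caught as well.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Path and query taken from the rule's http.uri content match.
AUTODISCOVERY_PATH = "/nagiosxi/includes/components/autodiscovery/"
NEWJOB_MODE = "newjob"
TRAVERSAL = "../"


def decode_body_params(body: str) -> dict:
    """Parse a form-urlencoded body into {name: [values]}.

    parse_qs already percent-decodes once; unquote() decodes a second time so
    that double-encoded sequences such as '..%252F' are normalised to '../'.
    """
    params = parse_qs(body, keep_blank_values=True)
    return {name: [unquote(v) for v in values] for name, values in params.items()}


def is_newjob_endpoint(uri: str) -> bool:
    """True when the request URI targets the AutoDiscovery newjob mode."""
    parts = urlsplit(uri)
    if not parts.path.startswith(AUTODISCOVERY_PATH):
        return False
    return parse_qs(parts.query).get("mode") == [NEWJOB_MODE]


def is_traversal_attempt(record: dict) -> bool:
    """Apply the three rule conditions to one request record (assumed layout)."""
    if record.get("method", "").upper() != "POST":
        return False
    if not is_newjob_endpoint(record.get("uri", "")):
        return False
    job_values = decode_body_params(record.get("body", "")).get("job", [])
    return any(TRAVERSAL in value for value in job_values)


def scan_records(records: list) -> list:
    """Return the indices of records that match the detection."""
    return [i for i, rec in enumerate(records) if is_traversal_attempt(rec)]


# Constructed sample records; not real traffic.
SAMPLE_RECORDS = [
    # 0: legitimate job creation by an administrator
    {"method": "POST", "uri": AUTODISCOVERY_PATH + "?mode=newjob",
     "body": "job=weekly-scan&custom_ports=22"},
    # 1: literal '../' in the job parameter (what the Snort rule matches)
    {"method": "POST", "uri": AUTODISCOVERY_PATH + "?mode=newjob",
     "body": "job=../../example&custom_ports=22"},
    # 2: percent-encoded slashes, missed by a raw-byte match
    {"method": "POST", "uri": AUTODISCOVERY_PATH + "?mode=newjob",
     "body": "job=..%2F..%2Fexample"},
    # 3: GET with the same URI; the rule requires POST
    {"method": "GET", "uri": AUTODISCOVERY_PATH + "?mode=newjob", "body": ""},
    # 4: traversal string aimed at an unrelated path; out of scope for this rule
    {"method": "POST", "uri": "/nagiosxi/index.php", "body": "job=../x"},
    # 5: double-encoded variant, normalised by the second decode
    {"method": "POST", "uri": AUTODISCOVERY_PATH + "?mode=newjob",
     "body": "job=..%252F..%252Fexample"},
]

if __name__ == "__main__":
    for idx in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: possible CVE-2021-37343 exploitation attempt")
```

Records 1, 2 and 5 are flagged; 0, 3 and 4 are not. The Snort rule's `content:"job=|2e 2e 2f|"` on `http.request_body` matches only the literal bytes, so a detector built from logged bodies should decode before comparing, as above, and the endpoint check should stay tied to the `mode=newjob` query value the rule specifies.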
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
Suricata
ET EXPLOIT Nagios XI Post-Auth Path Traversal (CVE-2021-37343)
suricata · created 2021-09-23 · CVSS 8.8 · CVE-2021-37343 [HIGH]
Rule: sid:2034017 rev:2, reproduced in full under Detection & IOCs above.
Metasploit
Nagios XI Autodiscovery Webshell Upload
metasploit · CVSS 8.8 · CVE-2021-37343 [HIGH]
This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343). The path traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as `www-data`. The module achieves this by creating an autodiscovery job with an `id` field containing a path traversal to a writable and remotely accessible directory, and `custom_ports` field containing the web shell. A cron file will be created using the chosen path and file name, and the web shell is embedded in the file. After the web shell has been written to the victim, this module will then use the web shell to establish a Meterpreter session or a reverse shell. By default, the web shell is deleted by the module, and the autodiscovery job
Metasploit
Nagios XI Scanner
metasploit
The module detects the version of Nagios XI applications and suggests matching exploit modules based on the version number. Since Nagios XI applications only reveal the version to authenticated users, valid credentials for a Nagios XI account are required. Alternatively, it is possible to provide a specific Nagios XI version number via the `VERSION` option. In that case, the module simply suggests matching exploit modules and does not probe the target(s).
No writeups or analysis indexed.