Nagios XI Shell Command Injection Vulnerability in Auto-Discovery Tool

Vulnerability

A shell command injection vulnerability has been identified in Nagios XI versions prior to 2012R1.6, specifically within the Auto-Discovery tool. This vulnerability allows authenticated users with access to the discovery functionality to execute arbitrary commands. The issue arises because user-controlled input is passed to the shell without proper sanitization or argument quoting, so shell metacharacters in that input are interpreted as part of the command line, enabling command execution with the privileges of the application service account.
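The pattern the advisory describes (a user-supplied scan target interpolated into a shell command line) and the two hardening steps that close it, validation against an allow-list and passing arguments as an argv list rather than through a shell, shown as an added Python illustration. This is not Nagios XI's code (which is PHP) and does not reflect how its Auto-Discovery tool is implemented; the scanner name `nmap`, the `-sn` flag and the function names are assumptions made for the example.

```python
"""Added illustration of unquoted shell interpolation versus a validated
argv-list call.  Generic Python, not Nagios XI code."""
import ipaddress
import shlex
import subprocess

# Hypothetical external scanner invoked by a discovery feature (assumption).
SCANNER = "nmap"


def unsafe_command(target):
    """Vulnerable shape: the target is interpolated into a shell string.

    Anything /bin/sh treats specially inside `target` (";", "|", "$(...)")
    becomes part of the command line, which is the defect class the advisory
    describes.  Kept here only as the 'before' form; do not run it.
    """
    return "%s -sn %s" % (SCANNER, target)


def validate_target(target):
    """Allow-list check: accept only an IPv4/IPv6 address or CIDR network.

    Returns the normalised network string; raises ValueError for anything
    else, so shell metacharacters never reach the command builder.
    """
    try:
        net = ipaddress.ip_network(target.strip(), strict=False)
    except ValueError as exc:
        raise ValueError("rejected scan target %r: %s" % (target, exc)) from exc
    return str(net)


def safe_argv(target):
    """Hardened shape: validate, then build an argv list.

    With a list and shell=False no shell ever parses the target, so even a
    string containing ';' would be handed to the scanner as one literal
    argument (and here it is rejected before that point anyway).
    """
    return [SCANNER, "-sn", validate_target(target)]


def safe_shell_string(target):
    """If a shell string is unavoidable, quote every argument (shlex.join)."""
    return shlex.join(safe_argv(target))


def run_scan(target, dry_run=True):
    """Run the scanner with the hardened argv; dry_run returns the argv only."""
    argv = safe_argv(target)
    if dry_run:
        return argv
    completed = subprocess.run(argv, check=True, capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    # Constructed inputs: a legitimate range and one carrying a metacharacter.
    for candidate in ("10.0.0.0/24", "10.0.0.0/24; extra"):
        print("unsafe string  :", unsafe_command(candidate))
        try:
            print("hardened argv  :", run_scan(candidate))
        except ValueError as err:
            print("hardened argv  : REJECTED ->", err)
```

The difference to notice is that `unsafe_command` happily returns a command line containing the injected `;`, whereas the hardened path rejects the input at `validate_target` and, for inputs that pass, never hands a string to a shell at all. Detection-wise, a discovery feature that spawns `/bin/sh -c` with a target string in it is the signal to look for in code review or process-execution telemetry.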

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server with the application's privileges, potentially leading to unauthorized actions or access.

Reproduction

To reproduce this vulnerability, an authenticated user must access the Auto-Discovery tool in a version of Nagios XI prior to 2012R1.6. The user can then supply input that is not properly sanitized and is executed as part of a shell command. This can be done by, for example, uploading a malicious script or supplying a command that the application will execute without proper validation.

Remediation

Upgrade to Nagios XI version 2012R1.6 or later, where this vulnerability has been fixed.

Added: Oct 31, 2025, 12:09 AM
Updated: Oct 31, 2025, 12:09 AM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact         10.0
exploitability  5.6
remediation     0.0
relevance       0.9
threat          1.6
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.