Nagios XI Remote Code Execution Vulnerability in Business Process Intelligence Component

Vulnerability

A remote code execution vulnerability exists in Nagios XI versions prior to 2024R1.4.2, specifically within the Business Process Intelligence (BPI) component. This vulnerability arises from inadequate validation and sanitization of BPI configuration parameters controlled by administrators, particularly 'bpi_logfile' and 'bpi_configfile'. An authenticated administrative user can exploit this flaw to create or overwrite files in the webroot, which can then be edited using the BPI configuration editor. If these files have executable extensions and are served by the web application, arbitrary code could be executed as the Nagios XI web application user, potentially leading to further control over the host operating system.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the same privileges as the web application user. This could be leveraged to gain additional control over the operating system.

Reproduction

To reproduce this vulnerability, an authenticated administrative user accesses the BPI component and manipulates the 'bpi_logfile' and 'bpi_configfile' parameters. By uploading a file with an executable extension through these parameters and then using the BPI configuration editor to execute the file, that user achieves arbitrary code execution.

Remediation

Users can upgrade to Nagios XI version 2024R1.4.2 or later to address this vulnerability.
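As an added illustration (not Nagios XI's own code and not the vendor's patch), the kind of validation the flawed settings lacked: it canonicalizes the administrator-supplied path, confines it to an expected directory, rejects anything that resolves into the webroot, and refuses executable extensions. The webroot, the per-setting directories and the extension list are assumptions chosen for the example.

```python
# Added example (not Nagios XI's own code): defensive validation of the
# administrator-controlled BPI path settings named in the advisory. The
# directories and denied extensions are assumptions, not values from the page.
import os
from typing import Tuple

WEBROOT = "/var/www/html"  # assumed document root (constructed)
ALLOWED_DIRS = {
    "bpi_logfile": "/var/log/nagios_bpi",  # assumed log directory
    "bpi_configfile": "/etc/nagios_bpi",  # assumed config directory
}
# Extensions a web server may execute or interpret; the list is illustrative.
DENIED_EXTENSIONS = {".php", ".phtml", ".phar", ".cgi", ".pl", ".py", ".sh"}


def _canonical(path: str) -> str:
    """Collapse '.', '..' and symlinks so prefix checks cannot be bypassed."""
    return os.path.realpath(os.path.abspath(path))


def _is_within(path: str, base: str) -> bool:
    """True if canonical `path` is `base` itself or lies below it."""
    return os.path.commonpath([path, base]) == base


def validate_bpi_path(setting: str, value: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a proposed value of a BPI path setting.

    Rejects what the advisory's flaw relied on: paths that resolve into the
    webroot, traversal out of the expected directory, and names carrying an
    extension the web server could execute.
    """
    if setting not in ALLOWED_DIRS:
        return False, "unknown setting"
    if not value.strip() or "\x00" in value:
        return False, "empty or contains a NUL byte"
    if not os.path.isabs(value):
        return False, "path must be absolute"
    canonical = _canonical(value)
    base = _canonical(ALLOWED_DIRS[setting])
    if canonical == base:
        return False, "path names the directory itself"
    if not _is_within(canonical, base):
        return False, "path escapes " + base
    if _is_within(canonical, _canonical(WEBROOT)):
        return False, "path resolves inside the webroot"
    if os.path.splitext(canonical)[1].lower() in DENIED_EXTENSIONS:
        return False, "executable extension not allowed"
    return True, "ok"
```

Because both the candidate path and the base directory go through the same canonicalization, a `..` segment or a symlink cannot move a file out of the expected directory without failing the prefix check.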

Added: Oct 30, 2025, 10:37 PM
Updated: Oct 30, 2025, 10:37 PM

Vulnerability Rating

Custom Algorithm
  spread          5.0
  impact         10.0
  exploitability  5.1
  remediation     7.7
  relevance       0.8
  threat          1.6
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.