Nagios XI Magpie_debug.php Unauthenticated RCE - Vulnerability Database

Description

Nagios XI versions prior to 5.5.7 contain a critical remote code execution vulnerability in the magpie_debug.php file, which is part of the bundled MagpieRSS library. The vulnerability stems from a flawed custom implementation of the Snoopy component that fails to properly sanitize user input before passing it to system commands. An unauthenticated attacker can exploit this flaw by sending a specially crafted HTTP GET request with a malicious 'url' parameter, allowing them to inject arbitrary arguments into the underlying 'curl' command. This command injection enables the attacker to write arbitrary files to any location accessible by the Apache web server user, leading to complete system compromise.

Remediation

Immediately upgrade to Nagios XI version 5.5.7 or later, which addresses this vulnerability. To remediate this issue:

1. Download the latest version of Nagios XI from the official Nagios website
2. Review the Nagios XI Change Log to understand all changes and prepare for the upgrade
3. Create a complete backup of your current Nagios XI installation and database
4. Follow the official Nagios XI upgrade procedure documented in the administration guide
5. After upgrading, verify that the magpie_debug.php file has been removed or properly secured
6. Review system logs for any suspicious activity or unauthorized access attempts prior to the upgrade

As a temporary mitigation if immediate patching is not possible, restrict access to the magpie_debug.php file by removing it or implementing web server access controls to block external access to this file.
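For the log review in step 6, the following added example (not part of the original advisory or of Nagios XI) scans Apache combined-format access log lines for requests that reached magpie_debug.php and rates higher any request whose decoded 'url' value contains an option-like token. The log format, the `/PLACEHOLDER/` path, the severity labels and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_FILE = "magpie_debug.php"
# Whitespace followed by a token starting with "-" means the url value would
# be read as more than one argument once it reaches a command line.
OPTION_TOKEN = re.compile(r"\s-{1,2}\w")


def scan(lines):
    """Return one finding per logged request that touched magpie_debug.php."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Decode the path first so percent-encoded file names are still caught.
        if TARGET_FILE not in unquote(parts.path).lower():
            continue
        # parse_qs percent-decodes values and turns "+" into a space.
        urls = parse_qs(parts.query, keep_blank_values=True).get("url", [])
        suspicious = any(OPTION_TOKEN.search(u) for u in urls)
        findings.append({
            "client": m["client"],
            "time": m["ts"],
            "status": int(m["status"]),  # 404 suggests the file is already gone
            "url_param": urls,
            "severity": "high" if suspicious else "review",
        })
    return findings


# Constructed sample log lines; path and addresses are placeholders.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2019:10:00:00 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2019:10:05:00 +0000] "GET /PLACEHOLDER/magpie_debug.php?url=http://example.invalid/feed.xml HTTP/1.1" 200 900 "-" "-"',
    '203.0.113.9 - - [01/Jan/2019:10:06:00 +0000] "GET /PLACEHOLDER/magpie_debug.php?url=http://example.invalid/feed.xml%20--constructed-option%20value HTTP/1.1" 200 120 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any hit on this file from an unexpected client deserves a look; the "high" rating only prioritizes requests whose 'url' value carries extra arguments.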
