A critical vulnerability has been discovered in Nagios Log Server that allows any authenticated user, regardless of privilege level, to obtain administrative API keys in cleartext. Successful exploitation grants an attacker full administrative control over the log server, enabling them to view, alter, or delete sensitive log data, disrupt monitoring operations, and potentially pivot to other systems within the network.

This vulnerability is an improper access control and information disclosure flaw. An authenticated attacker, even with low-level privileges, can send a specially crafted request to the /nagioslogserver/index.php/api/system/get_users API endpoint. The server fails to properly authorize this request and responds with a list of all system users, including their cleartext API keys, which are intended for administrative use. An attacker can then use a retrieved administrative API key to perform any action on the Nagios Log Server with the highest level of privilege.

This vulnerability is rated as critical severity with a CVSS score of 9.9. Exploitation could lead to a complete compromise of the organization's central logging infrastructure. The business impact includes the potential loss of confidentiality, as an attacker can access sensitive information contained within logs; loss of integrity, as logs can be tampered with to hide malicious activity or create false trails; and loss of availability, as logs could be deleted, severely hampering security monitoring, incident response, and forensic investigations. A compromised log server can also be used as a staging point for further attacks across the corporate network.

Immediate Action: Immediately upgrade all instances of Nagios Log Server to version 2024R1.3.2 or later, as recommended by the vendor. After patching, it is critical to rotate all user API keys, especially for administrative accounts, as they may have been previously exposed.

Proactive Monitoring: Security teams should actively monitor web server and application access logs for any requests to the /nagioslogserver/index.php/api/system/get_users endpoint, particularly from non-administrative user accounts or untrusted IP addresses. Additionally, monitor for any unusual administrative activity performed via the API that does not correlate with legitimate administrative tasks.

Compensating Controls: If immediate patching is not feasible, apply the following controls to mitigate risk:

• Implement a Web Application Firewall (WAF) rule to block or alert on all access to the /nagioslogserver/index.php/api/system/get_users API endpoint.
• Restrict network access to the Nagios Log Server management interface, allowing connections only from a trusted administrative subnet.
• Temporarily disable non-essential user accounts until the patch can be applied to reduce the attack surface.

Public Exploit Available: false

Given the critical CVSS score of 9.9 and the ease of exploitation for any authenticated user, this vulnerability represents a severe and immediate risk to the organization. We strongly recommend prioritizing the deployment of the security update for Nagios Log Server to version 2024R1.3.2 or newer across all affected systems without delay. Following the update, a thorough review of access logs for signs of compromise and a mandatory rotation of all API keys should be conducted to ensure any potential pre-patch exposure is remediated.