Critical Flaws Affecting Nagios Network Monitoring Software

nagios network monitoring

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Cybersecurity researchers disclosed details about 13 vulnerabilities in the Nagios network monitoring application that could be abused by an adversary to hijack the infrastructure without any operator intervention.

“In a telco setting, where a telco is monitoring thousands of sites, if a customer site is fully compromised, an attacker can use the vulnerabilities to compromise the telco, and then every other monitored customer site,” Adi Ashkenazy, CEO of Australian cybersecurity firm Skylight Cyber, told The Hacker News via email.

Nagios is an open-source IT infrastructure tool analogous to SolarWinds Network Performance Monitor (NPM) that offers monitoring and alerting services for servers, network cards, applications, and services.

The issues, which consist of a mix of authenticated remote code execution (RCE) and privilege escalation flaws, were discovered and reported to Nagios in October 2020, following which they were remediated in November.

Chief among them is CVE-2020-28648 (CVSS score: 8.8), which concerns an improper input validation in the Auto-Discovery component of Nagios XI that the researchers used as a jumping-off point to trigger an exploit chain that strings together a total of five vulnerabilities to achieve a “powerful upstream attack.”

“Namely, if we, as attackers, compromise a customer site that is being monitored using a Nagios XI server, we can compromise the telecommunications company’s management server and every other customer that is being monitored,” the researchers said in a write-up published last week.

Put differently; the attack scenario works by targeting a Nagios XI server at the customer site, using CVE-2020-28648 and CVE-2020-28910 to gain RCE and elevate privileges to “root.” With the server now effectively compromised, the adversary can then send tainted data to the upstream Nagios Fusion server that’s used to provide centralized infrastructure-wide visibility by periodically polling the Nagios XI servers.

“By tainting data returned from the XI server under our control we can trigger Cross-Site Scripting [CVE-2020-28903] and execute JavaScript code in the context of a Fusion user,” Skylight Cyber researcher Samir Ghanem said.

The next phase of the attack leverages this ability to run arbitrary JavaScript code on the Fusion server to obtain RCE (CVE-2020-28905) and subsequently elevate permissions (CVE-2020-28902) to seize control of the Fusion server and, ultimately, break into XI servers located at other customer sites.

The researchers have also published a PHP-based post-exploitation tool called SoyGun that chains the vulnerabilities together and “allows an attacker with Nagios XI user’s credentials and HTTP access to the Nagios XI server to take full control of a Nagios Fusion deployment.”

A summary of the 13 vulnerabilities is listed below –

  • CVE-2020-28648 – Nagios XI authenticated remote code execution (from the context of a low-privileged user)
  • CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root via
  • CVE-2020-28901 – Nagios Fusion privilege escalation from apache to nagios via command injection on component_dir parameter in cmd_subsys.php
  • CVE-2020-28902 – Nagios Fusion privilege escalation from apache to nagios via command injection on timezone parameter in cmd_subsys.php
  • CVE-2020-28903 – XSS in Nagios XI when an attacker has control over a fused server
  • CVE-2020-28904 – Nagios Fusion privilege escalation from apache to nagios via the installation of malicious components
  • CVE-2020-28905 – Nagios Fusion authenticated remote code execution (from the context of low-privileges user)
  • CVE-2020-28906 – Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg
  • CVE-2020-28907 – Nagios Fusion privilege escalation from apache to root via and modification of proxy config
  • CVE-2020-28908 – Nagios Fusion privilege escalation from apache to nagios via command injection (caused by poor sanitization) in cmd_subsys.php
  • CVE-2020-28909 – Nagios Fusion privilege escalation from nagios to root via modification of scripts that can execute as sudo
  • CVE-2020-28910 – Nagios XI privilege escalation
  • CVE-2020-28911 – Nagios Fusion information disclosure: Lower privileged user can authenticate to fused server when credentials are stored

With SolarWinds falling victim to a major supply chain attack last year, targeting a platform like Nagios network monitoring could enable a malicious actor to orchestrate intrusions into corporate networks, laterally expand their access across the IT network, and become an entry point for more sophisticated threats.

“The amount of effort that was required to find these vulnerabilities and exploit them is negligible in the context of sophisticated attackers, and specifically nation-states,” Ghanem said.

“If we could do it as a quick side project, imagine how simple this is for people who dedicate their whole time to develop these types of exploits. Compound that with the number of libraries, tools and vendors that are present and can be leveraged in a modern network, and we have a major issue on our hands.”

This article was first found in The Hacker News

Subscribe To Our Newsletter

More To Explore

Wanna take it to the next level?

drop us a line and let's get started

We're Here To help

Feel free to contact us, and we’ll be more than happy to answer all of your questions.

a2Da Digital

a2Da Digital is a brand of a2Da Enterprises

Ahtri 12
10151 Tallinn, Estonia

[email protected]

+372 712 4283
Hours : 08:00 to 18:00 Mon – Fri
Support 24×7 Submit a Ticket Here
Registered in Tallinn, EE : 14740580
VAT : EE102279616

By completing this form, you consent to a2Da Digital, in its capacity as data controller, collecting your data in order to be able to respond to your message. To assert your right of access or removal, see our Privacy Policy.

Notre entreprise est un collectif de personnes extraordinaires dont le seul objectif est de construire les solutions dont vous avez besoin.

Des interlocuteurs disponibles, compétents et à votre disposition pour vous aider à définir vos besoins et les traduire en outils performants et faciles à utiliser.

Nous répondons à vos demandes au plus vite de manière claire et compréhensible.

Contactez nous à [email protected] avec vos questions.

Nous maintenons nous même notre matériel 24/7 et avons construit une infrastructure sécurisée, efficace et fiable.

Ceci nous permet de vous proposer des produits adaptés à tous les budgets et à forte valeur ajoutée.

Nous ne revendons pas des packs d’hébergement… Nous disposons de nos propres serveurs, maintenus, mis à jour et gérés par nos propres équipes.