Critical Flaws Affecting Nagios Network Monitoring Software

nagios network monitoring

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Cybersecurity researchers disclosed details about 13 vulnerabilities in the Nagios network monitoring application that could be abused by an adversary to hijack the infrastructure without any operator intervention.

“In a telco setting, where a telco is monitoring thousands of sites, if a customer site is fully compromised, an attacker can use the vulnerabilities to compromise the telco, and then every other monitored customer site,” Adi Ashkenazy, CEO of Australian cybersecurity firm Skylight Cyber, told The Hacker News via email.

Nagios is an open-source IT infrastructure tool analogous to SolarWinds Network Performance Monitor (NPM) that offers monitoring and alerting services for servers, network cards, applications, and services.

The issues, which consist of a mix of authenticated remote code execution (RCE) and privilege escalation flaws, were discovered and reported to Nagios in October 2020, following which they were remediated in November.

Chief among them is CVE-2020-28648 (CVSS score: 8.8), which concerns an improper input validation in the Auto-Discovery component of Nagios XI that the researchers used as a jumping-off point to trigger an exploit chain that strings together a total of five vulnerabilities to achieve a “powerful upstream attack.”

“Namely, if we, as attackers, compromise a customer site that is being monitored using a Nagios XI server, we can compromise the telecommunications company’s management server and every other customer that is being monitored,” the researchers said in a write-up published last week.

Put differently; the attack scenario works by targeting a Nagios XI server at the customer site, using CVE-2020-28648 and CVE-2020-28910 to gain RCE and elevate privileges to “root.” With the server now effectively compromised, the adversary can then send tainted data to the upstream Nagios Fusion server that’s used to provide centralized infrastructure-wide visibility by periodically polling the Nagios XI servers.

“By tainting data returned from the XI server under our control we can trigger Cross-Site Scripting [CVE-2020-28903] and execute JavaScript code in the context of a Fusion user,” Skylight Cyber researcher Samir Ghanem said.

The next phase of the attack leverages this ability to run arbitrary JavaScript code on the Fusion server to obtain RCE (CVE-2020-28905) and subsequently elevate permissions (CVE-2020-28902) to seize control of the Fusion server and, ultimately, break into XI servers located at other customer sites.

The researchers have also published a PHP-based post-exploitation tool called SoyGun that chains the vulnerabilities together and “allows an attacker with Nagios XI user’s credentials and HTTP access to the Nagios XI server to take full control of a Nagios Fusion deployment.”

A summary of the 13 vulnerabilities is listed below –

  • CVE-2020-28648 – Nagios XI authenticated remote code execution (from the context of a low-privileged user)
  • CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh
  • CVE-2020-28901 – Nagios Fusion privilege escalation from apache to nagios via command injection on component_dir parameter in cmd_subsys.php
  • CVE-2020-28902 – Nagios Fusion privilege escalation from apache to nagios via command injection on timezone parameter in cmd_subsys.php
  • CVE-2020-28903 – XSS in Nagios XI when an attacker has control over a fused server
  • CVE-2020-28904 – Nagios Fusion privilege escalation from apache to nagios via the installation of malicious components
  • CVE-2020-28905 – Nagios Fusion authenticated remote code execution (from the context of low-privileges user)
  • CVE-2020-28906 – Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg
  • CVE-2020-28907 – Nagios Fusion privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config
  • CVE-2020-28908 – Nagios Fusion privilege escalation from apache to nagios via command injection (caused by poor sanitization) in cmd_subsys.php
  • CVE-2020-28909 – Nagios Fusion privilege escalation from nagios to root via modification of scripts that can execute as sudo
  • CVE-2020-28910 – Nagios XI getprofile.sh privilege escalation
  • CVE-2020-28911 – Nagios Fusion information disclosure: Lower privileged user can authenticate to fused server when credentials are stored

With SolarWinds falling victim to a major supply chain attack last year, targeting a platform like Nagios network monitoring could enable a malicious actor to orchestrate intrusions into corporate networks, laterally expand their access across the IT network, and become an entry point for more sophisticated threats.

“The amount of effort that was required to find these vulnerabilities and exploit them is negligible in the context of sophisticated attackers, and specifically nation-states,” Ghanem said.

“If we could do it as a quick side project, imagine how simple this is for people who dedicate their whole time to develop these types of exploits. Compound that with the number of libraries, tools and vendors that are present and can be leveraged in a modern network, and we have a major issue on our hands.”

This article was first found in The Hacker News

Subscribe To Our Newsletter

More To Explore

Wanna take it to the next level?

drop us a line and let's get started

We're Here To help

Feel free to contact us, and we’ll be more than happy to answer all of your questions.

a2Da Digital

a2Da Digital is a brand of a2Da Enterprises

ERHUB
Ahtri 12
10151 Tallinn, Estonia

[email protected]

+372 712 4283
Hours : 08:00 to 18:00 Mon – Fri
Support 24×7 Submit a Ticket Here
Registered in Tallinn, EE : 14740580
VAT : EE102279616

By completing this form, you consent to a2Da Digital, in its capacity as data controller, collecting your data in order to be able to respond to your message. To assert your right of access or removal, see our Privacy Policy.

Our company is a collective of amazing people striving to build solutions you need.

Actual people, easy to contact and who know what they are doing, these are the members of the team you will deal with.
We all speak French and English and will be able to answer all your questions as quickly as possible.
Just drop an email at [email protected] with your question.

We have both eyes on our equipment, update and maintain it ourselves 24/7 and have constructed an architecture that we believe is sound, secured, efficient and cost effective. We own our servers, we do not resell hosting packages!