13 flaws in Nagios IT Monitoring Software pose serious risk to orgs

Pierluigi Paganini May 24, 2021

Researchers disclosed details about 13 vulnerabilities in the Nagios network monitoring application that could be exploited for malicious purposes.

Cybersecurity researchers from Skylight Cyber disclosed technical details about 13 vulnerabilities in the Nagios network monitoring application that could be exploited by threat actors to hijack the infrastructure.

Nagios is an open-source IT infrastructure monitoring and alerting tool for mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure.

The flaws discovered by the experts include remote code execution and privilege escalation issues. Below is the full list of vulnerabilities:

  1. CVE-2020-28903 – XSS in Nagios XI when attacker has control over fused server.
  2. CVE-2020-28905 – Nagios Fusion authenticated remote code execution (from the context of low-privileges user).
  3. CVE-2020-28902 – Nagios Fusion privilege escalation from apache to nagios via command injection on timezone parameter in cmd_subsys.php.
  4. CVE-2020-28901 – Nagios Fusion privilege escalation from apache to nagios via command injection on component_dir parameter in cmd_subsys.php.
  5. CVE-2020-28904 – Nagios Fusion privilege escalation from apache to nagios via installation of malicious component.
  6. CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh.
  7. CVE-2020-28907 – Nagios Fusion privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config.
  8. CVE-2020-28906 – Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg.
  9. CVE-2020-28909 – Nagios Fusion privilege escalation from nagios to root via modification of scripts that can execute as sudo.
  10. CVE-2020-28908 – Nagios Fusion privilege escalation from apache to nagios via command injection (caused by poor sanitization) in cmd_subsys.php.
  11. CVE-2020-28911 – Nagios Fusion information disclosure – low privileges user can discover passwords used to authenticate to fused servers.
  12. CVE-2020-28648 – Nagios XI authenticated remote code execution (from the context of low-privileges user).
  13. CVE-2020-28910 – Nagios XI getprofile.sh privilege escalation.

The researchers reported the flaws to Nagios in October 2020 and the company addressed them in November.

The most severe vulnerability, tracked as CVE-2020-28648, is an improper input validation issue in the Auto-Discovery component of Nagios XI that could be exploited by an authenticated attacker to execute code remotely. The flaw received a CVSS score of 8.8 and affects versions prior to 5.7.5.

“The bug that allows for this vulnerability is the use of an unsanitised command line in the call to the exec() function. The exec function is a PHP built-in function that will run operating system shell commands. It takes at least one argument which is the command line string that will be executed. If we can control the command line argument passed to the exec function, we can execute arbitrary shell commands.” reads the post published by the researchers.
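The pattern the researchers describe, a user-controlled string reaching exec(), shown as an added example in PHP (not Nagios code; the "ping a host" helper and its function names are hypothetical). The unsafe version interpolates the value into the command line; the hardened version allowlists the value and then quotes it with escapeshellarg():

```php
<?php
// Added example (not Nagios code): a hypothetical "ping a host" helper in the
// pattern the researchers describe, first as written unsafely, then hardened.

// VULNERABLE: the user-controlled value is interpolated straight into the
// command line, so shell metacharacters in $host change what actually runs.
function ping_host_unsafe(string $host): string
{
    exec("ping -c 1 " . $host, $output, $rc);
    return implode("\n", $output);
}

// HARDENED: reject anything outside a strict allowlist, then quote the value
// with escapeshellarg() so the shell sees one literal word.
function is_valid_host(string $host): bool
{
    // letters, digits, dots and hyphens only (hostname or IPv4), max 253 chars
    return preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host) === 1;
}

function ping_host_safe(string $host): string
{
    if (!is_valid_host($host)) {
        throw new InvalidArgumentException("rejected host value");
    }
    exec("ping -c 1 " . escapeshellarg($host), $output, $rc);
    return implode("\n", $output);
}

// Constructed inputs for a quick self-check of the validation step only.
$good = "monitor-01.example.net";
$bad  = "monitor-01.example.net; echo injected";   // metacharacter smuggled in
assert(is_valid_host($good) === true);
assert(is_valid_host($bad) === false);
// escapeshellarg() alone would still hand the whole string to ping as a single
// (harmless) argument; the allowlist rejects it before any command is built.
echo escapeshellarg($bad), "\n";
```

Auditing for this class of bug means grepping for exec(), shell_exec(), system(), passthru() and backticks and tracing every argument back to its source; the allowlist is the control, the quoting is the backstop.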

The experts aimed to demonstrate that, once the install at one of the customer sites is compromised, threat actors can attack upstream into the telco's network and from there all the remaining customers using Nagios.

Nagios Network Monitoring

To do that, the researchers devised an attack chain composed of the following set of vulnerabilities and exploits:

  1. Gain root level code execution on the Nagios XI server at the compromised customer site using an RCE & Privilege Escalation.
  2. Taint the data returned to the Nagios Fusion to trigger an XSS.
  3. Use the session that triggered the XSS to compromise the Nagios Fusion server using an RCE and Priv. Esc.
  4. Gain credentials and exploit the “fused” XI servers at the remaining customer sites.

Threat actors could exploit the CVE-2020-28648 and CVE-2020-28910 vulnerabilities to achieve RCE and elevate privileges to “root” on the customer’s install. Once the attackers have compromised the customer's Nagios XI install, they can send specially crafted data to the upstream Nagios Fusion server.

“The Nagios Fusion application periodically polls the fused Nagios XI servers to get information to display on various Fusion dashboards. The security model for doing this is inherently flawed since the Nagios Fusion will trust any data returned by the fused XI server.” continues the experts. “Since the data is trusted, the Nagios Fusion will display the information on various dashboards without sanitising the data. Therefore, by tainting data returned from the XI server under our control we can trigger Cross-Site Scripting and execute JavaScript code in the context of a Fusion user.”
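The trust problem the researchers describe, an aggregator rendering whatever a polled server returns, shown as an added example in PHP (not Nagios code; the aggregator, its row format and the function names are hypothetical, and PHP 8 is assumed for str_contains()). The unsafe renderer interpolates remote strings into HTML; the hardened one validates each row's shape against what a well-behaved server would send and encodes on output regardless:

```php
<?php
// Added example (not Nagios code): a hypothetical aggregator that polls a
// downstream monitoring server and renders its rows, first trusting the data
// as returned, then validating it and encoding it on output.

// Constructed response as a fused server under someone else's control might
// return it: one host name carries HTML markup instead of a plain name.
$polled = json_decode('[
  {"host": "web-01", "status": "UP"},
  {"host": "web-02 <b>tainted</b>", "status": "UP"}
]', true);

function render_unsafe(array $rows): string
{
    $html = "<table>";
    foreach ($rows as $r) {
        // VULNERABLE: remote strings interpolated into HTML verbatim
        $html .= "<tr><td>{$r['host']}</td><td>{$r['status']}</td></tr>";
    }
    return $html . "</table>";
}

function validate_row(array $r): bool
{
    // Treat the downstream server as untrusted: enforce the shape and
    // vocabulary a well-behaved instance would send, nothing more.
    $statuses = ['UP', 'DOWN', 'UNREACHABLE', 'PENDING'];
    return isset($r['host'], $r['status'])
        && is_string($r['host'])
        && preg_match('/^[A-Za-z0-9._-]{1,253}$/', $r['host']) === 1
        && in_array($r['status'], $statuses, true);
}

function render_safe(array $rows): string
{
    $html = "<table>";
    foreach ($rows as $r) {
        if (!validate_row($r)) {
            error_log("dropped malformed row from fused server"); // log, never render
            continue;
        }
        // Encode on output anyway: defence in depth if validation is ever relaxed.
        $host   = htmlspecialchars($r['host'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $status = htmlspecialchars($r['status'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html  .= "<tr><td>$host</td><td>$status</td></tr>";
    }
    return $html . "</table>";
}
assert(str_contains(render_unsafe($polled), "<b>"));   // markup reaches the page
assert(!str_contains(render_safe($polled), "<b>"));    // tainted row dropped
```

The dropped-row log line is also the detection hook: a fused server that suddenly starts returning malformed rows is exactly the signal a defender wants to alert on.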

Then the attackers gain RCE on the Fusion server by exploiting the CVE-2020-28905 issue and elevate privileges by triggering the CVE-2020-28902 flaw to take over the Fusion server. Upon compromising the Fusion server, the attackers can compromise the XI servers located at other customer sites.

In summary, vulnerabilities like the ones discovered by the researchers could be exploited by threat actors in supply chain attacks with a dramatic impact on the customers of the targeted organizations.

The experts pointed out that threat actors with sophisticated capabilities have the skills to easily discover vulnerabilities such as the ones they found in the Nagios architecture.

“While the SolarWinds attack was very different, as the vendor itself was targeted, it emphasised again the shift towards attacking 3rd party technology hubs, rather than a single target.” concludes the experts. “If we could do it as a quick side project, imagine how simple this is for people who dedicate their whole time to develop these types of exploits. Compound that with the number of libraries, tools and vendors that are present and can be leveraged in a modern network, and we have a major issue on our hands.”

Pierluigi Paganini

(SecurityAffairs – hacking, Nagios network monitoring)