Pierluigi Paganini May 24, 2021

Researchers disclosed details about 13 vulnerabilities in the Nagios network monitoring application that could be exploited for malicious purposes.

Cybersecurity researchers from Skylight Cyber disclosed technical details about 13 vulnerabilities in the Nagios network monitoring application that could be exploited by threat actors to hijack the infrastructure.

Nagios is an open-source IT infrastructure monitoring and alerting tool for mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure.

The flaws discovered by the experts include Remote Code Execution issues and privilege escalation issues. Below the full vulnerabilities list:

1. CVE-2020-28903 – XSS in Nagios XI when attacker has control over fused server.
2. CVE-2020-28905 – Nagios Fusion authenticated remote code execution (from the context of low-privileges user).
3. CVE-2020-28902 – Nagios Fusion privilege escalation from apache to nagios via command injection on timezone parameter in cmd_subsys.php.
4. CVE-2020-28901 – Nagios Fusion privilege escalation from apache to nagios via command injection on component_dir parameter in cmd_subsys.php.
5. CVE-2020-28904 – Nagios Fusion privilege escalation from apache to nagios via installation of malicious component.
6. CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh.
7. CVE-2020-28907 – Nagios Fusion privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config.
8. CVE-2020-28906 – Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg.
9. CVE-2020-28909 – Nagios Fusion privilege escalation from nagios to root via modification of scripts that can execute as sudo.
10. CVE-2020-28908 – Nagios Fusion privilege escalation from apache to nagios via command injection (caused by poor sanitization) in cmd_subsys.php.
11. CVE-2020-28911 – Nagios Fusion information disclosure – low privileges user can discover passwords used to authenticate to fused servers.
12. CVE-2020-28648 – Nagios XI authenticated remote code execution (from the context of low-privileges user).
13. CVE-2020-28910 – Nagios XI getprofile.sh privilege escalation.

The researchers reported the flaws to Nagios in October 2020 and the company addressed them in November.

The most severe vulnerability, tracked as CVE-2020-28648, is an improper input validation issue that resides in the Auto-Discovery component of Nagios XI that could be exploited by an authenticated attacker to execute remote code. The flaw received a CVSS score of 8.8, it affects versions prior 5.7.5.

“The bug that allows for this vulnerability is the use of an unsanitised command line in the call to the exec() function. The exec function is a PHP built-in function that will run operating system shell commands. It takes at least one argument which is the command line string that will be executed. If we can control the command line argument passed to the exec function, we can execute arbitrary shell commands.” reads the post published by the researchers.

Experts aimed at demonstrating that once compromised the install at one of the customer sites, threat actors then can attack upstream to the telco’s network and then attack all the remaining customers using Nagios.

To do that, the researchers devised an attach chain composing of the following set of vulnerabilities and exploits:

1. Gain root level code execution on the Nagios XI server at the compromised customer site using an RCE & Privilege Escalation.
2. Taint the data returned to the Nagios Fusion to trigger an XSS.
3. Use the session that triggered the XSS to compromise the Nagios Fusion server using an RCE and Priv. Esc.
4. Gain credentials and exploit the “fused” XI servers at the remaining customer sites.

Threat actors could exploit the CVE-2020-28648 and CVE-2020-28910 vulnerabilities to achieve RCE and elevate privileges to “root” on the customer’s install. Once the attackers have compromised the Nagios Fusion install, they can send specially crafted data to the upstream Nagios Fusion server.

“The Nagios Fusion application periodically polls the fused Nagios XI servers to get information to display on various Fusion dashboards. The security model for doing this is inherently flawed since the Nagios Fusion will trust any data returned by the fused XI server.” continues the experts. “Since the data is trusted, the Nagios Fusion will display the information on various dashboards without sanitising the data. Therefore, by tainting data returned from the XI server under our control we can trigger Cross-Site Scripting and execute JavaScript code in the context of a Fusion user.”

Then the attackers gain RCE on the Fusion server by exploiting the CVE-2020-28905 issue and elevate permissions triggering the CVE-2020-28902 flaw to take over the Fusion server. Upon compromising the Fusion server the attackers can compromise the XI servers located at other customer sites.

Summarizing, vulnerabilities like the one discovered by the researchers could be exploited by threat actors in supply chain attacks that could have dramatic impact on the customers of the targeted organizations.

Experts pointed out that threat actors with sophisticated capabilities have the skills to easily discover vulnerabilities such as the ones they found in Nagios architecture.

“While the SolarWinds attack was very different, as the vendor itself was targeted, it emphasised again the shift towards attacking 3rd party technology hubs, rather than a single target.” concludes the experts. “If we could do it as a quick side project, imagine how simple this is for people who dedicate their whole time to develop these types of exploits. Compound that with the number of libraries, tools and vendors that are present and can be leveraged in a modern network, and we have a major issue on our hands.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Nagios network monitoring)

[adrotate banner=”5″]

[adrotate banner=”13″]