13 flaws in Nagios IT Monitoring Software pose serious risk to orgs

Researchers disclosed details about 13 vulnerabilities in the Nagios network monitoring application that could be exploited for malicious purposes.

Cybersecurity researchers from Skylight Cyber disclosed technical details about 13 vulnerabilities in the Nagios network monitoring application that could be exploited by threat actors to hijack the infrastructure.

Nagios is an open-source IT infrastructure monitoring and alerting tool for mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure.

The flaws discovered by the experts include remote code execution and privilege escalation issues. The full list of vulnerabilities is below:

  1. CVE-2020-28903 – XSS in Nagios XI when attacker has control over fused server.
  2. CVE-2020-28905 – Nagios Fusion authenticated remote code execution (from the context of low-privileges user).
  3. CVE-2020-28902 – Nagios Fusion privilege escalation from apache to nagios via command injection on timezone parameter in cmd_subsys.php.
  4. CVE-2020-28901 – Nagios Fusion privilege escalation from apache to nagios via command injection on component_dir parameter in cmd_subsys.php.
  5. CVE-2020-28904 – Nagios Fusion privilege escalation from apache to nagios via installation of malicious component.
  6. CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh.
  7. CVE-2020-28907 – Nagios Fusion privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config.
  8. CVE-2020-28906 – Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg.
  9. CVE-2020-28909 – Nagios Fusion privilege escalation from nagios to root via modification of scripts that can execute as sudo.
  10. CVE-2020-28908 – Nagios Fusion privilege escalation from apache to nagios via command injection (caused by poor sanitization) in cmd_subsys.php.
  11. CVE-2020-28911 – Nagios Fusion information disclosure – low privileges user can discover passwords used to authenticate to fused servers.
  12. CVE-2020-28648 – Nagios XI authenticated remote code execution (from the context of low-privileges user).
  13. CVE-2020-28910 – Nagios XI getprofile.sh privilege escalation.

The researchers reported the flaws to Nagios in October 2020 and the company addressed them in November.

The most severe vulnerability, tracked as CVE-2020-28648, is an improper input validation issue in the Auto-Discovery component of Nagios XI that could be exploited by an authenticated attacker to execute code remotely. The flaw received a CVSS score of 8.8 and affects versions prior to 5.7.5.

“The bug that allows for this vulnerability is the use of an unsanitised command line in the call to the exec() function. The exec function is a PHP built-in function that will run operating system shell commands. It takes at least one argument which is the command line string that will be executed. If we can control the command line argument passed to the exec function, we can execute arbitrary shell commands.” reads the post published by the researchers.
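The quoted description boils down to a shell command line built from a value the caller controls. The following PHP is an added example, not Nagios code, contrasting that pattern with a hardened one; the function names and the `/usr/local/bin/discover-hosts` tool are hypothetical placeholders, and the inputs are constructed. The strings returned are what each variant would hand to `exec()`; nothing is executed here.

```php
<?php
// Added example (not Nagios code). Shows why concatenating a caller-controlled
// value into a command line is dangerous and how to constrain it instead.
// "/usr/local/bin/discover-hosts" is a hypothetical scanner; names are made up.

// VULNERABLE pattern: the parameter is spliced straight into the command line.
// The shell interprets metacharacters such as ';', so a value like
// "10.0.0.0/24; echo injected" runs a second command.
function buildDiscoveryCommandUnsafe(string $target): string
{
    return '/usr/local/bin/discover-hosts ' . $target;
}

// HARDENED pattern: (1) validate against a strict allowlist of what the
// parameter may legitimately contain, then (2) escape it for the shell anyway,
// so a future loosening of the allowlist still cannot inject a command.
function buildDiscoveryCommandSafe(string $target): string
{
    // Only dotted-quad IPv4 targets with an optional /prefix are accepted.
    if (!preg_match('/^\d{1,3}(\.\d{1,3}){3}(\/\d{1,2})?$/', $target)) {
        throw new InvalidArgumentException("rejected target: $target");
    }
    return '/usr/local/bin/discover-hosts ' . escapeshellarg($target);
}

// Constructed sample inputs: one legitimate, one carrying a shell separator.
$inputs = ['10.0.0.0/24', '10.0.0.0/24; echo injected'];

foreach ($inputs as $in) {
    echo "unsafe : ", buildDiscoveryCommandUnsafe($in), "\n";
    try {
        echo "safe   : ", buildDiscoveryCommandSafe($in), "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe   : ", $e->getMessage(), "\n";
    }
}
```

Run with `php` on the command line. The unsafe builder passes the `; echo injected` suffix through untouched, while the hardened builder rejects it at validation time; for the legitimate target, `escapeshellarg()` wraps the value in single quotes so it reaches the tool as a single argument. Validation and escaping are deliberately both present: the allowlist expresses intent, the escaping is the backstop.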

The experts set out to demonstrate that, once the Nagios install at one customer site is compromised, threat actors can attack upstream into the telco’s network and from there attack all the remaining customers using Nagios.

To do that, the researchers devised an attack chain composed of the following set of vulnerabilities and exploits:

  1. Gain root level code execution on the Nagios XI server at the compromised customer site using an RCE & Privilege Escalation.
  2. Taint the data returned to the Nagios Fusion to trigger an XSS.
  3. Use the session that triggered the XSS to compromise the Nagios Fusion server using an RCE and Priv. Esc.
  4. Gain credentials and exploit the “fused” XI servers at the remaining customer sites.

Threat actors could exploit the CVE-2020-28648 and CVE-2020-28910 vulnerabilities to achieve RCE and elevate privileges to “root” on the customer’s install. Once the attackers have compromised the Nagios Fusion install, they can send specially crafted data to the upstream Nagios Fusion server.

“The Nagios Fusion application periodically polls the fused Nagios XI servers to get information to display on various Fusion dashboards. The security model for doing this is inherently flawed since the Nagios Fusion will trust any data returned by the fused XI server.” the experts continue. “Since the data is trusted, the Nagios Fusion will display the information on various dashboards without sanitising the data. Therefore, by tainting data returned from the XI server under our control we can trigger Cross-Site Scripting and execute JavaScript code in the context of a Fusion user.”
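The trust boundary the researchers describe, a dashboard that renders whatever a polled downstream server returns, is the point at which output encoding has to happen. The PHP below is an added example, not Nagios Fusion code: the JSON reply, the host fields and the `renderHostRow*` functions are all hypothetical, and the reply is constructed with a script tag in a host name to stand in for tainted data.

```php
<?php
// Added example (not Nagios Fusion code). Models a dashboard rendering data
// polled from a "fused" server that must be treated as untrusted.
// The JSON shape, field names and function names are hypothetical.

// VULNERABLE: fields from the polled reply are echoed into the page as-is,
// so any markup the downstream server returns becomes part of the dashboard.
function renderHostRowUnsafe(array $host): string
{
    return "<tr><td>{$host['name']}</td><td>{$host['status']}</td></tr>";
}

// HARDENED: every untrusted field is HTML-encoded for the context it lands in,
// and fields with a known value set are constrained to that set.
function renderHostRowSafe(array $host): string
{
    $allowedStatus = ['UP', 'DOWN', 'UNREACHABLE', 'PENDING'];
    $status = in_array($host['status'] ?? '', $allowedStatus, true)
        ? $host['status']
        : 'UNKNOWN';
    $name = htmlspecialchars((string) ($host['name'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<tr><td>{$name}</td><td>{$status}</td></tr>";
}

// Constructed reply from a hypothetical fused server; the second host name
// carries markup, the second status is not a value the dashboard expects.
$polledJson = '{"hosts":['
    . '{"name":"web01","status":"UP"},'
    . '{"name":"<script>alert(1)</script>","status":"<b>DOWN</b>"}'
    . ']}';

// Validate the overall shape before trusting any field inside it.
$data = json_decode($polledJson, true);
if (!is_array($data) || !isset($data['hosts']) || !is_array($data['hosts'])) {
    fwrite(STDERR, "unexpected reply shape from fused server\n");
    exit(1);
}

foreach ($data['hosts'] as $host) {
    if (!is_array($host)) {
        continue; // skip malformed entries rather than rendering them
    }
    echo "unsafe: ", renderHostRowUnsafe($host), "\n";
    echo "safe  : ", renderHostRowSafe($host), "\n";
}
```

For the tainted host the safe row contains `&lt;script&gt;alert(1)&lt;/script&gt;` and a status of `UNKNOWN`, so the browser shows the text rather than executing it. Encoding is done at render time, per output context, rather than by stripping characters on input: the same host name may later be written into a JSON response or a log line, where HTML encoding would be the wrong transformation.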

The attackers then gain RCE on the Fusion server by exploiting the CVE-2020-28905 issue and elevate privileges by triggering the CVE-2020-28902 flaw, taking over the Fusion server. Having compromised the Fusion server, the attackers can compromise the XI servers located at other customer sites.

In summary, vulnerabilities like those discovered by the researchers could be exploited by threat actors in supply chain attacks with dramatic impact on the customers of the targeted organizations.

The experts pointed out that threat actors with sophisticated capabilities could easily discover vulnerabilities such as the ones they found in the Nagios architecture.

“While the SolarWinds attack was very different, as the vendor itself was targeted, it emphasised again the shift towards attacking 3rd party technology hubs, rather than a single target.” the experts conclude. “If we could do it as a quick side project, imagine how simple this is for people who dedicate their whole time to develop these types of exploits. Compound that with the number of libraries, tools and vendors that are present and can be leveraged in a modern network, and we have a major issue on our hands.”

Pierluigi Paganini

(SecurityAffairs – hacking, Nagios network monitoring)
