Details Disclosed on Critical Flaws Affecting Nagios IT Monitoring Software


Cybersecurity researchers have disclosed details about 13 vulnerabilities in the Nagios network monitoring application that could be abused by an adversary to hijack the infrastructure without any operator intervention.

"In a telco setting, where a telco is monitoring thousands of sites, if a customer site is fully compromised, an attacker can use the vulnerabilities to compromise the telco, and then every other monitored customer site," Adi Ashkenazy, CEO of Australian cybersecurity firm Skylight Cyber, told The Hacker News via email.

Nagios is an open-source IT infrastructure tool analogous to SolarWinds Network Performance Monitor (NPM) that offers monitoring and alerting services for servers, network cards, applications, and services.

The issues, which consist of a mix of authenticated remote code execution (RCE) and privilege escalation flaws, were discovered and reported to Nagios in October 2020, following which they were remediated in November.


Chief among them is CVE-2020-28648 (CVSS score: 8.8), which concerns improper input validation in the Auto-Discovery component of Nagios XI that the researchers used as a jumping-off point to trigger an exploit chain that strings together a total of five vulnerabilities to achieve a "powerful upstream attack."

"Specifically, if we, as attackers, compromise a customer site that's being monitored using a Nagios XI server, we can compromise the telecommunications company's management server and every other customer that's being monitored," the researchers said in a write-up published last week.

Put differently, the attack scenario works by targeting a Nagios XI server at the customer site, using CVE-2020-28648 and CVE-2020-28910 to gain RCE and elevate privileges to "root." With the server now effectively compromised, the adversary can then send tainted data to the upstream Nagios Fusion server that is used to provide centralized, infrastructure-wide visibility by periodically polling the Nagios XI servers.

"By tainting data returned from the XI server under our control we can trigger Cross-Site Scripting [CVE-2020-28903] and execute JavaScript code in the context of a Fusion user," Skylight Cyber researcher Samir Ghanem said.

The next phase of the attack leverages this ability to run arbitrary JavaScript code on the Fusion server to obtain RCE (CVE-2020-28905) and subsequently elevate permissions (CVE-2020-28902) to seize control of the Fusion server and, ultimately, break into XI servers located at other customer sites.

The researchers have also published a PHP-based post-exploitation tool called SoyGun that chains the vulnerabilities together and "allows an attacker with Nagios XI user's credentials and HTTP access to the Nagios XI server to take full control of a Nagios Fusion deployment."

A summary of the 13 vulnerabilities is listed below –

  • CVE-2020-28648 – Nagios XI authenticated remote code execution (from the context of a low-privileged user)
  • CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh
  • CVE-2020-28901 – Nagios Fusion privilege escalation from apache to nagios via command injection on the component_dir parameter in cmd_subsys.php
  • CVE-2020-28902 – Nagios Fusion privilege escalation from apache to nagios via command injection on the timezone parameter in cmd_subsys.php
  • CVE-2020-28903 – XSS in Nagios XI when an attacker has control over a fused server
  • CVE-2020-28904 – Nagios Fusion privilege escalation from apache to nagios via the installation of malicious components
  • CVE-2020-28905 – Nagios Fusion authenticated remote code execution (from the context of a low-privileged user)
  • CVE-2020-28906 – Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg
  • CVE-2020-28907 – Nagios Fusion privilege escalation from apache to root via upgrade_to_latest.sh and modification of the proxy config
  • CVE-2020-28908 – Nagios Fusion privilege escalation from apache to nagios via command injection (caused by poor sanitization) in cmd_subsys.php
  • CVE-2020-28909 – Nagios Fusion privilege escalation from nagios to root via modification of scripts that can execute as sudo
  • CVE-2020-28910 – Nagios XI getprofile.sh privilege escalation
  • CVE-2020-28911 – Nagios Fusion information disclosure: a lower-privileged user can authenticate to a fused server when credentials are stored
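Three of the Fusion entries above (CVE-2020-28901, CVE-2020-28902 and CVE-2020-28908) are command injections through request parameters of cmd_subsys.php, which gives defenders something concrete to hunt for in web server logs. The Python script below is an added illustration, not code from Nagios or Skylight Cyber: it scans Apache-style access-log lines for requests to that script whose `timezone` or `component_dir` values contain shell metacharacters or do not look like a timezone name at all. The `/nagiosfusion/` path prefix and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Script and parameters named in the Fusion command-injection entries above
WATCHED_SCRIPT = "cmd_subsys.php"
WATCHED_PARAMS = {"timezone", "component_dir"}
# Shell metacharacters that have no business in a timezone or directory name
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# Shape of a legitimate IANA timezone name such as "Europe/Berlin" or "Etc/GMT+3"
TZ_OK = re.compile(r"^[A-Za-z_]+(?:/[A-Za-z0-9_+-]+){0,2}$")
# Apache combined log format: client, timestamp, request line, status code
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')


def suspicious_params(url):
    """Return {param: value} for watched parameters whose values look like injection."""
    parts = urlsplit(url)
    if not parts.path.endswith(WATCHED_SCRIPT):
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:  # parse_qs has already percent-decoded the value
            if SHELL_META.search(value) or (name == "timezone" and not TZ_OK.match(value)):
                hits[name] = value
    return hits


def scan_access_log(lines):
    """Return (client, timestamp, parameter, value) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        for name, value in suspicious_params(m["url"]).items():
            findings.append((m["ip"], m["ts"], name, value))
    return findings


# Constructed sample log lines, not real traffic; the /nagiosfusion/ prefix is an assumption
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2020:10:01:02 +0000] "GET /nagiosfusion/admin/cmd_subsys.php?cmd=tz&timezone=Europe%2FBerlin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2020:10:01:09 +0000] "GET /nagiosfusion/admin/cmd_subsys.php?cmd=tz&timezone=UTC%3Bid HTTP/1.1" 200 512 "-" "curl/7.64"',
    '10.0.0.9 - - [10/Dec/2020:10:02:11 +0000] "GET /nagiosfusion/admin/cmd_subsys.php?cmd=install&component_dir=..%2Ftmp%24%28id%29 HTTP/1.1" 302 0 "-" "curl/7.64"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", finding)
```

Only query-string parameters are visible in an access log; values sent in a POST body need the application's own request logging or a WAF in front of the server to be inspected the same way.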

With SolarWinds falling victim to a major supply chain attack last year, targeting a network monitoring platform like Nagios could enable a malicious actor to orchestrate intrusions into corporate networks, laterally expand their access across the IT network, and become an entry point for more sophisticated threats.

"The amount of effort that was required to find these vulnerabilities and exploit them is negligible in the context of sophisticated attackers, and especially nation-states," Ghanem said.

"If we could do it as a quick side project, imagine how simple this is for people who dedicate their whole time to developing these kinds of exploits. Compound that with the number of libraries, tools and vendors that are present and can be leveraged in a modern network, and we have a major issue on our hands."
