Cybersecurity researchers disclosed particulars about 13 vulnerabilities within the Nagios community monitoring software that may very well be abused by an adversary to hijack the infrastructure with none operator intervention.

“In a telco setting, the place a telco is monitoring 1000’s of web sites, if a buyer website is absolutely compromised, an attacker can use the vulnerabilities to compromise the telco, after which each different monitored buyer website,” Adi Ashkenazy, CEO of Australian cybersecurity agency Skylight Cyber, advised The Hacker Information through e-mail.

Nagios is an open-source IT infrastructure software analogous to SolarWinds Community Efficiency Monitor (NPM) that gives monitoring and alerting companies for servers, community playing cards, purposes, and companies.

The problems, which encompass a mixture of authenticated distant code execution (RCE) and privilege escalation flaws, had been found and reported to Nagios in October 2020, following which they had been remediated in November.

password auditor

Chief amongst them is CVE-2020-28648 (CVSS rating: 8.8), which issues an improper enter validation within the Auto-Discovery component of Nagios XI that the researchers used as a jumping-off level to set off an exploit chain that strings collectively a complete of 5 vulnerabilities to realize a “highly effective upstream assault.”

“Specifically, if we, as attackers, compromise a buyer website that’s being monitored utilizing a Nagios XI server, we are able to compromise the telecommunications firm’s administration server and each different buyer that’s being monitored,” the researchers said in a write-up revealed final week.

Put otherwise; the assault state of affairs works by focusing on a Nagios XI server on the buyer website, utilizing CVE-2020-28648 and CVE-2020-28910 to achieve RCE and elevate privileges to “root.” With the server now successfully compromised, the adversary can then ship tainted knowledge to the upstream Nagios Fusion server that is used to supply centralized infrastructure-wide visibility by periodically polling the Nagios XI servers.

“By tainting knowledge returned from the XI server below our management we are able to set off Cross-Web site Scripting [CVE-2020-28903] and execute JavaScript code within the context of a Fusion consumer,” Skylight Cyber researcher Samir Ghanem mentioned.

The subsequent section of the assault leverages this potential to run arbitrary JavaScript code on the Fusion server to acquire RCE (CVE-2020-28905) and subsequently elevate permissions (CVE-2020-28902) to grab management of the Fusion server and, finally, break into XI servers situated at different buyer websites.

The researchers have additionally revealed a PHP-based post-exploitation software known as SoyGun that chains the vulnerabilities collectively and “permits an attacker with Nagios XI consumer’s credentials and HTTP entry to the Nagios XI server to take full management of a Nagios Fusion deployment.”

A abstract of the 13 vulnerabilities is listed under –

  • CVE-2020-28648 – Nagios XI authenticated distant code execution (from the context of a low-privileged consumer)
  • CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root through
  • CVE-2020-28901 – Nagios Fusion privilege escalation from apache to nagios through command injection on component_dir parameter in cmd_subsys.php
  • CVE-2020-28902 – Nagios Fusion privilege escalation from apache to nagios through command injection on timezone parameter in cmd_subsys.php
  • CVE-2020-28903 – XSS in Nagios XI when an attacker has management over a fused server
  • CVE-2020-28904 – Nagios Fusion privilege escalation from apache to nagios through the set up of malicious elements
  • CVE-2020-28905 – Nagios Fusion authenticated distant code execution (from the context of low-privileges consumer)
  • CVE-2020-28906 – Nagios Fusion and XI privilege escalation from nagios to root through modification of fusion-sys.cfg / xi-sys.cfg
  • CVE-2020-28907 – Nagios Fusion privilege escalation from apache to root through and modification of proxy config
  • CVE-2020-28908 – Nagios Fusion privilege escalation from apache to nagios through command injection (attributable to poor sanitization) in cmd_subsys.php
  • CVE-2020-28909 – Nagios Fusion privilege escalation from nagios to root through modification of scripts that may execute as sudo
  • CVE-2020-28910 – Nagios XI privilege escalation
  • CVE-2020-28911 – Nagios Fusion data disclosure: Decrease privileged consumer can authenticate to fused server when credentials are saved

With SolarWinds falling sufferer to a serious provide chain assault final yr, focusing on a community monitoring platform like Nagios might allow a malicious actor to orchestrate intrusions into company networks, laterally increase their entry throughout the IT community, and develop into an entry level for extra subtle threats.

“The quantity of effort that was required to seek out these vulnerabilities and exploit them is negligible within the context of subtle attackers, and particularly nation-states,” Ghanem mentioned.

“If we might do it as a fast aspect venture, think about how easy that is for individuals who dedicate their entire time to develop a majority of these exploits. Compound that with the variety of libraries, instruments and distributors which can be current and may be leveraged in a contemporary community, and now we have a serious subject on our arms.”

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.