Cybersecurity researchers disclosed details about 13 vulnerabilities in the Nagios network monitoring application that could be abused by an adversary to hijack the infrastructure without any operator intervention.
“In a telco environment, where a telco is monitoring 1000’s of websites, if a customer site is fully compromised, an attacker can use the vulnerabilities to compromise the telco, and then just about every other monitored customer website,” Adi Ashkenazy, CEO of Australian cybersecurity firm Skylight Cyber, told The Hacker News via email.
Nagios is an open-source IT infrastructure monitoring software analogous to SolarWinds Network Performance Monitor (NPM) that provides monitoring and alerting services for servers, network cards, applications, and services.
The issues, which comprise a mix of authenticated remote code execution (RCE) and privilege escalation flaws, were discovered and reported to Nagios in October 2020, following which they were remediated in November.
Chief among them is CVE-2020-28648 (CVSS score: 8.8), which concerns an improper input validation in the Auto-Discovery component of Nagios XI that the researchers used as a jumping-off point to trigger an exploit chain that strings together a total of five vulnerabilities to achieve a “powerful upstream attack.”
“Namely, if we, as attackers, compromise a customer site that is being monitored using a Nagios XI server, we can compromise the telecommunications company’s management server and every other customer that is being monitored,” the researchers said in a write-up published last week.
Put differently, the attack scenario works by targeting a Nagios XI server at the customer site, using CVE-2020-28648 and CVE-2020-28910 to gain RCE and elevate privileges to “root.” With the server now effectively compromised, the adversary can then send tainted data to the upstream Nagios Fusion server, which is used to provide centralized infrastructure-wide visibility by periodically polling the Nagios XI servers.
The researchers have also published a PHP-based post-exploitation tool called SoyGun that chains the vulnerabilities together and “allows an attacker with Nagios XI user’s credentials and HTTP access to the Nagios XI server to take full control of a Nagios Fusion deployment.”
A summary of the 13 vulnerabilities is listed below:
- CVE-2020-28648 – Nagios XI authenticated remote code execution (from the context of a low-privileged user)
- CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh
- CVE-2020-28901 – Nagios Fusion privilege escalation from apache to nagios via command injection on component_dir parameter in cmd_subsys.php
- CVE-2020-28902 – Nagios Fusion privilege escalation from apache to nagios via command injection on timezone parameter in cmd_subsys.php
- CVE-2020-28903 – XSS in Nagios XI when an attacker has control over a fused server
- CVE-2020-28904 – Nagios Fusion privilege escalation from apache to nagios via the installation of malicious components
- CVE-2020-28905 – Nagios Fusion authenticated remote code execution (from the context of a low-privileged user)
- CVE-2020-28906 – Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg
- CVE-2020-28907 – Nagios Fusion privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config
- CVE-2020-28908 – Nagios Fusion privilege escalation from apache to nagios via command injection (caused by poor sanitization) in cmd_subsys.php
- CVE-2020-28909 – Nagios Fusion privilege escalation from nagios to root via modification of scripts that can execute as sudo
- CVE-2020-28910 – Nagios XI getprofile.sh privilege escalation
- CVE-2020-28911 – Nagios Fusion information disclosure: lower-privileged user can authenticate to fused server when credentials are stored
With SolarWinds falling victim to a major supply chain attack last year, targeting a network monitoring platform like Nagios could enable a malicious actor to orchestrate intrusions into corporate networks, laterally expand their access across the IT network, and become an entry point for more advanced threats.
“The amount of effort that was required to find these vulnerabilities and exploit them is negligible in the context of sophisticated attackers, and especially nation-states,” Ghanem said.
“If we could do it as a quick side project, imagine how easy this is for people who dedicate their full time to developing these types of exploits. Compound that with the number of libraries, tools and vendors that are present and can be leveraged in a modern network, and we have a serious problem on our hands.”