Cybersecurity researchers disclosed details about 13 vulnerabilities in the Nagios network monitoring application that could be abused by an adversary to hijack the infrastructure without any operator intervention.
“In a telco setting, where a telco is monitoring thousands of sites, if a customer site is fully compromised, an attacker can use the vulnerabilities to compromise the telco, and then every other monitored customer site,” Adi Ashkenazy, CEO of Australian cybersecurity firm Skylight Cyber, told The Hacker News via email.
Nagios is an open-source IT infrastructure tool analogous to SolarWinds Network Performance Monitor (NPM) that provides monitoring and alerting services for servers, network cards, applications, and services.
The issues, which consist of a mix of authenticated remote code execution (RCE) and privilege escalation flaws, were discovered and reported to Nagios in October 2020, following which they were remediated in November.
Chief among them is CVE-2020-28648 (CVSS score: 8.8), which concerns an improper input validation in the Auto-Discovery component of Nagios XI that the researchers used as a jumping-off point to trigger an exploit chain that strings together a total of five vulnerabilities to achieve a “powerful upstream attack.”
“Specifically, if we, as attackers, compromise a customer site that’s being monitored using a Nagios XI server, we can compromise the telecommunications company’s management server and every other customer that’s being monitored,” the researchers said in a write-up published last week.
Put differently, the attack scenario works by targeting a Nagios XI server at the customer site, using CVE-2020-28648 and CVE-2020-28910 to achieve RCE and elevate privileges to “root.” With the server now effectively compromised, the adversary can then send tainted data to the upstream Nagios Fusion server that is used to provide centralized infrastructure-wide visibility by periodically polling the Nagios XI servers.
The researchers have also released a PHP-based post-exploitation tool called SoyGun that chains the vulnerabilities together and “allows an attacker with Nagios XI user’s credentials and HTTP access to the Nagios XI server to take full control of a Nagios Fusion deployment.”
A summary of the 13 vulnerabilities is listed below –
- CVE-2020-28648 – Nagios XI authenticated remote code execution (from the context of a low-privileged user)
- CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh
- CVE-2020-28901 – Nagios Fusion privilege escalation from apache to nagios via command injection on component_dir parameter in cmd_subsys.php
- CVE-2020-28902 – Nagios Fusion privilege escalation from apache to nagios via command injection on timezone parameter in cmd_subsys.php
- CVE-2020-28903 – XSS in Nagios XI when an attacker has control over a fused server
- CVE-2020-28904 – Nagios Fusion privilege escalation from apache to nagios via the installation of malicious components
- CVE-2020-28905 – Nagios Fusion authenticated remote code execution (from the context of a low-privileged user)
- CVE-2020-28906 – Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg
- CVE-2020-28907 – Nagios Fusion privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config
- CVE-2020-28908 – Nagios Fusion privilege escalation from apache to nagios via command injection (caused by poor sanitization) in cmd_subsys.php
- CVE-2020-28909 – Nagios Fusion privilege escalation from nagios to root via modification of scripts that can execute as sudo
- CVE-2020-28910 – Nagios XI getprofile.sh privilege escalation
- CVE-2020-28911 – Nagios Fusion information disclosure: lower-privileged user can authenticate to fused server when credentials are stored
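Several of the escalation entries above share one pattern: a low-privileged service account (apache or nagios) can modify something that a higher-privileged context later trusts, whether a script that sudo lets it run as root, a configuration file such as fusion-sys.cfg / xi-sys.cfg, or an installed component. The audit script below is an added example, not code from Nagios or from the Skylight Cyber researchers. It checks, for a given account, whether any sudo-granted command or listed config file is writable by that same account. It assumes sudo rules are supplied in the simplified one-line form `USER ALL=(root) NOPASSWD: /path` (real sudoers syntax is richer and is not parsed here), and the files and rules it runs against are a constructed fixture in a temporary directory, not a real deployment.

```shell
#!/bin/sh
# Added audit script (hypothetical helper, not Nagios' own code).
# Flags paths that a low-privileged account may both execute via sudo and modify,
# plus config files that account can modify. Assumes simplified rule lines:
#   USER ALL=(root) NOPASSWD: /absolute/path/to/script

# is_writable_by USER PATH
# Succeeds if USER owns PATH with the owner-write bit set, or if PATH is group-
# or world-writable (group membership is not resolved, so group-writable files
# are flagged conservatively). Parses ls -ld so no GNU-specific stat is needed.
is_writable_by() {
    user="$1"; path="$2"
    [ -e "$path" ] || return 1
    set -- $(ls -ld "$path")          # $1 = permission string, $3 = owner
    perms="$1"; owner="$3"
    case "$perms" in
        ??w*) if [ "$owner" = "$user" ]; then return 0; fi ;;
    esac
    case "$perms" in
        ?????w*|????????w*) return 0 ;;   # group- or world-writable
    esac
    return 1
}

# writable_sudo_targets USER RULES_FILE
# Prints each command granted to USER in RULES_FILE that USER could also modify.
writable_sudo_targets() {
    user="$1"
    while IFS= read -r rule; do
        case "$rule" in "$user "*) ;; *) continue ;; esac   # other users' rules skipped
        cmd=${rule##*: }        # text after the last ": " is the command
        cmd=${cmd%% *}          # drop any arguments
        if is_writable_by "$user" "$cmd"; then
            printf '%s\n' "$cmd"
        fi
    done < "$2"
}

# writable_config_files USER FILE...
# Prints each listed config file that USER could modify.
writable_config_files() {
    user="$1"; shift
    for cfg in "$@"; do
        if is_writable_by "$user" "$cfg"; then
            printf '%s\n' "$cfg"
        fi
    done
}

# count_findings USER RULES_FILE FILE...  -> prints the number of risky paths
count_findings() {
    user="$1"; rules="$2"; shift 2
    { writable_sudo_targets "$user" "$rules"; writable_config_files "$user" "$@"; } \
        | wc -l | tr -d ' '
}

# --- Constructed fixture (temporary directory, not a real deployment) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
ME=$(id -un)                                    # stand-in for the service account
printf '#!/bin/sh\necho upgrade\n' > "$DEMO/upgrade_to_latest.sh"
chmod 0555 "$DEMO/upgrade_to_latest.sh"         # not writable by its owner: fine
printf '#!/bin/sh\necho profile\n' > "$DEMO/getprofile.sh"
chmod 0755 "$DEMO/getprofile.sh"                # owner-writable and sudo-runnable: risky
printf 'key=value\n' > "$DEMO/xi-sys.cfg"
chmod 0644 "$DEMO/xi-sys.cfg"                   # owner-writable config: risky
RULES="$DEMO/rules.txt"
cat > "$RULES" <<EOF
$ME ALL=(root) NOPASSWD: $DEMO/upgrade_to_latest.sh
$ME ALL=(root) NOPASSWD: $DEMO/getprofile.sh
someoneelse ALL=(root) NOPASSWD: $DEMO/getprofile.sh
EOF

echo "Risky paths for $ME:"
writable_sudo_targets "$ME" "$RULES"
writable_config_files "$ME" "$DEMO/xi-sys.cfg"
echo "total: $(count_findings "$ME" "$RULES" "$DEMO/xi-sys.cfg")"
```

On the fixture, only getprofile.sh (sudo-runnable and owner-writable) and xi-sys.cfg (owner-writable) are reported; the read-only upgrade_to_latest.sh and the rule belonging to another user are not. The mitigation the check points at is the usual one: files a privileged step consumes should be owned by root and not writable by the account that triggers that step.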
With SolarWinds falling victim to a major supply chain attack last year, targeting a network monitoring platform like Nagios could enable a malicious actor to orchestrate intrusions into corporate networks, laterally expand their access across the IT network, and become an entry point for more sophisticated threats.
“The amount of effort that was required to find these vulnerabilities and exploit them is negligible in the context of sophisticated attackers, and especially nation-states,” Ghanem said.
“If we could do it as a quick side project, imagine how simple this is for people who dedicate their entire time to develop these kinds of exploits. Compound that with the number of libraries, tools and vendors that are present and can be leveraged in a modern network, and we have a major problem on our hands.”