25 May 2021 at 09:57 UTC
Updated: 25 May 2021 at 09:59 UTC
Medium-impact flaws combined to create ‘upstream attack platform’
Security researchers have detailed how a series of moderate-severity vulnerabilities in the IT monitoring technology Nagios could be chained together to attack organizations at scale.
Researchers at Australian security consultancy Skylight found a total of 13 security flaws in Nagios, a widely used open source IT monitoring tool comparable to SolarWinds.
The flaws in Nagios XI and Nagios Fusion servers were reported to the vendor, which addressed the vulnerabilities last October.
Check your monitor
The Nagios vulnerabilities discovered by Skylight include a cross-site scripting (XSS) flaw, a series of privilege escalation flaws, an information disclosure bug, and an authenticated remote code execution issue.
Skylight acknowledges the requirement for an attacker to be authenticated in a technical write-up that describes the flaws as a “few lame(ish) vulnerabilities in Nagios”.
However, dismissing the flaws as inconsequential would be a mistake, because the researchers were able to chain together a series of these vulnerabilities to attack the monitoring infrastructure of a telco or other service provider (provided they are first able to break into the Nagios-related systems of one of its customers).
SolarWinds’ update mechanism was compromised to carry out a high-profile hack against US government agencies and others last year, so flaws in any similar technology, such as Nagios, merit increased scrutiny.
Skylight’s Adi Ashkenazy told The Daily Swig: “When chaining together five of the vulnerabilities, an attacker can [compromise] the entire monitoring infrastructure without any operator intervention.”
“In a telco environment, where a telco is monitoring thousands of sites, if a customer’s site is fully compromised, an attacker can use the vulnerabilities to compromise the telco, and then every other monitored customer site,” Ashkenazy added.
Skylight has developed a post-exploitation tool called SoyGun that chains the vulnerabilities and automates the process of breaking into vulnerable Nagios systems.
The tool was released to the penetration testing community as an open source project.
The Daily Swig is yet to receive a response to a request for comment from Nagios, or to follow-up questions to Skylight on these now-patched bugs. We’ll update this story as and when more information comes to hand.