Details disclosed about critical flaws affecting Nagios IT monitoring software

Cybersecurity researchers have disclosed details about 13 vulnerabilities in Nagios network monitoring applications that could be exploited by an attacker to hijack the monitored infrastructure without operator intervention.

“In a telco setting where the telco monitors thousands of sites, if a customer’s site is completely compromised, an attacker could exploit the vulnerability to breach the telco and, from there, compromise all other monitored customer sites,” Adi Ashkenazy, CEO of Australian cybersecurity company Skylight Cyber, told The Hacker News by email.

Nagios is an open source IT infrastructure tool similar to SolarWinds Network Performance Monitor (NPM) that provides monitoring and alerting services for servers, network cards, applications, and services.

The flaws, a mix of authenticated remote code execution (RCE) and privilege escalation issues, were discovered and reported to Nagios in October 2020 and fixed in November.

Chief among them is CVE-2020-28648 (CVSS score: 8.8), a flaw in the Auto-Discovery component of Nagios XI, which the researchers used as a starting point to trigger an exploit chain linking a total of five vulnerabilities to achieve what they call a “powerful upstream attack.”

“That is, if an attacker compromises a monitored customer site running a Nagios XI server, it could compromise the carrier’s management server and all other monitored customers,” the researchers said in an article published last week.

In other words, the attack scenario uses CVE-2020-28648 and CVE-2020-28910 to obtain RCE and elevate privileges to “root” on the Nagios XI server at the customer site. With that server effectively compromised, an attacker can send contaminated data to the upstream Nagios Fusion server, which centralizes visibility across the infrastructure by polling the Nagios XI servers on a regular basis.

“We can trigger cross-site scripting [CVE-2020-28903] by polluting the data returned by our controlled XI servers, which executes JavaScript code in the context of Fusion users,” said Skylight Cyber researcher Samir Ghanem.

In the next phase of the attack, this capability can be used to execute arbitrary JavaScript code on the Fusion server to obtain RCE (CVE-2020-28905), then elevate permissions (CVE-2020-28902) and take control of the Fusion server, from which the XI servers at other customer sites can be invaded.
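The upstream direction of the attack comes down to a central Fusion server trusting whatever it polls from the XI servers below it. As an added illustration (not Nagios code; the payload field names and the validation rules are assumptions), here is how a polling side can validate a monitored node's response and escape free text on output, so that a compromised XI server cannot inject markup into the pages of Fusion users:

```python
from __future__ import annotations
import html
import json
import re

# Constructed sample of what a polled XI server might return. The field names
# are assumptions for this illustration, not Nagios Fusion's real schema.
POLLED_XI_STATUS = json.dumps({
    "hosts": [
        {"name": "web-01", "state": "UP", "output": "PING OK - 0.4 ms"},
        # A compromised XI server returning markup instead of a host name.
        {"name": "<script>alert(1)</script>", "state": "UP", "output": "OK"},
        {"name": "db-01", "state": "DOWN", "output": "CRITICAL: <b>timeout</b>"},
    ]
})

# Structured fields get an allowlist; free text gets a length cap and escaping.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")
ALLOWED_STATES = {"UP", "DOWN", "UNREACHABLE"}
MAX_OUTPUT_LEN = 512


def ingest_xi_status(raw: str) -> tuple[list[dict], list[str]]:
    """Validate a polled XI payload before it reaches any Fusion view.
    Returns (accepted_records, rejection_reasons)."""
    accepted, rejected = [], []
    for rec in json.loads(raw).get("hosts", []):
        name, state = rec.get("name"), rec.get("state")
        output = rec.get("output", "")
        if not isinstance(name, str) or not HOSTNAME_RE.match(name):
            rejected.append(f"bad host name: {name!r}")
            continue
        if state not in ALLOWED_STATES:
            rejected.append(f"bad state for {name}: {state!r}")
            continue
        accepted.append({"name": name, "state": state,
                         "output": str(output)[:MAX_OUTPUT_LEN]})
    return accepted, rejected


def render_rows(records: list[dict]) -> str:
    """Render accepted records as table rows; every field is HTML-escaped,
    so plugin output such as '<b>timeout</b>' is shown literally, not parsed."""
    return "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(r["name"]), html.escape(r["state"]), html.escape(r["output"]))
        for r in records)
```

Rejections are worth logging on the Fusion side: a monitored node that starts returning malformed host names is itself a signal that the node may be compromised.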

The researchers have also published a PHP-based post-exploitation tool called SoyGun that chains the vulnerabilities and “allows an attacker with Nagios XI user credentials and HTTP access to the Nagios XI server to have full control over the deployment of Nagios Fusion.”

Below is a summary of the 13 vulnerabilities:

  • CVE-2020-28648 - Nagios XI authenticated remote code execution (from the context of a low-privileged user)
  • CVE-2020-28900 - Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh
  • CVE-2020-28901 - Nagios Fusion privilege escalation from apache to nagios via command injection in the component_dir parameter of cmd_subsys.php
  • CVE-2020-28902 - Nagios Fusion privilege escalation from apache to nagios via command injection in the timezone parameter of cmd_subsys.php
  • CVE-2020-28903 - Nagios XI XSS when an attacker controls a Fusion server
  • CVE-2020-28904 - Nagios Fusion privilege escalation from apache to nagios through the installation of malicious components
  • CVE-2020-28905 - Nagios Fusion authenticated remote code execution (from the context of a low-privileged user)
  • CVE-2020-28906 - Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg
  • CVE-2020-28907 - Nagios Fusion privilege escalation from apache to root via upgrade_to_latest.sh and modified proxy settings
  • CVE-2020-28908 - Nagios Fusion privilege escalation from apache to nagios via command injection in cmd_subsys.php (caused by inadequate sanitization)
  • CVE-2020-28909 - Nagios Fusion privilege escalation from nagios to root through modification of scripts that can be run via sudo
  • CVE-2020-28910 - Nagios XI getprofile.sh privilege escalation
  • CVE-2020-28911 - Nagios Fusion information disclosure: a low-privileged user can authenticate to the Fusion server if the credentials are stored

Targeting network monitoring platforms such as Nagios, as happened with SolarWinds, the victim of last year’s large-scale supply chain attack, lets malicious actors coordinate intrusions into corporate networks and move laterally across the entire IT estate, turning the monitoring platform into a gateway for more advanced threats.

“The effort required to find and exploit these vulnerabilities is negligible in the context of advanced attackers, especially nation-states,” Ghanem said.

“Imagine how easy this would be for people who spend all their time developing these types of exploits, if we could do it as a quick side project. Combine it with the number of libraries, tools and vendors that exist and are available in a modern network, and we have a big problem on our hands.”
