The new Nagios Software bugs can allow hackers to compromise your IT infrastructures. Researchers have discovered 11 security vulnerabilities in Nagios network management systems. Some of the vulnerabilities are linked to achieving pre-authenticated remote code execution with the highest privileges, and also lead to credential theft and phishing attacks.
According to Claroty, an industrial cybersecurity firm, the flaws in tools such as Nagios make them an attractive target, as these tools give “oversight of core servers, devices, and other critical components in the enterprise network. The software company earlier addressed the issues in the earlier updates released in August with Nagios XI 5.8.5 or above, Nagios XI Switch Wizard 2.5.7 or above, Nagios XI Docker Wizard 1.13 or above, and Nagios XI WatchGuard 1.4.8 or above.
Claroty’s Noam Moshe in a write-up published Tuesday said, “SolarWinds and Kaseya were likely targeted not only because of their large and influential customer bases, but also because of their respective technologies’ access to enterprise networks, whether it was managing IT, operational technology (OT), or internet of things (IoT) devices.” This goes to show how intrusions targeting the IT and network management supply chains emerged as a conduit to compromise thousands of downstream victims.
SolarWinds Network Performance Monitor (NPM), used Nagios Core, a popular open-source network health tool to keep track of its IT infrastructure for performance issues and sending alerts following the failure of mission-critical components. While Nagios XI, a proprietary web-based platform built atop Nagios Core, offers organizations extended insight into their IT operations with scalable monitoring and users can also customize high-level overview of hosts, services, and network devices.
Nagios takes security seriously and reacts promptly to the numerous vulnerabilities in a timely manner. Has advised its users to use the latest versions available for their software. It has also mentioned the list of all available security fixes as a remedy for all the vulnerabilities mentioned below.
- CVE-2021-37343 (CVSS score: 8.8) – This vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post-authenticated RCE under the security context of the user running Nagios.
- CVE-2021-37344 (CVSS score: 9.8) – Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralization of special elements used in an OS Command (OS Command injection).
- CVE-2021-37345 (CVSS score: 7.8) – Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.
- CVE-2021-37346 (CVSS score: 9.8) – Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralization of special elements used in an OS Command (OS Command injection).
- CVE-2021-37347 (CVSS score: 7.8) – Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.
- CVE-2021-37348 (CVSS score: 7.5) – Nagios XI before version 5.8.5 is vulnerable to local file inclusion through an improper limitation of a pathname in index.php.
- CVE-2021-37349 (CVSS score: 7.8) – Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitize input read from the database.
- CVE-2021-37350 (CVSS score: 9.8) – Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitization.
- CVE-2021-37351 (CVSS score: 5.3) – Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.
- CVE-2021-37352 (CVSS score: 6.1) – An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially-crafted URL and convince the user to click the link.
- CVE-2021-37353 (CVSS score: 9.8) – Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitization in table_population.php
Broadly speaking these flaws can enable bad actors to drop a web shell or execute PHP scripts and elevate their privileges to root. Gaining access to arbitrary command execution in the context of the root user. Claroty as a proof of concept linked CVE-2021-37343 and CVE-2021-37347 to gain a write-what-where primitive, allowing an attacker to write content to any file in the system.
Moshe said, “[Network management systems] require extensive trust and access to network components in order to properly monitor network behaviors and performance for failures and poor efficiency.”“They may also extend outside your network through the firewall to attend to remote servers and connections. Therefore, these centralized systems can be a tasty target for attackers who can leverage this type of network hub, and attempt to compromise it in order to access, manipulate, and disrupt other systems.”
This is the second time nearly dozens of vulnerabilities have been disclosed by Nagios. Skylight Cyber earlier in May revealed 13 security flaws in the network monitoring tool that could be exploited by bad actors to take control of the infrastructure without any user intervention.
CloudSEK Payment API Vulnerabilities Exposed Millions of Users
Europol Busts A Major Crime Ring more Than 100 Online Fraudsters Arrested
Google Will Auto-Reset Unused Android App Permissions for Billions of Devices