No less than 11 security vulnerabilities have been disclosed in Nagios network management systems, some of which could be chained to achieve pre-authenticated remote code execution with the highest privileges, as well as lead to theft of credentials and phishing attacks.
Industrial cybersecurity firm Claroty, which discovered the flaws, said that weaknesses in tools like Nagios make them an attractive target because of their “oversight of back-end servers, devices, and other critical components in the business network.” The issues have since been addressed in updates released in August with Nagios XI 5.8.5 or higher, Nagios XI Switch Wizard 2.5.7 or higher, Nagios XI Docker Wizard 1.1.3 or higher, and Nagios XI WatchGuard Wizard 1.4.8 or higher.
“SolarWinds and Kaseya have likely been targeted not only because of their large and influential customer base, but also because of their respective technologies’ access to corporate networks, whether it is managing IT, operational technology (OT) or Internet of Things (IoT) peripherals,” said Noam Moshe of Claroty in an article published Tuesday, highlighting how intrusions targeting IT and networking supply chains have emerged as a means of compromising thousands of downstream victims.
Nagios Core is a popular open source network health tool analogous to SolarWinds Network Performance Monitor (NPM) which is used to keep an eye on the IT infrastructure for performance issues and send alerts following failure of critical components. Nagios XI, a proprietary web-based platform built on top of Nagios Core, provides organizations with a broad overview of their IT operations with scalable monitoring and a high-level, customizable overview of hosts, services, and network devices.
The main issues are two remote code execution flaws (CVE-2021-37344, CVE-2021-37346) in the Nagios XI Switch Wizard and Nagios XI WatchGuard Wizard, an SQL injection vulnerability (CVE-2021-37350) in Nagios XI, and a server-side request forgery (SSRF) flaw (CVE-2021-37353) affecting the Nagios XI Docker Wizard, as well as a post-authenticated RCE in the Nagios XI AutoDiscovery tool (CVE-2021-37343). The full list of the 11 flaws is as follows –
- CVE-2021-37343 (CVSS score: 8.8) – A path traversal vulnerability exists in the AutoDiscovery component of Nagios XI below version 5.8.5 and could lead to post-authenticated RCE in the security context of the user running Nagios.
- CVE-2021-37344 (CVSS score: 9.8) – Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralization of special elements used in an OS command (OS command injection).
- CVE-2021-37345 (CVSS score: 7.8) – Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is imported from the var directory by some scripts that run with elevated permissions.
- CVE-2021-37346 (CVSS score: 9.8) – Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through improper neutralization of special elements used in an OS command (OS command injection).
- CVE-2021-37347 (CVSS score: 7.8) – Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.
- CVE-2021-37348 (CVSS score: 7.5) – Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.
- CVE-2021-37349 (CVSS score: 7.8) – Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitize input read from the database.
- CVE-2021-37350 (CVSS score: 9.8) – Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitization.
- CVE-2021-37351 (CVSS score: 5.3) – Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access protected pages through a specially crafted HTTP request to the server.
- CVE-2021-37352 (CVSS score: 6.1) – An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit it, an attacker could send a link containing a specially crafted URL and convince the user to click on it.
- CVE-2021-37353 (CVSS score: 9.8) – Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitization in table_population.php.
In a nutshell, the flaws could be combined by an attacker to drop a web shell or execute PHP scripts and elevate their privileges to root, thus achieving arbitrary command execution in the context of the root user. As a proof of concept, Claroty chained CVE-2021-37343 and CVE-2021-37347 to obtain a write-what-where primitive, allowing an attacker to write content to any file on the system.
“[Network management systems] require extensive trust and access to network components in order to properly monitor the behavior and performance of the network for failures and poor efficiency,” said Moshe.
“They can also extend outside your network through the firewall to take care of remote servers and connections. Therefore, these centralized systems can be an attractive target for attackers who can exploit this type of network hub and attempt to compromise it in order to access, manipulate and disrupt other systems.”
This is the second time this year that nearly a dozen vulnerabilities have been disclosed in Nagios. Earlier in May, Skylight Cyber revealed 13 security weaknesses in the network monitoring application that could be exploited by an adversary to hijack infrastructure without any operator intervention.