[BreachExchange] New Nagios Software Bugs Could Let Hackers Take Over IT Infrastructures

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Sep 22 08:45:09 EDT 2021


https://thehackernews.com/2021/09/new-nagios-software-bugs-could-let.html

As many as 11 security vulnerabilities have been disclosed in Nagios
network management systems, some of which could be chained to achieve
pre-authenticated remote code execution with the highest privileges, as
well as lead to credential theft and phishing attacks.

Industrial cybersecurity firm Claroty, which discovered the flaws, said
flaws in tools such as Nagios make them an attractive target owing to their
"oversight of core servers, devices, and other critical components in the
enterprise network." The issues have since been fixed in updates released
in August with Nagios XI 5.8.5 or above, Nagios XI Switch Wizard 2.5.7 or
above, Nagios XI Docker Wizard 1.13 or above, and Nagios XI WatchGuard
1.4.8 or above.

"SolarWinds and Kaseya were likely targeted not only because of their large
and influential customer bases, but also because of their respective
technologies' access to enterprise networks, whether it was managing IT,
operational technology (OT), or internet of things (IoT) devices,"
Claroty's Noam Moshe said in a write-up published Tuesday, noting how the
intrusions targeting the IT and network management supply chains emerged as
a conduit to compromise thousands of downstream victims.

Nagios Core is a popular open-source network health tool analogous to
SolarWinds Network Performance Monitor (NPM) that's used for keeping tabs
on IT infrastructure for performance issues and sending alerts following
the failure of mission-critical components. Nagios XI, a proprietary
web-based platform built atop Nagios Core, provides organizations with
extended insight into their IT operations with scalable monitoring and a
customizable high-level overview of hosts, services, and network devices.

Chief among the issues are two remote code execution flaws (CVE-2021-37344,
CVE-2021-37346) in Nagios XI Switch Wizard and Nagios XI WatchGuard Wizard,
an SQL injection vulnerability (CVE-2021-37350) in Nagios XI, and a
server-side request forgery (SSRF) affecting Nagios XI Docker Wizard, as
well as a post-authenticated RCE in Nagios XI's Auto-Discovery tool. The
complete list of 11 flaws is as follows:

   - CVE-2021-37343 (CVSS score: 8.8) - A path traversal vulnerability
   exists in Nagios XI below version 5.8.5 AutoDiscovery component and could
   lead to post-authenticated RCE under the security context of the user
   running Nagios.
   - CVE-2021-37344 (CVSS score: 9.8) - Nagios XI Switch Wizard before
   version 2.5.7 is vulnerable to remote code execution through improper
   neutralization of special elements used in an OS Command (OS Command
   injection).
   - CVE-2021-37345 (CVSS score: 7.8) - Nagios XI before version 5.8.5 is
   vulnerable to local privilege escalation because xi-sys.cfg is being
   imported from the var directory for some scripts with elevated permissions.
   - CVE-2021-37346 (CVSS score: 9.8) - Nagios XI WatchGuard Wizard before
   version 1.4.8 is vulnerable to remote code execution through improper
   neutralization of special elements used in an OS Command (OS Command
   injection).
   - CVE-2021-37347 (CVSS score: 7.8) - Nagios XI before version 5.8.5 is
   vulnerable to local privilege escalation because getprofile.sh does not
   validate the directory name it receives as an argument.
   - CVE-2021-37348 (CVSS score: 7.5) - Nagios XI before version 5.8.5 is
   vulnerable to local file inclusion through an improper limitation of a
   pathname in index.php.
   - CVE-2021-37349 (CVSS score: 7.8) - Nagios XI before version 5.8.5 is
   vulnerable to local privilege escalation because cleaner.php does not
   sanitize input read from the database.
   - CVE-2021-37350 (CVSS score: 9.8) - Nagios XI before version 5.8.5 is
   vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to
   improper input sanitization.
   - CVE-2021-37351 (CVSS score: 5.3) - Nagios XI before version 5.8.5 is
   vulnerable to insecure permissions and allows unauthenticated users to
   access guarded pages through a crafted HTTP request to the server.
   - CVE-2021-37352 (CVSS score: 6.1) - An open redirect vulnerability
   exists in Nagios XI before version 5.8.5 that could lead to spoofing. To
   exploit the vulnerability, an attacker could send a link that has a
   specially-crafted URL and convince the user to click the link.
   - CVE-2021-37353 (CVSS score: 9.8) - Nagios XI Docker Wizard before
   version 1.1.3 is vulnerable to SSRF due to improper sanitization in
   table_population.php.

In a nutshell, the flaws could be combined by attackers to drop a web shell
or execute PHP scripts and elevate their privileges to root, thus achieving
arbitrary command execution in the context of the root user. As a
proof-of-concept, Claroty chained CVE-2021-37343 and CVE-2021-37347 to gain
a write-what-where primitive, allowing an attacker to write content to any
file in the system.

"[Network management systems] require extensive trust and access to network
components in order to properly monitor network behaviors and performance
for failures and poor efficiency," Moshe said.

"They may also extend outside your network through the firewall to attend
to remote servers and connections. Therefore, these centralized systems can
be a tasty target for attackers who can leverage this type of network hub,
and attempt to compromise it in order to access, manipulate, and disrupt
other systems."

The disclosure is the second time nearly a dozen vulnerabilities have been
disclosed in Nagios. Earlier this May, Skylight Cyber revealed 13 security
weaknesses in the network monitoring application that could be abused by an
adversary to hijack the infrastructure without any operator intervention.
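Two of the listed bugs (CVE-2021-37343, a path traversal in the AutoDiscovery component, and CVE-2021-37347, a helper script that acts on a directory name it never validates) share one root cause: a privileged component trusts a path component supplied by a lower-privileged caller. The script below is an added example, not Nagios's or Claroty's code, showing the defensive pattern for that class in POSIX sh: allowlist the characters of the name, then confirm the resolved physical path still lies under the expected base directory. PROFILE_BASE, the directory layout and the candidate names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not Nagios code: how a privileged helper script can validate a
# directory-name argument before acting on it. PROFILE_BASE and the sample
# directory names below are constructed for this demo.

# Constructed sample layout: one legitimate profile directory and one symlink
# that points outside the base directory (the symlink-escape edge case).
PROFILE_BASE=$(mktemp -d)
trap 'rm -rf "$PROFILE_BASE"' EXIT
mkdir "$PROFILE_BASE/good"
ln -s /etc "$PROFILE_BASE/escape"

# validate_profile_dir NAME
# Returns 0 only if NAME is a single safe path component and
# "$PROFILE_BASE/NAME" is an existing directory whose physical path resolves
# beneath PROFILE_BASE. Returns 1 for anything else.
validate_profile_dir() {
    name=$1
    # Allowlist the characters: no slashes, dots, spaces or shell
    # metacharacters, so "../" traversal and "x;id"-style injection are
    # rejected before the name ever touches the filesystem.
    case $name in
        "") return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    target="$PROFILE_BASE/$name"
    [ -d "$target" ] || return 1
    # Defence in depth: resolve symlinks (pwd -P) and confirm the physical
    # path is still under the base, so a planted symlink cannot redirect the
    # privileged script elsewhere.
    resolved=$(cd "$target" 2>/dev/null && pwd -P) || return 1
    base=$(cd "$PROFILE_BASE" && pwd -P) || return 1
    case $resolved in
        "$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo run over constructed candidates; prints accept/reject for each.
for candidate in good "../etc" "good;id" escape missing ""; do
    if validate_profile_dir "$candidate"; then
        printf 'accept: %s\n' "$candidate"
    else
        printf 'reject: %s\n' "$candidate"
    fi
done
```

The character allowlist alone would already stop "../etc" and "good;id"; the second check exists because a name that passes the allowlist can still name a symlink, which is why the example resolves the physical path and compares it against the base rather than trusting the string.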