Nagios XI vulnerabilities open up corporate IT infrastructure to attacks
Researchers have discovered 11 vulnerabilities affecting Nagios XI, a widely used corporate IT infrastructure / network monitoring solution, some of which can be chained to allow remote code execution with root privileges on the underlying system. .
Attackers are likely to try to exploit vulnerabilities in network management systems like Nagios, as they oversee critical network components and back-end servers and often contain many network secrets (for example, credentials, API tokens) so they can do their job, the Claroty researchers noted.
About Nagios Core and Nagios XI
Nagios Core is free and open source software that monitors systems, networks, and infrastructure.
Nagios XI is a proprietary user interface with Nagios Core as the back end and the addition of other advanced technologies and features for monitoring, alerts, charts and reporting.
The Nagios team boasts of its solutions used by thousands of organizations around the world, including Comcast, DHL, Shell and Toshiba.
Nagios XI vulnerabilities discovered
Numbered sequentially from CVE-2021-37343 through CVE-2021-37353, the vulnerabilities affect:
- Nagios XI before version 5.8.5
- Nagios XI change wizard before version 2.5.7
- Nagios XI Docker Wizard before version 1.13, and
- Nagios XI WatchGuard prior to version 1.4.8
CVE-2021-37343 allows, for example, an attacker to abuse a lack of controls to write a file in a web server directory and, thus, drop a webshell or execute PHP scripts, or write PHP code in a crontab and execute code in the Apache user context.
CVE-2021-37347, on the other hand, involves a vulnerable sudo script that allows users to elevate their privileges from Apache user (Nagios XI typically runs on an Apache web server) to root user.
The researchers created a proof of concept exploit to demonstrate how the two can be concatenated to achieve a reverse shell with root privileges.
The remaining vulnerabilities can be used to mount server-side query forgery (SSRF) attacks, perform URL spoofing, SQL injection, etc.
Patches are available
The good news is that the vulnerabilities have all been fixed: the Nagios team has released a security update for Nagios XI, Nagios XI Docker Wizard, Nagios XI WatchGuard Wizard, and Nagios XI Switch Wizard, and administrators are encouraged to update them. apply as soon as possible.
In addition to this, they urge them to limit access to the network management system to only privileged insiders and to closely monitor access and activity on it.