Posted on Leave a comment

New Remote Code Execution Vulnerability In Nagios Can Compromise Complete Network.

Security researchers from Claroty(Cyber security firm) had discovered new list of 11 vulnerabilities such as Remote code execution, SSRF, Local privilege escalation and other information disclosure vulnerabilities.

“The SolarWinds and Kaseya attacks were well-documented and devastating intrusions at the heart of IT and network management supply chains. In each case, alleged state actors were able to infiltrate the mechanisms used by the vendors to ship software updates to customers, and infect those updates with malware, including ransomware. In both cases, tens of thousands of customers installed compromised updates, and the trust both vendors built with customers was damaged”.

Nagios is an open source tool for monitoring IT infrastructure’s performance issues, event scheduling, processing, alerts, etc. Team82’s research from Claroty had identified 11 exploitable vulnerabilities, However the vendor has released patches for these vulnerabilities.

Vulnerabilities

  • CVE-2021-37353: Nagios XI Docker Wizard before version 1.1.3 is vulnerable to server-side request forgery (SSRF) due to improper sanitization in table_population.php
  • CVE-2021-37352: An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL, and convince the user to click the link.
  • CVE-2021-37351: Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.
  • CVE-2021-37350: Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in the Bulk Modifications Tool due to improper input sanitization.
  • CVE-2021-37349: Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitize input read from the database.
  • CVE-2021-37348: Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.
  • CVE-2021-37347: Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.
  • CVE-2021-37346: Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralization of special elements used in an OS command (OS Command injection).
  • CVE-2021-37345: Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the /var directory for some scripts with elevated permissions.
  • CVE-2021-37344: Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralization of special elements used in an OS command (OS Command injection).
  • CVE-2021-37343: A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post-authenticated RCE under the security context of the user running Nagios.

Below POC shows the vulnerability chain allowing remote code execution as root.

Claroty has released the recommendations for this vulnerabilities which are listed below:

  • TRUST: These systems require extensive trust and access to network components in order to properly monitor network behaviors and performance for failures and poor efficiency. They may also extend outside your network through the firewall to attend to remote servers and connections. Therefore, these centralized systems can be a tasty target for attackers who can leverage this type of network hub, and attempt to compromise it in order to access, manipulate, and disrupt other systems.
  • MONITOR: Access to the network management system should be closely monitored and limited to privileged insiders. All connections and activity should be monitored and alerted upon.

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin.

Leave a Reply