Thursday, December 5, 2024
13 Vulnerabilities in Nagios Server Let Hackers Compromises The IT Infrastructure

Nagios is popular open-source software used mainly to monitor computer systems and IT networks. Recently, security analysts at Skylight Cyber identified 13 critical vulnerabilities in Nagios XI and Nagios Fusion servers.

Exploiting these vulnerabilities could allow an attacker to compromise an organization's IT network without any interaction from an operator.

Nagios received the report describing the privilege-escalation flaws and the authenticated remote code execution (RCE) in October 2020, and fixed the flaws in November 2020.

Finding a vulnerability is rarely easy, but the Skylight Cyber researchers claim they identified these 13 vulnerabilities in just one day.

The analysts set out to find vulnerabilities that would let them compromise a very large Nagios deployment.

The prerequisite is a set of vulnerabilities and exploits that, chained together, compromise such a deployment. The chain is as follows:

  • Gain root-level code execution on the Nagios XI server at a compromised customer site, using an RCE and a privilege escalation.
  • Taint the data returned to Nagios Fusion so that it triggers an XSS.
  • Use the session in which the XSS fired to compromise the Nagios Fusion server, again with an RCE and a privilege escalation.
  • Gather the credentials needed to exploit the "fused" XI servers at the remaining customer sites.

PoC or Attack Platform

Once the vulnerabilities and exploits have been collected, everything needed for this large-scale Nagios attack is in place.

For the Nagios Fusion/XI deployment, the researchers wrote PoCs for each step and then built a full-fledged attack platform, named SoyGun, to chain them together.

SoyGun

SoyGun is a flexible PHP-based post-exploitation tool that gives an operator complete control over a Nagios Fusion deployment, given the credentials of a Nagios XI user and HTTP access to the Nagios XI server.

SoyGun consists of 4 key components:

  • Command & Control (C2)
  • Implant
  • Payload
  • DeadDrop

Command & Control (C2)

This is the entry point of SoyGun: it provides the CLI and acts as the command-and-control source for the exploited servers.

It keeps track of all the exploited Nagios Fusion and XI servers so that the operator can easily reach every compromised deployment.

SoyGun Implant

The SoyGun Implant is another key component; it runs as root on every exploited Nagios Fusion/XI server. It holds the complete exploitation data and also contains the DeadDrop code.

Because connectivity between Fusion and XI servers is limited, SoyGun was built so that only the essential network connections are allowed.

Full vulnerabilities list

  • CVE-2020-28903 – XSS in Nagios XI when the attacker has control over the fused server.
  • CVE-2020-28905 – Nagios Fusion authenticated remote code execution (from the context of a low-privileges user).
  • CVE-2020-28902 – Nagios Fusion privilege escalation from apache to nagios via command injection on the timezone parameter in cmd_subsys.php.
  • CVE-2020-28901 – Nagios Fusion privilege escalation from apache to nagios via command injection on the component_dir parameter in cmd_subsys.php.
  • CVE-2020-28904 – Nagios Fusion privilege escalation from apache to nagios via the installation of a malicious component.
  • CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh.
  • CVE-2020-28907 – Nagios Fusion privilege escalation from apache to root via upgrade_to_latest.sh and modification of the proxy config.
  • CVE-2020-28906 – Nagios Fusion and XI privilege escalation from nagios to root via modification of fusion-sys.cfg / xi-sys.cfg.
  • CVE-2020-28909 – Nagios Fusion privilege escalation from nagios to root via modification of scripts that can execute as sudo.
  • CVE-2020-28908 – Nagios Fusion privilege escalation from apache to nagios via command injection (caused by poor sanitization) in cmd_subsys.php.
  • CVE-2020-28911 – Nagios Fusion information disclosure – a low-privileges user can discover passwords used to authenticate to fused servers.
  • CVE-2020-28648 – Nagios XI authenticated remote code execution (from the context of a low-privileges user).
  • CVE-2020-28910 – Nagios XI getprofile.sh privilege escalation.
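Several entries in the list above share one precondition: a file that root later reads or executes (a sys.cfg file, upgrade_to_latest.sh, a script run via sudo) is writable by the apache or nagios account. The following defender-side audit, added here as an example and not part of the original article or of Skylight Cyber's tooling, flags files with that property. The install paths under /PATH/TO are placeholders (an assumption) and must be adjusted to the host.

```python
import grp
import os
import pwd
import stat

# Accounts the advisory's chain escalates from (apache -> nagios -> root).
LOW_PRIV_USERS = ("apache", "www-data", "nagios")

# Files named in the advisory list; the install paths are placeholders (assumption).
CANDIDATE_FILES = [
    "/PATH/TO/nagiosxi/xi-sys.cfg",
    "/PATH/TO/nagiosxi/upgrade_to_latest.sh",
    "/PATH/TO/nagiosxi/getprofile.sh",
    "/PATH/TO/nagiosfusion/fusion-sys.cfg",
    "/PATH/TO/nagiosfusion/cmd_subsys.php",
]

def classify(mode, owner, group, group_members, low_priv_users=LOW_PRIV_USERS):
    """Return findings for a file that root (directly or via sudo) later reads or runs.
    mode: st_mode bits; owner/group: names; group_members: users listed in the group.
    A low-privilege account that can write such a file can steer what root executes."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if owner in low_priv_users:
        findings.append(f"owned by low-privilege user {owner}")
    if mode & stat.S_IWGRP:
        writers = set(group_members) & set(low_priv_users)
        if group in low_priv_users:  # primary group of that account
            writers.add(group)
        if writers:
            findings.append("group-writable by " + ", ".join(sorted(writers)))
    return findings

def audit_path(path, low_priv_users=LOW_PRIV_USERS):
    """Stat a real file and classify it; a missing file is reported, not skipped."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["not present (adjust placeholder path)"]
    owner = pwd.getpwuid(st.st_uid).pw_name
    gr = grp.getgrgid(st.st_gid)
    return classify(st.st_mode, owner, gr.gr_name, gr.gr_mem, low_priv_users)

if __name__ == "__main__":
    for p in CANDIDATE_FILES:
        print(p, "->", "; ".join(audit_path(p)) or "ok")
```

Any finding other than "ok" on a file that root or a sudo rule consumes is the condition the listed escalations rely on and should be corrected by tightening ownership and mode.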

These vulnerabilities could badly impact every user of a targeted organization, since attackers could exploit them in supply-chain attacks.

Cybersecurity analysts have therefore affirmed that sophisticated attackers can discover and exploit these vulnerabilities in the Nagios architecture and disrupt the IT network and internal systems of any targeted organization.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
