There have been 11 security flaws discovered in Nagios network management systems, some of which may be chained together to allow for pre-authenticated RCE with the highest privileges, password theft, and phishing attacks.
According to Claroty, an industrial cybersecurity firm, vulnerabilities in tools like Nagios make them an appealing target because of their “oversight of critical servers, devices, and other vital components in the business network.”
The problems were resolved in August updates for Nagios XI 5.8.5 and above, Nagios XI Docker Wizard 1.13 or above, Nagios XI Switch Wizard 2.5.7 or above, and Nagios XI WatchGuard 1.4.8 or above.
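As an added example (not code from Claroty or the Nagios project), the following script compares inventoried Nagios XI component versions against the fixed releases listed above; it compares version parts numerically so that, for instance, 5.8.10 is correctly treated as newer than 5.8.5, which a plain string comparison would get wrong. The inventory values are constructed sample data.

```python
# Added example: checks installed Nagios XI component versions against the
# fixed versions named in the article. Not part of Nagios or Claroty's code.
from typing import Dict, Tuple

# Minimum patched versions as stated in the article.
FIXED_VERSIONS: Dict[str, str] = {
    "Nagios XI": "5.8.5",
    "Nagios XI Docker Wizard": "1.13",
    "Nagios XI Switch Wizard": "2.5.7",
    "Nagios XI WatchGuard": "1.4.8",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.8.5' into (5, 8, 5); a non-numeric suffix such as '-rc1' is dropped."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_patched(component: str, installed: str) -> bool:
    """True if the installed version is at or above the fixed version for component."""
    fixed = parse_version(FIXED_VERSIONS[component])
    have = parse_version(installed)
    # Pad with zeros so "1.13" and "1.13.0" compare as equal.
    width = max(len(fixed), len(have))
    return have + (0,) * (width - len(have)) >= fixed + (0,) * (width - len(fixed))


def audit(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each inventoried component to whether it is at a fixed release."""
    return {name: is_patched(name, ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real host data.
    sample = {"Nagios XI": "5.8.10", "Nagios XI Switch Wizard": "2.5.6"}
    for name, ok in audit(sample).items():
        print(f"{name}: {'patched' if ok else 'VULNERABLE'}")
```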
A post published by Claroty on Tuesday summarizes how cyber-attacks on IT and network management supply chains have been used to compromise thousands more victims farther down the line.
Nagios Core is a major open-source network health utility for monitoring IT infrastructure, similar to SolarWinds Network Performance Monitor (NPM). Nagios XI is a proprietary web-based platform built on top of Nagios Core that gives businesses a deeper look into their IT operations. It provides scalable monitoring and a configurable high-level overview of network devices, hosts, and services.
The significant vulnerabilities are:
- Two RCE flaws (CVE-2021-37344, CVE-2021-37346) in Nagios XI Switch Wizard and Nagios XI WatchGuard Wizard
- An SQL injection vulnerability (CVE-2021-37350) in Nagios XI
- A server-side request forgery (SSRF) that affects Nagios XI Docker Wizard
- A post-authenticated RCE in Nagios XI’s Auto-Discovery tool
Here is the complete list of 11 vulnerabilities:
- CVE-2021-37343 (CVSS score: 8.8)
- CVE-2021-37344 (CVSS score: 9.8)
- CVE-2021-37345 (CVSS score: 7.8)
- CVE-2021-37346 (CVSS score: 9.8)
- CVE-2021-37347 (CVSS score: 7.8)
- CVE-2021-37348 (CVSS score: 7.5)
- CVE-2021-37349 (CVSS score: 7.8)
- CVE-2021-37350 (CVSS score: 9.8)
- CVE-2021-37351 (CVSS score: 5.3)
- CVE-2021-37352 (CVSS score: 6.1)
- CVE-2021-37353 (CVSS score: 9.8)
In short, attackers may leverage these vulnerabilities to drop a web shell or execute PHP scripts while elevating their privileges to root, allowing them to run arbitrary commands in the root user’s context.
Claroty used CVE-2021-37343 and CVE-2021-37347 together as a proof-of-concept to acquire a write-what-where primitive, allowing an attacker to write text to any file on the system.
Such management systems may also be able to reach out beyond the local network, through the firewall, to interact with remote servers and connections. As a result, these centralized systems can be a tempting target for attackers who want to access, modify, and disrupt other systems.