New Nagios Software Vulnerabilities Could Allow Hackers Control IT Infrastructures

There have been 11 security flaws discovered in Nagios network management systems, some of which may be chained together to allow for pre-authenticated RCE with the highest privileges, password theft, and phishing attacks.

According to Claroty, an industrial cybersecurity firm, the vulnerabilities in tools like Nagios make them an appealing target because of their “oversight of critical servers, devices, and other vital components in the business network.”

The problems were resolved in August updates for Nagios XI 5.8.5 and above, Nagios XI Docker Wizard 1.13 or above, Nagios XI Switch Wizard 2.5.7 or above, and Nagios XI WatchGuard 1.4.8 or above.
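A defender's first question after an advisory like this is which installed components are still below the patched release. The following is an added example, not code from the article or from Nagios: it takes the minimum fixed versions stated above and compares an inventory of installed version strings against them component by component, so that a release such as 5.8.10 is correctly treated as newer than 5.8.5 (a plain string comparison would get that wrong). The inventory dictionary is constructed sample input; the product names are the ones the article lists.

```python
import re

# Minimum fixed versions as stated in the article (August 2021 updates).
FIXED_VERSIONS = {
    "Nagios XI": "5.8.5",
    "Nagios XI Docker Wizard": "1.13",
    "Nagios XI Switch Wizard": "2.5.7",
    "Nagios XI WatchGuard": "1.4.8",
}

# Constructed sample inventory (hypothetical installed versions, not real hosts).
SAMPLE_INVENTORY = {
    "Nagios XI": "5.8.6",
    "Nagios XI Docker Wizard": "1.12",
    "Nagios XI Switch Wizard": "2.5.7",
    "Nagios XI WatchGuard": "1.4.7",
}


def parse_version(text):
    """Turn a version string such as '5.8.5', 'v1.13' or '2.5.7-dev' into a
    tuple of integers so that it compares numerically, not lexically."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no numeric version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_patched(component, installed):
    """True if the installed version is at or above the fixed version.
    Python compares tuples element-wise, and a shorter tuple that is a
    prefix of a longer one sorts first, so (5, 8) < (5, 8, 5) as intended."""
    if component not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for {component!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[component])


def unpatched(inventory):
    """Return the sorted names of components still below their fixed version."""
    return sorted(name for name, ver in inventory.items() if not is_patched(name, ver))


if __name__ == "__main__":
    for name in unpatched(SAMPLE_INVENTORY):
        print(f"{name}: installed {SAMPLE_INVENTORY[name]}, "
              f"fixed in {FIXED_VERSIONS[name]} or above")
```

Run on the sample inventory, it reports the Docker Wizard and WatchGuard components as still below their fixed releases while Nagios XI itself and the Switch Wizard pass.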

A post published by Claroty on Tuesday summarizes how cyber-attacks on IT and network management supply chains have been used to compromise thousands more victims further down the line.

Nagios Core is a major open-source network health utility for monitoring IT infrastructure, similar to SolarWinds Network Performance Monitor (NPM). Nagios XI is a proprietary web-based platform built on top of Nagios Core that gives businesses a deeper look into their IT operations. It provides scalable monitoring and a configurable high-level overview of network devices, hosts, and services.

The significant vulnerabilities are:

  • Two RCE flaws (CVE-2021-37344, CVE-2021-37346) in Nagios XI Switch Wizard and Nagios XI WatchGuard Wizard
  • An SQL injection vulnerability (CVE-2021-37350) in Nagios XI
  • A server-side request forgery (SSRF) that affects Nagios XI Docker Wizard
  • A post-authenticated RCE in Nagios XI’s Auto-Discovery tool

Here is the complete list of 11 vulnerabilities:

  1. CVE-2021-37343 (CVSS score: 8.8)
  2. CVE-2021-37344 (CVSS score: 9.8)
  3. CVE-2021-37345 (CVSS score: 7.8)
  4. CVE-2021-37346 (CVSS score: 9.8)
  5. CVE-2021-37347 (CVSS score: 7.8)
  6. CVE-2021-37348 (CVSS score: 7.5)
  7. CVE-2021-37349 (CVSS score: 7.8)
  8. CVE-2021-37350 (CVSS score: 9.8)
  9. CVE-2021-37351 (CVSS score: 5.3)
  10. CVE-2021-37352 (CVSS score: 6.1)
  11. CVE-2021-37353 (CVSS score: 9.8)

In short, attackers may leverage these vulnerabilities to drop a web shell or execute PHP scripts while elevating their privileges to root, allowing them to run arbitrary commands in the root user’s context.

Claroty used CVE-2021-37343 and CVE-2021-37347 together as a proof-of-concept to acquire a write-what-where primitive, allowing an attacker to write text to any file on the system.

Such monitoring systems may also be permitted to reach beyond the local network through the firewall to communicate with remote servers and connections. As a result, these centralized systems can be a tempting target for attackers who want to access, modify, and disrupt other systems.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.