The issues are fixed in updates released in August.
New security vulnerabilities were disclosed in Nagios network management systems, some of which could be linked to achieve pre-authenticated remote code execution with the highest privileges, as well as lead to credential theft and phishing attacks.
As many as 11 flaws were discovered by the industrial cybersecurity firm Claroty. They stated that the flaws in tools such as Nagios make them an attractive target due to their oversight of core servers, devices, and other critical components in the enterprise network.
The issues are fixed in updates released in August with Nagios XI 5.8.5 or above, Nagios XI Switch Wizard 2.5.7 or above, Nagios XI Docker Wizard 1.13 or above, and Nagios XI WatchGuard 1.4.8 or above.
Claroty’s Noam Moshe stated that SolarWinds and Kaseya were likely targeted not only because of their large and influential customer bases, but also because of their respective technologies’ access to enterprise networks, whether it was managing IT, operational technology (OT), or internet of things (IoT) devices.
Nagios Core is a popular open-source network health tool analogous to SolarWinds Network Performance Monitor (NPM) which is used for keeping tabs on IT infrastructure for performance issues and sending alerts following the failure of mission-critical components.
Nagios XI, a proprietary web-based platform built atop Nagios Core, provides organizations with extended insight into their IT operations with scalable monitoring and a customizable high-level overview of hosts, services, and network devices.
Among the vulnerabilities there are two remote code execution flaws (CVE-2021-37344, CVE-2021-37346) in Nagios XI Switch Wizard and Nagios XI WatchGuard Wizard, an SQL injection vulnerability (CVE-2021-37350) in Nagios XI, a server-side request forgery (SSRF) affecting Nagios XI Docker Wizard, and also a post-authenticated RCE in Nagios XI’s Auto-Discovery tool.
The flaws could be combined by attackers to drop a web shell or execute PHP scripts and elevate their privileges to root, thus achieving arbitrary command execution in the context of the root user.
As a proof-of-concept, the CVE-2021-37343 and CVE-2021-37347 were chained to gain a write-what-where primitive, allowing an attacker to write content to any file in the system.
Network management systems require extensive trust and access to network components in order to properly monitor network behaviors and performance for failures and poor efficiency. These centralized systems can be a tasty target for attackers who can leverage this type of network hub, and attempt to compromise it in order to access, manipulate, and disrupt other systems.