
Details Disclosed On Critical Flaws Affecting Nagios IT Monitoring Software.


Cybersecurity researchers discovered 13 vulnerabilities in the Nagios monitoring system that could be exploited by adversaries to gain control of the infrastructure without significant operator intervention.

Cybersecurity researchers revealed 13 vulnerabilities found in the Nagios network monitoring application that could be exploited by an adversary to take control of the infrastructure. “In a telco setting, where a telco is monitoring thousands of sites, if a customer site is fully compromised, an attacker can use the vulnerabilities to compromise the telco, and then every other monitored customer site,” Adi Ashkenazy, CEO of Australian cybersecurity firm Skylight Cyber, told The Hacker News via email.

An open-source IT infrastructure tool similar to SolarWinds Network Performance Monitor (NPM), Nagios offers monitoring and alerting services for servers, network cards, applications, and services. The issues include both remote code execution (RCE) and privilege escalation flaws; they were discovered and reported to Nagios in October 2020 and addressed by November.

Researchers say:

Researchers used an improper input validation flaw in Nagios XI’s Auto-Discovery component (CVE-2020-28648) as a jumping-off point to trigger an exploit chain that enables a cumulative attack against five clients. “Namely, if we, as attackers, compromise a customer site that is being monitored using a Nagios XI server, we can compromise the telecommunications company’s management server and every other customer that is being monitored,” the researchers said in a write-up published last week.

The attacker uses CVE-2020-28648 and CVE-2020-28910 against the Nagios XI server at the customer site to gain remote code execution and elevated privileges. Once that server has been compromised, the adversary can send tampered data to the upstream Nagios Fusion server, which provides infrastructure-wide visibility by periodically polling the Nagios XI servers. “By tainting data returned from the XI server under our control we can trigger Cross-Site Scripting [CVE-2020-28903] and execute JavaScript code in the context of a Fusion user,” Skylight Cyber researcher Samir Ghanem said.

The next phase of the attack leverages this ability to run custom JavaScript code on the Fusion server to obtain RCE (CVE-2020-28905) and elevated rights on the Fusion server, thus allowing the attacker to reach other Fusion servers located in other customer sites.

SoyGun exploit tool:

The researchers also released a PHP-based exploit tool called SoyGun that takes advantage of the vulnerabilities and will allow an attacker with Nagios XI credentials or HTTP access to the Nagios Fusion server to take full control of the deployment.

With SolarWinds falling victim to a major supply chain attack last year, a malicious actor could use network monitoring tools like Nagios to stage intrusions into corporate networks, later explore the IT network, and become the entry point for more sophisticated threats. “The amount of effort that was required to find these vulnerabilities and exploit them is negligible in the context of sophisticated attackers, and specifically nation-states,” Ghanem said. “If we could do it as a quick side project, imagine how simple this is for people who dedicate their whole time to develop these types of exploits.

Compound that with the number of libraries, tools and vendors that are present and can be leveraged in a modern network, and we have a major issue on our hands.”
