Researchers on Tuesday reported that their research into the open source monitoring software Nagios uncovered a number of vulnerabilities that could let attackers achieve remote code execution on Nagios management servers, creating the potential for lateral movement.
In a blog post, GRIMM researchers advised security teams that use Nagios to restrict the use of external commands by monitored endpoints to just the commands required for the desired functionality. The researchers said that, beyond these proactive measures, network admins should familiarize themselves with the potential avenues of attack against their network as well as the signs and characteristics of such attacks.
The vulnerabilities were discovered in Nagios XI and Core as part of GRIMM’s private vulnerability disclosure program, said Ian Bridges, director of vulnerability research at GRIMM. Bridges confirmed that the only organizations susceptible to these vulnerabilities are those that use the affected software.
“This particular software is used for infrastructure monitoring,” Bridges said. “Thus, I suspect that most Nagios instances are deployed in environments in which organizations maintain their own infrastructure. That being said, Nagios does support monitoring cloud compute instances as well, so there are likely at least some cloud environments that may be susceptible to these vulnerabilities.”
GRIMM’s lengthy article describes numerous vulnerabilities and attack vectors against Nagios XI and Core which together outline a multi-step attack chain that can fully compromise a Nagios server, allowing a threat actor to easily pivot to other internal systems, explained John Hammond, a senior security researcher at Huntress. Hammond said these vulnerabilities sprawl across the board: plentiful cross-site scripting, server-side request forgery, command injection, privilege escalation and just plain weak access controls.
“The user-friendly web interface presented by Nagios software may often be accessible considering the industry is moving more and more to cloud operations and remote endpoint management,” Hammond said. “This slew of vulnerabilities makes for a tremendously large attack surface wherever Nagios is in place.”
Bud Broomhead, chief executive officer at Viakoo, added that GRIMM’s Nagios research serves as another example of how cyber criminals are focused on exploiting vulnerabilities to control endpoints and IoT devices — the fastest growing attack surface today.
“Limiting the damage by restricting network access is a Band-Aid, at best,” Broomhead said. “Manually defining what network traffic is permissible takes ongoing human resources, and will still not guarantee that the vulnerability will not be exploited. Remediating IoT device vulnerabilities should be the focus, rather than working around them.”
Oliver Tavakoli, chief technology officer at Vectra, said while research on any complex piece of software will likely turn up vulnerabilities and matching exploits, the lesson here is that any privileged management system, be it SolarWinds, Kaseya or Nagios, has become a valuable target for attackers.
“These servers need to be constrained by policy where possible and watched for anomalous behavior where that’s not practical,” Tavakoli said.
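The two pieces of advice above, GRIMM’s recommendation to limit external commands to the ones a deployment actually needs and Tavakoli’s point about watching management servers for anomalous behavior, can be combined into a simple log check. The following Python script is an added example written for this article; it is not code from GRIMM, Nagios or any of the people quoted. It assumes Nagios Core is logging processed external commands to nagios.log in the shape "[epoch] EXTERNAL COMMAND: NAME;args" (the format produced when log_external_commands is enabled), and it treats the allowlist of two passive-check commands as an illustrative assumption to be tuned per deployment. The log lines are constructed for the example, not captured from a real server.

```python
import re
from collections import Counter

# Nagios Core writes one line per processed external command to nagios.log
# when log_external_commands=1. This regex assumes the shape
# "[epoch] EXTERNAL COMMAND: NAME;arg1;arg2..." (an assumption about the
# log format, not something stated in the article).
EXTERNAL_CMD_RE = re.compile(r"^\[(\d+)\] EXTERNAL COMMAND: ([A-Z_]+)(?:;(.*))?$")

# Commands a passive-check workflow needs from monitored endpoints.
# This allowlist is an illustrative assumption; restrict it to the
# functionality your own deployment actually requires.
ALLOWED_COMMANDS = frozenset({
    "PROCESS_SERVICE_CHECK_RESULT",
    "PROCESS_HOST_CHECK_RESULT",
})


def parse_external_commands(lines):
    """Yield (epoch, command_name, args) for each EXTERNAL COMMAND log line."""
    for line in lines:
        m = EXTERNAL_CMD_RE.match(line.strip())
        if m:
            epoch, name, args = m.groups()
            yield int(epoch), name, (args or "")


def find_anomalous_commands(lines, allowed=ALLOWED_COMMANDS):
    """Return (epoch, command_name, args) for commands outside the allowlist."""
    return [
        (epoch, name, args)
        for epoch, name, args in parse_external_commands(lines)
        if name not in allowed
    ]


def summarize(lines):
    """Count how many times each external command name was processed."""
    return Counter(name for _, name, _ in parse_external_commands(lines))


# Constructed sample log lines (not captured from a real Nagios server).
# The third and fifth lines change monitoring configuration rather than
# submit a check result, which is what an allowlist policy should surface.
SAMPLE_LOG = """\
[1625000000] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;web01;HTTP;0;OK - 200 in 0.12s
[1625000005] EXTERNAL COMMAND: PROCESS_HOST_CHECK_RESULT;web01;0;UP
[1625000010] EXTERNAL COMMAND: CHANGE_SVC_CHECK_COMMAND;web01;HTTP;check_dummy!0
[1625000012] SERVICE ALERT: web01;HTTP;OK;HARD;1;OK - 200 in 0.12s
[1625000020] EXTERNAL COMMAND: ENABLE_NOTIFICATIONS
""".splitlines()


if __name__ == "__main__":
    for epoch, name, args in find_anomalous_commands(SAMPLE_LOG):
        print(f"ANOMALY epoch={epoch} command={name} args={args!r}")
    print("command counts:", dict(summarize(SAMPLE_LOG)))
```

Run against a real nagios.log, the script flags any external command that a monitored endpoint should never need to submit; the same allowlist can be enforced up front by restricting what endpoints are permitted to send, with the log check serving as the detection layer for anything that slips through.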