Medium-impact flaws combined to create ‘upstream attack platform’
UPDATED Security researchers have detailed how a series of moderate severity vulnerabilities in IT monitoring technology Nagios could be chained together to attack organizations on a grand scale.
Researchers at Australian security consultancy Skylight discovered a total of 13 security flaws in Nagios, a widely used open source IT monitoring tool comparable to SolarWinds.
The flaws in Nagios XI and Nagios Fusion servers were reported to the vendor, who addressed all 13 vulnerabilities last October.
Check your monitor
The Nagios vulnerabilities discovered by Skylight involve a cross-site scripting (XSS) flaw, a series of privilege escalation flaws, an information disclosure bug, and an authenticated remote code execution issue.
Skylight acknowledges the requirement for an attacker to be authenticated in a technical write-up that describes the flaws as a “few lame(ish) vulnerabilities in Nagios”.
However, dismissing the flaws as inconsequential would be a mistake, because the researchers were able to chain together a selection of these vulnerabilities to attack the monitoring infrastructure of a telco or other service provider (provided they are able to first break into the Nagios-related systems of one of its users).
SolarWinds’ update mechanism was compromised to carry out a high-profile hack against US government agencies and others last year, so flaws in any similar technology, such as Nagios, merit increased scrutiny.
Skylight’s Adi Ashkenazy told The Daily Swig: “When chaining together five of the vulnerabilities, an attacker can [compromise] the entire monitoring infrastructure without any operator intervention.”
“In a telco setting, where a telco is monitoring thousands of sites, if a customer’s site is fully compromised, an attacker can use the vulnerabilities to compromise the telco, and then every other monitored customer site,” Ashkenazy added.
Skylight has developed a post-exploitation tool called SoyGun that chains the vulnerabilities and automates the process of breaking into vulnerable Nagios systems.
The tool was released to the penetration testing community as an open source project.
The Daily Swig is yet to receive a response to a request for comment from Nagios.
Skylight’s Ashkenazy told The Daily Swig that its research into Nagios offered wider lessons for other software developers.
"This is a good example of the fallacy of 'low risk' security issues," Ashkenazy said. "If you have a collection of low to medium risk vulnerabilities, those may be chained together to create a critical impact. If you only looked at the security/patch notes from Nagios, you would have no idea that something like this is possible combining several of the vulnerabilities."

The research further illustrated that "vetting and testing of third parties from a security perspective is completely broken", according to Ashkenazy.
Ashkenazy explained: "Nagios would pass any procurement and vendor test, and still the amount of effort required to identify and exploit these vulnerabilities was very low. It would be a complete no-brainer for sophisticated nation-state attackers who are targeting these types of software components."
"We need to rethink how we test and the controls we put around 3rd party tools in our IT environments," Ashkenazy concluded.
This story was updated to add comment from Skylight’s Adi Ashkenazy.