Nagios IT monitoring vulnerabilities chained to compromise telco customers en masse


Medium-impact flaws combined to create ‘upstream attack platform’

Security researchers have detailed how a series of moderate severity vulnerabilities in IT monitoring technology Nagios could be chained together to attack organizations on a grand scale.

Researchers at Australian security consultancy Skylight discovered a total of 13 security flaws in Nagios, a widely used open source IT monitoring tool comparable to SolarWinds.

The flaws in Nagios XI and Nagios Fusion servers were reported to the vendor, who addressed the vulnerabilities last October.

Check your monitor

The Nagios vulnerabilities discovered by Skylight involve a cross-site scripting (XSS) flaw, a series of privilege escalation flaws, an information disclosure bug, and an authenticated remote code execution issue.

Skylight acknowledges the requirement for an attacker to be authenticated in a technical write-up that describes the flaws as a “few lame(ish) vulnerabilities in Nagios”.

However, dismissing the flaws as inconsequential would be a mistake, because the researchers were able to chain together a selection of these vulnerabilities to attack the monitoring infrastructure of a telco or other service provider (provided they first break into the Nagios-related systems of one of its customers).

Chain gang

SolarWinds’ update mechanism was compromised to carry out a high-profile hack against US government agencies and others last year, so flaws in any similar technology, such as Nagios, merit increased scrutiny.

Skylight’s Adi Ashkenazy told The Daily Swig: “When chaining together five of the vulnerabilities, an attacker can [compromise] the entire monitoring infrastructure without any operator intervention.”

“In a telco setting, where a telco is monitoring thousands of sites, if a customer’s site is fully compromised, an attacker can use the vulnerabilities to compromise the telco, and then every other monitored customer site,” Ashkenazy added.

Skylight has developed a post-exploitation tool called SoyGun that chains the vulnerabilities and automates the process of breaking into vulnerable Nagios systems.

The tool was released to the penetration testing community as an open source project.

The Daily Swig has yet to receive a response from Nagios to a request for comment, or from Skylight to follow-up questions on these now-patched bugs. We’ll update this story as and when more information comes to hand.
