Lead Machine Pink 160x1200

Lead Machine green 160x1200

Lead Machine Pink 160x1200

Lead Machine green 160x1200

Thursday, 23 September 2021 12:19

Claroty discloses 11 vulnerabilities in Nagios

By Claroty

GUEST RESEARCH: The SolarWinds and Kaseya attacks were devastating intrusions at the heart of IT and network management supply chains. In each case, alleged state actors were able to infiltrate the mechanisms used by the vendors to ship software updates to customers, and infect those updates with malware, including ransomware, according to industrial security company Claroty.

Tens of thousands of customers installed compromised updates, and the trust both vendors built with customers was damaged.

SolarWinds and Kaseya were likely targeted not only because of their large and influential customer bases, but also because of their respective technologies’ access to enterprise networks, whether it was managing IT, operational technology (OT), or internet of things (IoT) devices.

Given that these systems are used to monitor servers, they often contain many network secrets such as credentials or API tokens that would be attractive to attackers.

Claroty’s Team82 researchers addressed the ongoing threat to network management systems and mapped popular monitoring software in various IT, IoT, and OT networks, Nagios, or Nagios Core to be more specific.

Claroty says Nagios Core is an open-source tool for monitoring IT infrastructure for performance issues, event scheduling and processing, alerting, and more functionality related to network health.

Nagios XI is a proprietary web-based platform using Nagios Core. XI expands Core’s capabilities by adding additional features to enhance IT operations. Network operations centre staff and system administrators use the platform to view the current state of managed servers and workstations.

Nagios says that thousands of organisations worldwide use its software to monitor networks: Comcast, Shell, DHL, L’Oreal, Texas Instruments, Toshiba, and dozens of other companies are listed on its website as users.

However, Team82’s research discovered 11 exploitable vulnerabilities in Nagios XI that can lead to remote code execution with the same privileges as an Apache user (Nagios XI commonly runs on an Apache web server), credential theft, phishing attacks, local privilege escalation to user permissions, and local privilege escalation to root. By chaining some of these vulnerabilities, an attacker can achieve post-authentication remote code execution with high privileges (root).

CVE-2021-37353: Nagios XI Docker Wizard before version 1.1.3 is vulnerable to server-side request forgery (SSRF) due to improper sanitisation in table population.php

CVE-2021-37352: An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL, and convince the user to click the link.

CVE-2021-37351: Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.

CVE-2021-37350: Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in the Bulk Modifications Tool due to improper input sanitisation.

CVE-2021-37349: Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database.

CVE-2021-37348: Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.

CVE-2021-37347: Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.

CVE-2021-37346: Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralisation of special elements used in an OS command (OS Command injection).

CVE-2021-37345: Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the /var directory for some scripts with elevated permissions.

CVE-2021-37344: Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralization of special elements used in an OS command (OS Command injection).

CVE-2021-37343: A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post-authenticated RCE under the security context of the user running Nagios.

In August, Nagios addressed the vulnerabilities privately disclosed by Team82 through updates to Nagios XI, Nagios XI Docker Wizard, Nagios XI WatchGuard Wizard, and Nagios XI Switch Wizard. Users are urged to immediately update all affected systems, and follow some basic rules about keeping network management systems secure.

Trust: These systems require extensive trust and access to network components in order to properly monitor network behaviours and performance. They may also extend outside your network through the firewall to attend to remote servers and connections. Therefore, these centralised systems can be a tasty target for attackers who can leverage this type of network hub, and attempt to compromise it in order to access, manipulate, and disrupt other systems.

Monitor: Access to the network management system should be closely monitored and limited to privileged insiders. All connections and activity should be monitored and alerted upon.

This report is the first in a series of research into the security of network management systems where Team82 examines what it means for OT, IT, and IoT domains.

Subscribe to ITWIRE UPDATE Newsletter here


It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinatrs and campaigns and assassistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News