Security Experts:

Flaws in Nagios Network Management Product Can Pose Risk to Many Companies

Researchers have discovered nearly a dozen vulnerabilities in widely used network management products from Nagios. The flaws could pose a serious risk to organizations as these types of products can be a tempting target for malicious actors.

The vulnerabilities were discovered by researchers at industrial cybersecurity firm Claroty as part of a research project focusing on the use of network management systems in IT, OT and IoT networks.

The security holes have been found to impact Nagios XI, XI Switch Wizard, XI Docker Wizard, and XI WatchGuard. The vendor released patches for each of the impacted products in August.

Nagios Core is an open source tool designed for monitoring IT infrastructure, and Nagios XI is a commercial version that expands the Core version’s capabilities. The vendor says its software is used by thousands of organizations worldwide, including some major brands such as Verizon and IBM.

An analysis of the product conducted by Claroty led to the discovery of 11 vulnerabilities that can be exploited for server-side request forgery (SSRF), spoofing, accessing information, local privilege escalation, and remote code execution.

Claroty has created a proof-of-concept (PoC) exploit showing how an authenticated attacker could chain some of the vulnerabilities to execute shell commands with root privileges.

While exploitation in many cases requires authentication, the cybersecurity firm noted that Nagios has an auto-login feature that can be used by administrators to set up read-only accounts that any user can connect to without credentials.

“While this feature might be useful for NOC [network operations center] purposes, allowing users to easily connect to the platform and view information without the need for credentials also allows attackers to gain access to a user account in the platform, thus rendering any post-auth vulnerability exploitable without authentication,” Claroty warned.

The company pointed to the incidents impacting SolarWinds and Kaseya to highlight the risks posed by the use of third-party IT management products.

Related: Vulnerability Found in Industrial Remote Access Product From Claroty

Related: Industrial Firms Warned of Risk Posed by Cloud-Based ICS Management Systems

Related: Several Vulnerabilities Patched in 'MDT AutoSave' Industrial Automation Product

Related: Vulnerability Allows Remote DoS Attacks Against Apps Using Linphone SIP Stack

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.