Attackers can chain a couple of serious flaws affecting Nagios Core to gain complete control of systems running vulnerable versions of the product, a researcher has warned.
Nagios Core is a free and open-source alerting and monitoring software for servers, networks and applications. Dawid Golunski of Legal Hackers discovered that the product has two vulnerabilities that can be used for remote code execution and privilege escalation.
The first vulnerability discovered by the expert, CVE-2016-9565, has been described as a remote code execution issue. Golunski noticed that the application’s web interface is affected by a flaw that can be exploited by a man-in-the-middle (MitM) attacker via the RSS feed feature.
According to the researcher, an attacker who can impersonate the RSS feed server – via DNS poisoning, domain hijacking or other techniques – can read and write arbitrary files on the vulnerable server and execute code in the context of a Nagios user.
Once this level of access has been obtained, an attacker can exploit a second weakness discovered by Golunski (CVE-2016-9566) to elevate privileges to root, which can result in the targeted system getting completely compromised.
This second vulnerability exists due to the way the Nagios Core daemon handles log files. An attacker who gains access to the system via CVE-2016-9566 can modify the log file and point it to a malicious file, which results in elevated privileges after a restart of Negios. The researcher pointed out that the attacker can force a restart by using the “SHUTDOWN_PROGRAM” command.
CVE-2016-9565 was initially patched in August with the release of Nagios Core 4.2.0, but the fix turned out to be incomplete. A proper patch was rolled out on October 24 with the release of version 4.2.2. CVE-2016-9566 was resolved earlier this month in Nagios Core 4.2.4. Proof-of-concept (PoC) exploits have been made available for both vulnerabilities.
This is not the first time Golunski has found vulnerabilities that can be chained for a high impact exploit. The expert recently disclosed several MySQL flaws that could have been leveraged to execute arbitrary code with elevated privileges.
Related Reading: Attackers Can Target Enterprises via GroupWise Collaboration Tool
Related Reading: Serious Vulnerabilities Found in McAfee Enterprise Product
Related Reading: Organizations Exposed to Attacks by Flaws in Kerio Firewalls
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April
- US to Adopt New Restrictions on Using Commercial Spyware
- Hackers Earn Over $1 Million at Pwn2Own Exploit Contest
- GoAnywhere Zero-Day Attack Hits Major Orgs
- Australia Dismantles BEC Group That Laundered $1.7 Million
- ‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns
- Webinar Tomorrow: Understanding Hidden Third-Party Identity Access Risks
- GitHub Rotates Publicly Exposed RSA SSH Private Key
