Home / About / Threat Intelligence / Remote Command Execution (RCE) Vulnerability in Nagios

Overview

Vulnerabilities have been reported and patched in Nagios XI, the proprietary version of the Nagios network monitoring tool.

Four of these (CVE-2021-37344, CVE-2021-37346, CVE-2021-37350, CVE-2021-37353) can lead to Remote Code Execution (RCE) with a CVSS score of 9.8/10.

Impact

By combining these exploits together, an authenticated attacker could be able to execute code with root privileges. A local user can use the service to escalate to root privileges on the server.

Impact

By combining these exploits together, an authenticated attacker could be able to execute code with root privileges, retrieve network credentials and run code on monitored endpoints.

Vulnerability Detection

Check the version of Nagios in use.

Qualys has detection for CVE-2021-38156 which was patched in 5.8.6
Nessus does not have a detection plugin at this time.

Affected Products

  • Nagios XI < 5.8.5

Containment, Mitigations & Remediations

Nagios have released an update which should be applied as soon as possible. Generally, it’s not a good idea to expose services like these to the wider internet. Access to network monitoring tools should be closely guarded.

Indicators of Compromise

None sighted.

Threat Landscape

A search on Shodan turns up less than 200 exposed servers.

After the recent attacks on Kaseya customers, researchers have turned their attention to IT management tools. Due to their visibility and level of trust, these make excellent targets for an attacker looking to take over a network.

Expect to see more vulnerabilities found in this type of software soon.

Mitre Methodologies

T1068 – Exploitation for Privilege Escalation
T1190 – Exploit Public-Facing Application
T1555 – Credentials from Password Stores
T1566.002 – Spearphishing Link

Further Information

Securing Network Management Systems: Nagios Xi

Nagios Security Disclosures

Nagios XI Stored Cross-Site Scripting (XSS