Remote Command Execution (RCE) Vulnerability in Nagios
Vulnerabilities have been reported and patched in Nagios XI, the proprietary version of the Nagios network monitoring tool.
Four of these (CVE-2021-37344, CVE-2021-37346, CVE-2021-37350, CVE-2021-37353) can lead to Remote Code Execution (RCE) with a CVSS score of 9.8/10.
By chaining these vulnerabilities, an authenticated attacker could execute code with root privileges, retrieve network credentials and run code on monitored endpoints. A local user can use the service to escalate to root privileges on the server.
Check the version of Nagios in use.
Qualys has detection for CVE-2021-38156, which was patched in 5.8.6.
Nessus does not have a detection plugin at this time.
- Nagios XI < 5.8.5
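A version triage built from the two thresholds quoted above, as an added example (not code from Nagios or from this advisory's author). The host names, status labels and inventory format are assumptions; versions are compared as integer tuples because a plain string comparison ranks 5.8.10 below 5.8.5.

```python
import re

# Thresholds stated in the advisory text above.
RCE_CHAIN_FIXED = (5, 8, 5)        # "Nagios XI < 5.8.5" is listed as affected
CVE_2021_38156_FIXED = (5, 8, 6)   # "patched in 5.8.6"

_VERSION_RE = re.compile(r"^\s*(?:nagios\s*xi\s+)?v?(\d+(?:\.\d+){1,2})\s*$", re.I)


def parse_version(text):
    """Return (major, minor, patch) as ints, or None when the string is not a version."""
    match = _VERSION_RE.match(text or "")
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))   # "5.8" is compared as 5.8.0
    return tuple(parts)


def classify(version_text):
    """Map a reported version string to a patch status for this advisory."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"               # never assume an unreadable version is patched
    if version < RCE_CHAIN_FIXED:
        return "affected"
    if version < CVE_2021_38156_FIXED:
        return "needs-5.8.6"
    return "patched"


def triage(inventory):
    """Group hostnames by status so affected servers surface first."""
    report = {"affected": [], "needs-5.8.6": [], "unknown": [], "patched": []}
    for host, version_text in inventory.items():
        report[classify(version_text)].append(host)
    return report


# Constructed inventory: hostnames and version strings are made up for the example.
SAMPLE_INVENTORY = {
    "mon-01.example.internal": "5.8.4",
    "mon-02.example.internal": "Nagios XI 5.8.5",
    "mon-03.example.internal": "5.8.10",   # sorts below "5.8.5" as a string
    "mon-04.example.internal": "5.8",
    "mon-05.example.internal": "",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```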
Containment, Mitigations & Remediations
Nagios have released an update which should be applied as soon as possible. Generally, it’s not a good idea to expose services like these to the wider internet. Access to network monitoring tools should be closely guarded.
Indicators of Compromise
A search on Shodan turns up fewer than 200 exposed servers.
After the recent attacks on Kaseya customers, researchers have turned their attention to IT management tools. Due to their visibility and level of trust, these make excellent targets for an attacker looking to take over a network.
Expect to see more vulnerabilities found in this type of software soon.
- T1068 – Exploitation for Privilege Escalation
- T1190 – Exploit Public-Facing Application
- T1555 – Credentials from Password Stores
- T1566.002 – Spearphishing Link
Securing Network Management Systems: Nagios Xi