Nagios Core has been updated to take care of two critical vulnerabilities that can be chained together to attack servers hosting the open source IT infrastructure monitoring software.
The flaws were privately disclosed by researcher Dawid Golunski of Legal Hackers, who said the vulnerabilities can be exploited to elevate privileges to root and gain remote code execution.
Users should upgrade to Nagios Core 4.2.4; previous versions are vulnerable.
Golunski said in an advisory that an attacker can gain a foothold on a Nagios Core server by taking advantage of a command injection vulnerability (CVE-2016-9565) in a front-end RSS feed reader class called MagpieRSS that displays news sent from Nagios. The component vulnerability was discovered in 2008, he said.
Golunski said the reader loads feeds either in clear text over HTTP or over HTTPS connections on which it accepts self-signed certificates.
“The vulnerability could potentially enable remote unauthenticated attackers who managed to impersonate the feed server (via DNS poisoning, domain hijacking, ARP spoofing etc.), to provide a malicious response that injects parameters to curl command used by the affected RSS client class and effectively read/write arbitrary files on the vulnerable Nagios server,” Golunski said. “This could lead to Remote Code Execution in the context of www-data/nagios user on default Nagios installs that follow the official setup guidelines.”
Golunski provides technical details and a proof-of-concept exploit in his advisory. He said an attacker can abuse the curl command used to handle HTTPS requests, whose arguments are improperly sanitized and fail to prevent parameter injection. An attacker who manages to impersonate the Nagios domain would be in a position to attack the server remotely.
“The vulnerability could potentially become an Internet threat and be used to exploit a large number of affected Nagios installations in case of a compromise of a DNS server/resolver belonging to a large-scale ISP,” Golunski said.
The second vulnerability, CVE-2016-9566, affords an attacker root access if used in conjunction with CVE-2016-9565.
Golunski said the Nagios Core daemon performs unsafe operations when handling its log file; a local attacker running as the nagios user, or as a member of the nagios group, could elevate privileges to root.
“The exploit could enable the attackers to fully compromise the system on which a vulnerable Nagios version was installed,” Golunski said.
The problem, Golunski said in an advisory, is that the Nagios daemon opens the log file before dropping its root privileges on startup.
“If an attacker managed to gain access to an account of ‘nagios’ or any other account belonging to the ‘nagios’ group, they would be able to replace the log file with a symlink to an arbitrary file on the system,” Golunski said. “This vulnerability could be used by an attacker to escalate their privileges from nagios user/group to root for example by creating a malicious /etc/ld.so.preload file.” An attacker with only ‘nagios’ group access, however, can read the log file but cannot write to it.
“Attackers with access to ‘nagios’ group could however bypass the lack of write privilege by writing to Nagios external command pipe (nagios.cmd) which is writable by ‘nagios’ group by default,” Golunski said.
Access to the command pipe allows the attacker to bypass the lack of write permission and inject data into the log file, Golunski said, and so escalate privileges to root.
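As an added illustration of the ordering problem Golunski describes, the C snippet below is constructed here (it is not Nagios' code) and shows a daemon log opener in the vulnerable open-then-drop order beside a hardened drop-then-open variant that refuses a symlinked log path; the scratch directory under /tmp and the function names are assumptions.

```c
/* Constructed illustration (not Nagios' code): a daemon that opens its log
 * while still root and only then drops privileges writes, as root, wherever
 * a symlink planted at the log path points. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static int drop_privs(uid_t uid, gid_t gid) {
    if (getuid() != 0) return 0;  /* already unprivileged: nothing to drop */
    return (setgroups(0, NULL) == 0 && setgid(gid) == 0 && setuid(uid) == 0) ? 0 : -1;
}
/* Vulnerable ordering: open (following symlinks) as root, then drop. */
int open_log_then_drop(const char *path, uid_t uid, gid_t gid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
    if (fd >= 0 && drop_privs(uid, gid) != 0) { close(fd); return -1; }
    return fd;
}
/* Hardened ordering: drop first, open with O_NOFOLLOW, then confirm the
 * descriptor refers to a regular file with a single hard link. */
int drop_then_open_log(const char *path, uid_t uid, gid_t gid) {
    struct stat st;
    if (drop_privs(uid, gid) != 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;  /* errno is ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}
/* Runs both openers against a symlinked log in a scratch directory; returns 1
 * if the naive one follows the link and the hardened one rejects it (ELOOP).
 * Runs unprivileged, so no uid/gid change actually takes place. */
int symlink_demo(void) {
    char dir[] = "/tmp/logdemoXXXXXX", target[64], lnk[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/secret", dir);
    snprintf(lnk, sizeof lnk, "%s/nagios.log", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0 || symlink(target, lnk) != 0) return 0;
    close(t);
    int naive = open_log_then_drop(lnk, getuid(), getgid());
    int hard = drop_then_open_log(lnk, getuid(), getgid());
    int err = errno;
    if (naive >= 0) close(naive);
    unlink(lnk); unlink(target); rmdir(dir);
    return naive >= 0 && hard < 0 && err == ELOOP;
}
```

O_NOFOLLOW only rejects a symlink at the final path component, so the directory holding the log must not itself be writable by the unprivileged user or group.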