GRIMM, a cybersecurity organisation led by industry experts, announced that it performed dedicated vulnerability research into Nagios and discovered a number of vulnerabilities that would enable attackers to gain Remote Code Execution (RCE) as root on Nagios management servers, a position with great potential for later lateral movement. This research stems from GRIMM’s Private Vulnerability Disclosure (PVD) Program, in which research targets are selected based on extensive threat modeling and the team’s deep background in reverse engineering and vulnerability research.
“Just sticking to the core functionality and plugins written and distributed by Nagios still leaves us a large attack surface, a ton of features, and a lot of legacy code due to the steady accretion of features that is natural in software that is over a decade old. The result is a complex system that has clearly been developed with flexibility and extensibility in mind, but this leads to a myriad of different attacks that need to be defended against,” said Adam Nichols, Principal of Software Security, GRIMM.
“The primary impact of these vulnerabilities is that attackers gain root access to one of the most useful sources of information and best launching points for lateral movement (an endpoint management server), but they could also easily gain additional access depending on configuration and how the Nagios instance is used.”
To mitigate the risk of similar vulnerabilities, GRIMM recommends that organisations that use Nagios restrict the use of external commands by monitored endpoints to just those commands required for the desired functionality. Beyond these proactive measures, network administrators and defenders should familiarise themselves with the potential avenues of attack against their network, as well as the signs and characteristics of such attacks.
These vulnerabilities are significant because a Nagios instance is a very attractive target, both for the information it contains and for its role in network activity. The software holds both historical and constantly updated information on network configuration and on the services running on the network, which is useful to attackers in mapping out how to reach the systems they are most interested in. In addition, once attackers gain root access, they can manipulate any of the data being displayed to administrators or security personnel, which could enable them to further conceal their activity. Finally, because Nagios routinely performs service checks and other administration tasks, traffic from it to other servers or even to endpoints will likely be considered normal and not raise suspicion.
The security research is done entirely by GRIMM’s internal PVD team, which has decades of experience in the most sensitive environments. Because GRIMM has a strong commitment to partnership, the PVD program welcomes requests to look into specific software or hardware. GRIMM offers this service to a limited, trusted clientele to ensure that the program is used appropriately while the team works with the vendors on patches.
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 920