My company uses the open source tool Nagios Core to support technology governance. I just found out this tool has security vulnerabilities. What are they, and what should be done about them?
Nagios is a popular network monitoring tool. Now known as Nagios Core, it tracks the health of network services and the network infrastructure to make sure they are working properly. These network services include Simple Mail Transfer Protocol, Post Office Protocol 3 (POP3), HTTP, Network News Transfer Protocol, FTP and SSH.
In versions of Nagios Core prior to 4.2.2, two vulnerabilities could have allowed false alerts to be sent to victims. Researcher Dawid Golunski of Legal Hackers found that an attacker could exploit these vulnerabilities to escalate privileges to root and to gain remote code execution.
Users with advanced or normal rights might be unable to use legitimate Nagios commands properly after receiving such alerts from the Nagios server, and users with read-only rights, who are not permitted to issue commands, might be shown the wrong hosts and services.
MagpieRSS, the star of the first vulnerability, is the component that displays news alerts fetched from the Nagios RSS feed server. It contains a command injection vulnerability (CVE-2016-9565) that may let an attacker who can spoof a response from that feed server read or write files.
The second vulnerability (CVE-2016-9566) joins the stage as a supporting actor. Attackers with access to a Nagios account can gain root privileges through a symbolic link (symlink) attack on the Nagios log file: a symlink transparently redirects to another file or folder, so what is written to the log ends up elsewhere. Remote attackers reach this step through MagpieRSS; local attackers do not need it.
An organization running an earlier version should update to Nagios Core 4.2.4 or later. Upgrading is the only option for addressing these vulnerabilities, as older versions remain affected and have not been patched. For broader technology governance, Nagios XI runs on Windows, Linux and VMware, and an organization can also use Nagios Log Server, Nagios Fusion (for centralized operational status) and Nagios Network Analyzer.
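As an added example (not from the article or the Nagios project), the script below checks an installed Nagios Core against the 4.2.4 fix level the article recommends and checks whether the log file is a symlink, the precondition of the symlink attack described above. The binary and log paths are assumed defaults, and the version banner is assumed to start with "Nagios Core X.Y.Z".

```shell
#!/bin/sh
# Added defender-side check; paths below are assumptions for a default source install.
NAGIOS_BIN="${NAGIOS_BIN:-/usr/local/nagios/bin/nagios}"
NAGIOS_LOG="${NAGIOS_LOG:-/usr/local/nagios/var/nagios.log}"
FIXED_VERSION="4.2.4"   # release the article says addresses both CVEs

# version_lt A B: succeed when dotted version A is numerically lower than B.
version_lt() {
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ] && [ "$1" != "$2" ]
}

# parse_version OUTPUT: pull "X.Y.Z" out of a banner like "Nagios Core 4.2.1".
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^Nagios Core \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# assess_version OUTPUT: print VULNERABLE, PATCHED or UNKNOWN for a version banner.
assess_version() {
    v=$(parse_version "$1")
    if [ -z "$v" ]; then echo UNKNOWN; return; fi
    if version_lt "$v" "$FIXED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi
}

# assess_log PATH: a symlink where a regular log file is expected is the
# condition the privilege escalation relies on, so report it separately.
assess_log() {
    if [ -L "$1" ]; then echo SYMLINK
    elif [ -f "$1" ]; then echo REGULAR
    else echo MISSING
    fi
}

main() {
    if [ -x "$NAGIOS_BIN" ]; then
        echo "version: $(assess_version "$("$NAGIOS_BIN" --version 2>/dev/null)")"
    else
        echo "version: UNKNOWN (no executable at $NAGIOS_BIN)"
    fi
    echo "log file: $(assess_log "$NAGIOS_LOG")"
}

main
```

A SYMLINK result on a live system warrants investigation of who replaced the log, not just the upgrade.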
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)