Nagios patched three vulnerabilities in Nagios Xi, a popular front end to the free network and systems monitoring tool Nagios Core.
According to Nagios' website, Xi customers include Verizon and the Amman (Jordan) Stock Exchange.
The vulnerabilities, discovered by the Synopsys Cybersecurity Research Center (CyRC), are all post-authentication issues in the web application: a SQL injection (CVE-2021-33177), a path traversal vulnerability in the NagVis reporting system (CVE-2021-33178) and a cross-site scripting flaw in the Core Config Manager (CVE-2021-33179).
Scott Tolley, the security engineer at Synopsys who did the research, said the idea to investigate Nagios Xi came to him when it was mentioned on the Hacker Public Radio podcast. The positioning of the software on networks and a spate of recent attacks on IT management products like Kaseya and SolarWinds piqued his interest.
"There's quite a lot of activity in [IT management software] right now," said Tolley. "And it makes sense. By definition, the software is going to have a privileged role on the network, so if you get into it or anywhere near it, it's a great way to pivot for any attacker to go on to the rest of the system."
Synopsys only tested the web application for vulnerabilities.
The SQL injection vulnerability affects versions prior to 5.8.4, the XSS issue affects versions prior to 5.8.5, and the path traversal bug affects versions prior to the current distribution when the NagVis app is installed.
Mitigation, according to Synopsys, is to upgrade Xi and NagVis.
Tolley expects to see more attacks and efforts to harden network management software in the future.
"It's an interesting, juicy target for attackers and, of course, for security researchers as well," he said.