
How can enterprises address Nagios Core vulnerabilities?

Early versions of Nagios Core, the open source network monitoring tool, had privilege escalation vulnerabilities. Expert Judith Myerson explains the flaw and what to do about it.

My company uses the open source tool Nagios Core to support technology governance. I just found out this tool has security vulnerabilities. What are they, and what should be done about them?

Nagios is a popular network monitoring tool. Now known as Nagios Core, it tracks the health of network services and the network infrastructure to make sure they are working properly. These network services include Simple Mail Transfer Protocol, Post Office Protocol 3 (POP3), HTTP, Network News Transfer Protocol, FTP and SSH.

In versions of Nagios Core prior to 4.2.2, two vulnerabilities made it possible for false alerts to be sent to victims. Researcher Dawid Golunski of Legal Hackers found that an attacker could exploit these vulnerabilities to gain remote code execution and to escalate privileges to root.

After receiving such alerts from the Nagios server, users with advanced or normal rights might be unable to use legitimate Nagios commands properly, and read-only users, who are not permitted to run commands, might be shown the wrong hosts and services.

MagpieRSS, the star of the first vulnerability, is the component that displays news alerts fetched from a Nagios RSS feed server. Lurking in the handling of that feed is a command injection vulnerability (CVE-2016-9565) that might enable an attacker who spoofs a response from the server to read or write files.

Joining the stage as a supporting actor is the second vulnerability (CVE-2016-9566). Remote attackers with access to a Nagios account are able to gain root privileges by launching a symbolic link (symlink) attack on the log file; a symlink points to another file or directory transparently to the user. If the attackers are already local, leveraging MagpieRSS is not needed.

An organization running an earlier version of Nagios should update to Nagios Core 4.2.4 or later for better support of technical governance. Nagios XI runs on Windows, Linux and VMware. Organizations should also consider Nagios Log Server, Nagios Fusion for centralized operational status, and Nagios Network Analyzer. Upgrading to a newer version is the only option for addressing these vulnerabilities, as older versions are still affected and have not been patched.
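Two checks a defender can run in support of the advice above, as an added example that is not part of the original article or of Nagios itself: a version comparison against the recommended 4.2.4, and an audit of the log path that a root-started daemon opens, demonstrated on a constructed temporary directory. The function names, the nagios.log file name and the use of O_NOFOLLOW are assumptions.

```python
import os
import stat
import tempfile

FIXED_VERSION = (4, 2, 4)  # release the article recommends upgrading to


def parse_version(text):
    """Turn a Nagios Core version string such as '4.2.4' into a tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_upgrade(version_text):
    """True when the installed Nagios Core is older than 4.2.4."""
    return parse_version(version_text) < FIXED_VERSION


def audit_log_path(path, daemon_uid):
    """Return findings about a log file that a root-started daemon opens.

    daemon_uid is the uid the daemon later runs as (the 'nagios' user).
    A symlink at the log path, or a parent directory that user can write,
    lets the log target be redirected to an arbitrary file."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("log path is a symlink -> " + os.readlink(path))
    elif not stat.S_ISREG(st.st_mode):
        findings.append("log path is not a regular file")
    parent = os.lstat(os.path.dirname(path) or ".")
    if parent.st_uid == daemon_uid or parent.st_mode & stat.S_IWOTH:
        findings.append("parent directory is writable by the daemon user")
    return findings


def open_log_safely(path):
    """Open the log without following a symlink at the final component."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    return os.open(path, flags, 0o640)


def demo():
    """Constructed scenario: a symlink planted where the log should be."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.txt")
        open(target, "w").close()
        log = os.path.join(d, "nagios.log")
        os.symlink(target, log)
        findings = audit_log_path(log, os.getuid())
        try:
            os.close(open_log_safely(log))  # expected to fail with ELOOP
            opened = True
        except OSError:
            opened = False
        return findings, opened
```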



This was last published in July 2017
