The most dangerous issue (CVE-2020-28648) scored 8.8 on the CVSS scale and stems from incorrect input validation in the Nagios XI Auto-Discovery component, which the researchers used as the starting point for a chain of exploits involving five vulnerabilities.
"If an attacker compromises a client's site, which is monitored by the Nagios XI server, he can also compromise the telecom company's management server and all other clients," the experts explained.
The attack scenario involves compromising the Nagios XI server at the client's site using vulnerabilities CVE-2020-28648 and CVE-2020-28910 to gain remote access and elevate privileges to the superuser level. Once the server is compromised, the attacker can return malicious data to the Nagios Fusion control server, which monitors the entire infrastructure by periodically polling the Nagios XI servers.
"The infected data returned from the XI server allows cross-site scripting (CVE-2020-28903) and JavaScript code to be executed in the context of the user Fusion," the experts noted.
The researchers also published a PHP-based post-exploitation tool, SoyGun, that ties the vulnerabilities together and "allows an attacker with Nagios XI user credentials and HTTP access to the Nagios XI server to have full control over the launch of Nagios Fusion."
The experts reported their findings to Nagios in October 2020. In November 2020, the company released patches addressing the issues.