Black Arrow Cyber Threat Alert - Thursday 23 September 2021 - Nagios Management Software Vulnerabilities and VMWare vCenter Bug Allows for Remote Code Execution

1. Nagios Management Software Vulnerabilities Disclosed, Could be Chained to Perform Remote Code Execution

1.1 Executive Board Summary

What is Nagios?

Nagios is market-leading IT monitoring software, used by such prominent businesses as Airbnb and PayPal. Nagios provides a centralised platform to allow both businesses and IT support providers to keep tabs on systems and services remotely.

What’s the risk to my business?

Given the attractive nature of Nagios to an attacker – a central resource with connections to potentially everything in the network – it could be severe. If you or your managed IT provider use Nagios, attackers may be able to remotely conduct attacks without requiring authentication – effectively bypassing your security.

What can I do?

Contact your IT department or provider to determine whether your systems are monitored by Nagios. A patch has been issued that your technical teams can implement straight away. See our technical summary for more details.

1.2 Technical Summary for Network Defenders

11 new security vulnerabilities have been disclosed for the Nagios network management platform. Of note is the potential to “chain” these attacks together to perform Remote Code Execution (RCE), theoretically allowing for pre-authenticated access and privilege escalation at the highest level.

Who is affected?

Anyone using Nagios XI, Nagios XI Switch Wizard, Nagios XI Docker Wizard or Nagios XI Watchguard.

What can I do?

These issues have been designated and fixed in Nagios XI 5.8.5 and above, Nagios XI Switch Wizard 2.5.7 or above, Nagios XI Docker Wizard 1.13 or above, and Nagios XI Watchguard 1.4.8 or above.

IT teams are advised to perform the necessary patches as soon as is practicable.
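
To help with that patching check, the following added example (not Black Arrow's or Nagios's own code) triages an asset inventory against the fixed versions listed above. The inventory format, hostnames and installed versions are constructed, and versions are compared component by component, which assumes the vendor numbers releases that way (so 1.9 is older than 1.13).

```python
import re

# Fixed versions exactly as listed in the alert text above.
FIXED = {
    "Nagios XI": (5, 8, 5),
    "Nagios XI Switch Wizard": (2, 5, 7),
    "Nagios XI Docker Wizard": (1, 13),
    "Nagios XI Watchguard": (1, 4, 8),
}

def parse_version(text):
    """Turn '5.8.10' into (5, 8, 10); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def needs_patch(component, installed):
    """True if `installed` is older than the fixed release for `component`."""
    fixed, have = FIXED[component], parse_version(installed)
    # Pad with zeros so 1.13 and 1.13.0 compare as the same release.
    width = max(len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) < pad(fixed)

def triage(inventory):
    """Return (host, component, installed, status) for each inventory record."""
    rows = []
    for host, component, installed in inventory:
        try:
            status = "PATCH" if needs_patch(component, installed) else "ok"
        except KeyError:    # component is not one named in the alert
            status = "not covered by this alert"
        except ValueError:  # version string could not be parsed
            status = "check manually"
        rows.append((host, component, installed, status))
    return rows

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE = [
    ("mon01", "Nagios XI", "5.8.4"),
    ("mon02", "Nagios XI", "5.8.10"),  # newer than 5.8.5, though it sorts lower as text
    ("mon01", "Nagios XI Docker Wizard", "1.9"),  # older than 1.13 by component
    ("mon03", "Nagios XI Watchguard", "1.4.8"),
    ("mon04", "Nagios XI Switch Wizard", "unknown"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A plain string comparison would wrongly flag 5.8.10 as older than 5.8.5, which is why the versions are parsed into integer tuples first.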

What’s the risk?

Consumers may be aware of the harm caused during the SolarWinds and Kaseya round of vulnerabilities, with the latter causing major disruption as a potential supply chain attack.

Solutions such as Nagios and Kaseya, while they undoubtedly provide IT teams with an efficient and broad toolset to support their network stack, offer attackers near unprecedented access if successfully breached. Given the wide scope of network integration these toolkits have, the risk remains high for vulnerabilities in this software sector.

2. Black Arrow Threat Alert: Critical VMWare vCenter Bug Allows for Remote Code Execution by Anyone on the Network

VMWare – a server hosting platform widely used in the Island by businesses and IT providers alike – have disclosed a bug in their vCenter management service dubbed as requiring attention “right now”.

2.2 Executive Board Summary

What is VMWare vCenter?

vCenter is a major component of the VMWare virtualisation ecosystem, used in managing virtual machines and servers. Nearly all businesses of reasonable size will utilise virtualisation to some extent – the act of running multiple servers on a single physical box. If you use a computer on a business network, you’ve probably got VMWare.

What’s the risk to my business?

If you are one of the many local firms using VMWare, high. VMWare have designated this bug as critical, as it allows for malicious files to be uploaded remotely – the most dangerous type of vulnerability. Attackers could craft these files to gain access to sensitive data, or as a springboard for another type of attack like ransomware.

What can I do?

Contact your IT department or IT provider to determine whether your systems are vulnerable. A patch has already been issued, so all up-to-date services will be protected. See our technical summary for more details.

2.3 Technical Summary For Network Defenders

A new vulnerability has been discovered in vCenter Server. The bug allows anyone with network access to vCenter via port 443 – locally or via remote connection – to arbitrarily abuse the file upload service to insert malicious content. The bug falls under the “Remote Code Execution” category for vulnerabilities and as such is deemed highly critical.

What versions are affected?

VMWare advise that the bug impacts all current releases of vCenter Server – 6.5, 6.7 and 7.0.

What can I do?

Perform an initial check to determine if you are running on an affected version of vCenter Server. VMWare notes that organisations that have recently updated to version 7.0 Update 2c may not be impacted – though it is still recommended to run patches.

VMWare recommend immediate patching on any affected systems, where at all possible. A workaround has also been released, involving modification to a text file on the affected server and restarting services, though it should be noted this is only a temporary fix.

What’s the risk?

Industry resources report that threat actors have already begun scanning for this vulnerability since its release. In equal measure, the vulnerability allows anyone with local network access to the affected server – e.g. a staff member or third-party contractor – to carry out the attack.

Given the severity and potential benefit to attackers, activity is expected to increase over the following weeks.
