If you’re running a big enough network, chances are you have a monitoring server tucked away somewhere, silently watching and waiting to let you know if something goes wrong. This same quiet IT warrior is also a juicy target for attackers because it both houses a large amount of data about your network and also serves as an ideal launching point from which to move laterally within the network.
Given the importance of such a target, one naturally would expect that the monitoring server would be housed internally within a network and inbound network access would be tightly controlled, but that doesn’t mean there’s no way in. Take Nagios as an example. Nagios’s primary user interface is a web application that is designed to execute administration tasks. As a result, there are many places where it handles commands that run with elevated privilege. This means that there are many ways a small issue can snowball into a big problem for a network, and the amount of flexibility and features means there’s a lot of room for things to go wrong.
During the course of research into Nagios, GRIMM researchers discovered a number of vulnerabilities that would enable attackers to gain Remote Code Execution (RCE) as root on the primary server, which provides great potential for later lateral movement. Granted that in most of the realistic scenarios, the network restrictions around what can even talk to the Nagios server means that attackers need a little bit of a start, either a too-trusting administrator or a compromised client, but once they get a toehold, it’s on like Donkey Kong.