The key to finding and fixing software vulnerabilities? Cooperation

Taylor Armerding, published in Nerd For Tech
5 min read, Nov 1, 2021

Humans aren’t perfect. And since humans write software code, it’s not perfect either. That means, given that software is “eating the world,” there is an endless cat-and-mouse game that pits the cyber criminals who are trying to exploit vulnerabilities in software against those trying to keep it secure from attacks.

For software defenders, the best way to minimize the imperfections in applications, networks, and systems is to build security into the software that powers them while it’s being developed.

But once the software is in use, the goal is to find and fix the inevitable remaining imperfections before criminals find and exploit them. And while headlines may imply that defenders rarely succeed, many times they do — especially when ethical researchers join forces with the companies that build and use software. That cooperation was on display recently when researchers with the Synopsys Cybersecurity Research Center (CyRC) announced a successful “find-and-fix” operation with open source infrastructure monitoring company Nagios.

CyRC researchers notified the firm — privately — in May about three vulnerabilities in Nagios XI, a web application that monitors mission-critical enterprise infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure.

Scott Tolley, security engineer with CyRC, said Nagios issued patches on July 15, June 10 and Sept. 2, and was “very responsive” to the notifications. “They gave us good supplementary information to help me validate the fixes that they put in place. That’s an important part of the process,” he said.

What drew him to Nagios? He said he heard about the company on a Hacker Public Radio tech podcast “and it got me thinking, because network monitoring/management software is obviously so privileged that it’s an attractive target for attackers.”

Indeed, if attackers can get control of monitoring software, it could give them “keys” to just about anywhere on the network. “Almost by definition it has wide access to networks and endpoints,” Tolley said.

Also, he was interested in testing the capabilities of the latest version of Seeker®, a Synopsys automated interactive application security testing tool designed to keep up with the exponential increase in the speed of software development for container-based applications. He said both CyRC and companies like Nagios benefited.

A win-win

“Doing this kind of research is a win-win,” he said, “because it helps us see how effective the tool is. And then, of course, the vendor gets to fix the issues in their software prior to publication (of the vulnerabilities).”

All three of the defects were so-called “post-authentication,” meaning a hacker would have to get into the network — perhaps by tricking an unwary employee with a phishing attack — to exploit them. The defects were assigned numbers by the MITRE Corporation’s CVE Program, which identifies, defines and catalogs publicly disclosed cybersecurity vulnerabilities.

They included SQL injection (CVE-2021-33177), a path traversal vulnerability in the NagVis reporting system (CVE-2021-33178), and a cross-site scripting error in the core configuration manager (CVE-2021-33179).

All three were ranked moderate to low in severity by the Common Vulnerability Scoring System (CVSS), which might seem a bit strange given the privileges an attacker could abuse from exploiting them. But Tolley said that’s because the rankings focus more on the technical level, and these “by themselves are not zero-interaction own-the-box vulnerabilities, which is the kind of thing you’re aiming for with high-impact findings.”

He called the rankings “an interesting, borderline-philosophical question.” He said he agreed with the CVSS because attackers would have had to get authenticated before they could do any damage.

“But you definitely want to fix all of these vulnerabilities because the system is so high-value,” he said.

“I guess the right way to think about this is that CVSS issues technical ratings of the vulnerabilities, but you have to evaluate the actual impact in the context of your own environment. The true impact depends on where you are deploying Nagios. If it’s monitoring a network in a nuclear power plant, then you might have a lower tolerance for, well, anything.”

Nothing is ever perfect

Any successful find-and-fix should come with a major caveat: This does not mean the software is now perfect. Indeed, Nagios XI has had to fix dozens of vulnerabilities, which means there will certainly be more found in the future.

According to its website, version 5.8 of Nagios XI has 23 identified vulnerabilities. This past April, PortSwigger reported that “miscreants are exploiting a newly discovered vulnerability” in an earlier version (5.7.5) of Nagios XI to run crypto-mining malware.

And Skylight Cyber reported in May that its researchers had taken only a day to identify 13 vulnerabilities in Nagios XI and Nagios Fusion servers, including “five vulnerabilities that we chain together to take control of a complete Nagios deployment.”

That doesn’t mean Nagios software is better or worse than any other organization’s. It is more transparent, though, since the majority of its code is open source, and accessible to anyone for free.

Tolley also notes that Nagios XI is “feature-rich software that has been around for a long time with lots of functionality, plugins, and customers. And where you have a lot of software you will have bugs, and some of those are going to be security vulnerabilities.”

The major point, he said, is that this is an example of how ethical researchers and organizations building and/or using software can work together to make it more secure. It’s how “responsible disclosure” is supposed to work.

“You can really go one of two ways,” he said. “Keep your software as close to your chest as possible and stop researchers evaluating it, or keep it open. The core of Nagios is open source, and you can download trial versions of Nagios XI, which is what I did. Then work with researchers to disclose and fix the inevitable security issues as quickly as possible.”

“Nagios seem to be closer to the latter as far as I can tell. It’s definitely the right behavior for the good of the world’s consumers of software, which is all of us, and it should be encouraged,” he said.

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.