Monitoring Solutions: Attacking IT Infrastructure at its Core
IT infrastructure is the keystone of our modern digital world and has increasingly become more complex. Ensuring the availability of this infrastructure is a crucial goal for every company and organization. In environments where the amount of IT devices makes it infeasible to monitor each device individually, a monitoring solution is required. Due to its purpose, a monitoring solution is usually deployed at a central position in the network and has connectivity to all monitored devices. This makes it a high-profile target for threat actors, as they could easily spread on the organization’s internal network.
In this talk, we have a look at monitoring solutions from an attacker’s point of view. We present the basic architecture of modern monitoring solutions and talk about the derived attack surface. Based on this, we outline how important the choice of attack vector is and describe the approach we used to find critical vulnerabilities in popular monitoring solutions like Cacti, OpenNMS, Checkmk, and Netdata. We deep-dive into these findings and explain how they were found, how they can be exploited, and what we can learn from them.
The talk will be outlined as follows:
- Presentation of speaker
- What is a monitoring solution?
- Why do attackers target monitoring solutions?
Previous related work
- Monitoring Solutions
- Purpose and functionality of a monitoring solution
- Basic architecture
- Attack surface
Choosing an attack vector
- Discovered Vulnerabilities and Exploitation
- Cacti, Unauthenticated RCE:
- Authorization Bypass
- Command injection
- OpenNMS, From XSS to RCE:
- Unauthenticated, Stored XSS
- Authenticated Command Injection
- Checkmk, Unauthenticated RCE by chaining 4 vulnerabilities:
- Server-Side Request Forgery
- Line Feed Injection
- Arbitrary File Read
- Code Injection
- Netdata, Unauthenticated RCE:
- Authentication Bypass
- Command Injection
- Common pattern in discovered vulnerabilities
- Finding more vulnerabilities!