CVE-2020-28901: 
NixOS vulnerability analysis and mitigation

Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation or Code Execution as root via vectors related to corrupt component installation in cmd_subsys.php. The vulnerability was discovered and reported to Nagios in October 2020 and was remediated in November 2020 (Skylight Blog).

The vulnerability exists in the cmd_subsys.php script where improper input validation allows for command injection. The vulnerability has a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and CVSS v2.0 Base Score of 10.0 HIGH (Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C). The issue is classified as CWE-77: Improper Neutralization of Special Elements used in a Command (NVD).

The vulnerability allows attackers to escalate privileges from apache to nagios via command injection on the componentdir parameter in cmdsubsys.php. In a telco setting, where a telco is monitoring thousands of sites, if a customer site is fully compromised, an attacker can use the vulnerability to compromise the telco, and then every other monitored customer site (Hacker News).

The vulnerability was patched in November 2020. Organizations should upgrade their Nagios Fusion installations to versions newer than 4.1.8 to protect against this vulnerability (Nagios Changelog).

Security researchers emphasized that the effort required to find and exploit these vulnerabilities is negligible for sophisticated attackers, particularly nation-states. The discovery highlighted concerns about the security of third-party technology hubs and the implicit trust given to their tools when deployed on critical assets (Skylight Blog).