
Cloud Vulnerability DB
A community-led vulnerabilities database
Nagios Fusion 4.1.8 and earlier contains a privilege escalation vulnerability (CVE-2020-28907) that allows escalation of privileges to root, or code execution as root, through the way the upgradetolatest.sh script downloads and applies an update package it cannot trust. The issue was discovered and reported to Nagios in October 2020 and was fixed in November 2020 (Skylight Blog, Hacker News).
The root cause is incorrect SSL/TLS certificate validation in upgradetolatest.sh: the script fetches the update package without properly verifying the server it is talking to, so anyone who can intercept or redirect that download (for example an attacker on the network path) can substitute a package of their own. Because the upgrade routine runs with root privileges, whatever the attacker puts in that package is executed as root (GBHackers).
If successfully exploited, the vulnerability lets an attacker who already has access as the apache user escalate to root and execute arbitrary code with root privileges on the affected Nagios Fusion server. Since Fusion aggregates data from the Nagios XI servers it fuses, this can lead to complete compromise of the monitoring infrastructure (Skylight Blog).
The vulnerability was patched in November 2020. Organizations running affected versions of Nagios Fusion should upgrade to a release newer than 4.1.8. The fix adds proper validation of the server certificate and of the update package in upgradetolatest.sh; after upgrading, it is worth confirming that the installed script no longer disables certificate checking for its download (Hacker News).
The vulnerability was part of a larger disclosure of 13 vulnerabilities in Nagios XI and Nagios Fusion that gained significant attention in the security community. The researchers emphasized how these vulnerabilities could be chained together, hopping between the Fusion server and the XI servers it monitors, to compromise entire monitoring infrastructures, particularly in telecommunications and managed service provider environments (Skylight Blog, Hacker News).
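The flaw class described above and the shape of its fix, as an added example that is not the Nagios upgradetolatest.sh script and not the vendor's patch: a hypothetical update routine that fetches a package with certificate validation switched off and executes it as root, next to a hardened variant that keeps validation on, refuses anything but HTTPS, and checks a pinned SHA-256 digest before a single byte is unpacked. The update URL, file names, the install.sh entry point and the digest-verification helper are all assumptions for the illustration.

```shell
#!/bin/sh
# Illustration of the CVE-2020-28907 flaw class (assumed names/URLs; NOT the
# actual Nagios upgradetolatest.sh and NOT the vendor fix).
set -u

UPDATE_URL="https://updates.example.invalid/fusion-latest.tar.gz"   # assumed

# --- vulnerable pattern -----------------------------------------------------
# --insecure disables certificate validation, so whoever can redirect or
# intercept the connection decides what is unpacked and run as root below.
insecure_update() {
    mkdir -p /tmp/update \
        && curl --insecure -o /tmp/update.tar.gz "$UPDATE_URL" \
        && tar -xzf /tmp/update.tar.gz -C /tmp/update \
        && sh /tmp/update/install.sh      # inherits the caller's (root) privileges
}

# --- hardened pattern -------------------------------------------------------
# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_package FILE EXPECTED_SHA256 -> returns 0 on match, 1 otherwise.
# EXPECTED_SHA256 must come from a channel the attacker cannot rewrite
# (pinned in the release, or a signature checked against a pinned key),
# never from the same untrusted download.
verify_package() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "verify_package: missing $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_package: digest mismatch for $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# secure_update EXPECTED_SHA256: certificate validation stays on (curl's
# default); --proto '=https' rejects plain-HTTP redirects; --fail rejects HTTP
# error bodies; nothing is unpacked or executed until the digest matches.
secure_update() {
    expected="$1"
    tmp=$(mktemp -d) || return 1
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
         -o "$tmp/update.tar.gz" "$UPDATE_URL" || { rm -rf "$tmp"; return 1; }
    verify_package "$tmp/update.tar.gz" "$expected" || { rm -rf "$tmp"; return 1; }
    mkdir "$tmp/pkg" \
        && tar -xzf "$tmp/update.tar.gz" -C "$tmp/pkg" \
        && sh "$tmp/pkg/install.sh"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

The digest pin is the minimum that makes "validation of update packages" meaningful; a signed manifest verified against a key shipped with the product is the stronger form, but the ordering is the point in either case: authenticate the transport, verify the artifact, and only then let anything run as root. A quick check on an upgraded host is to read the installed upgradetolatest.sh and confirm its download command no longer carries a flag that disables certificate checking.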
Source: This report was generated using AI