CVE-2002-1479 in Cacti
Summary
by MITRE
Cacti before 0.6.8 stores a MySQL username and password in plaintext in config.php, which has world-readable permissions, which allows local users modify databases as the Cacti user and possibly gain privileges.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 11/23/2024
The vulnerability described in CVE-2002-1479 represents a critical security flaw in the Cacti network monitoring system version 0.6.8 and earlier. This issue stems from the improper handling of database credentials within the application's configuration file, creating a persistent security weakness that affects system integrity and data protection. The vulnerability specifically targets the configuration management practices of the Cacti monitoring platform, which is widely used for network performance monitoring and graphing.
The technical flaw manifests in the plaintext storage of MySQL database credentials within the config.php file, a configuration file that is accessible to all users on the system due to world-readable permissions. This design decision fundamentally violates security best practices by exposing sensitive authentication information without proper access controls or encryption mechanisms. The configuration file contains both the MySQL username and password in clear text format, making it trivial for any local user with access to the system to extract these credentials. This weakness falls under the category of improper credential handling and configuration management issues that are commonly classified as CWE-312 (Sensitive Data in Memory) and CWE-522 (Insufficiently Protected Credentials).
The operational impact of this vulnerability extends beyond simple credential exposure, as it provides local attackers with the ability to modify database contents as the Cacti user account. This elevated privilege level allows attackers to manipulate monitoring data, potentially leading to false reporting, data corruption, or complete system compromise. The vulnerability creates a pathway for privilege escalation within the context of the Cacti application, as the database credentials grant access to the underlying monitoring infrastructure. Attackers could leverage these credentials to modify network monitoring data, alter performance metrics, or even gain access to additional system resources that are accessible through the database connection.
From a cybersecurity perspective, this vulnerability aligns with several ATT&CK framework techniques including T1566 (Phishing for Information) through credential harvesting and T1078 (Valid Accounts) by leveraging legitimate database access. The attack surface is particularly concerning because it requires only local system access, making it accessible to users with minimal privileges who might otherwise have no direct access to sensitive monitoring data. The vulnerability represents a classic case of insecure configuration management that could be exploited to compromise the integrity of network monitoring systems, potentially leading to undetected security breaches or false security assessments. Organizations relying on Cacti for network monitoring would be particularly vulnerable to this type of attack, as the monitoring data integrity is directly compromised by the exposure of database credentials.
The mitigation strategy for CVE-2002-1479 requires immediate implementation of proper file permissions and credential management practices. System administrators should ensure that the config.php file has restrictive permissions, preventing world-readable access and limiting access to only authorized personnel. The recommended approach includes setting appropriate file ownership and permissions using standard Unix/Linux file permission models, typically restricting access to the root user or specific administrative accounts. Additionally, organizations should consider implementing encrypted credential storage mechanisms or external credential management solutions to prevent plaintext storage of database credentials. The vulnerability highlights the importance of regular security audits and configuration reviews, as well as the necessity of keeping software components updated to address known security issues. This particular vulnerability demonstrates how seemingly minor configuration issues can have significant security implications, emphasizing the need for comprehensive security practices throughout the software development lifecycle and deployment environments.