| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.9 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as critical, has been found in Cacti. This impacts an unknown function of the file remote_agent.php of the component Request Parameter Handler. The manipulation leads to injection. This vulnerability is uniquely identified as CVE-2022-46169. The attack is possible to be carried out remotely. Moreover, an exploit is present. It is advisable to upgrade the affected component.
Details
A vulnerability was found in Cacti (Log Management Software) (affected version unknown) and classified as critical. This issue affects an unknown functionality of the file remote_agent.php of the component Request Parameter Handler. The manipulation with an unknown input leads to a injection vulnerability. Using CWE to declare the problem leads to CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`. This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.
The weakness was disclosed 12/06/2022 as GHSA-6p93-p743-35gf. The advisory is shared at github.com. The identification of this vulnerability is CVE-2022-46169 since 11/28/2022. Technical details as well as a public exploit are known. MITRE ATT&CK project uses the attack technique T1055 for this issue.
The exploit is available at exploit-db.com. It is declared as attacked. By approaching the search of inurl:remote_agent.php it is possible to find vulnerable targets with Google Hacking. The CISA Known Exploited Vulnerabilities Catalog lists this issue since 02/16/2023 with a due date of 03/09/2023:
Apply updates per vendor instructions.Upgrading eliminates this vulnerability. Applying the patch 7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at Exploit-DB (51166). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Name
License
Website
- Product: https://github.com/Cacti/cacti/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 9.0VulDB Meta Temp Score: 8.9
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CNA Base Score: 9.8
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: InjectionCWE: CWE-74 / CWE-707 / CWE-20
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Attacked
Download: 🔍
Google Hack: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
KEV Added: 🔍
KEV Due: 🔍
KEV Remediation: 🔍
KEV Ransomware: 🔍
KEV Notice: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Patch: 7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216
Timeline
11/28/2022 🔍12/06/2022 🔍
12/06/2022 🔍
10/20/2024 🔍
Sources
Product: github.comAdvisory: GHSA-6p93-p743-35gf
Status: Confirmed
CVE: CVE-2022-46169 (🔍)
GCVE (CVE): GCVE-0-2022-46169
GCVE (VulDB): GCVE-100-214817
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 12/06/2022 08:23Updated: 10/20/2024 15:55
Changes: 12/06/2022 08:23 (51), 04/28/2024 08:44 (26), 06/29/2024 03:20 (12), 09/27/2024 13:18 (2), 10/20/2024 15:55 (3)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.