Cacti Patched CVE-2022-46169 Critical RCE Vulnerability



Cacti, the open-source, web-based network monitoring and graphing tool, recently received an update that fixes a critical-severity security vulnerability allowing arbitrary code execution on a server running Cacti.

CVE-2022-46169

Cacti is an open-source, web-based network monitoring and graphing tool that offers users a framework for fault management and operational monitoring.

A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti if a specific data source was selected for any monitored device. The vulnerability resides in the remote_agent.php file.

This file can be accessed without authentication. Once the authorization check in remote_agent.php is bypassed, an attacker can trigger different actions.

The attacker-controlled parameter $poller_id is retrieved via the function get_nfilter_request_var, which allows arbitrary strings.

The command injection results from this variable later being inserted into the command string passed to proc_open. For instance, the id command is executed when poller_id=;id is specified.

When the action of the corresponding poller item is set to POLLER_ACTION_SCRIPT_PHP, the attacker needs to supply the host_id and local_data_id in order to access the vulnerable call.
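The following is an added example and not code from the original advisory or from the Cacti project. It shows how a defender can check web-server access logs for requests to remote_agent.php whose poller_id (or host_id / local_data_id) is not the positive integer a genuine poller would send, which is the same validation rule that blocks the ;id payload described above. It assumes the Apache/Nginx "combined" log format; the log lines embedded below are constructed for illustration.

```python
"""Scan web-server access logs for abuse of the CVE-2022-46169 injection point
in Cacti's remote_agent.php (added example, not Cacti project code).

Assumes the Apache/Nginx 'combined' access-log format. The sample log lines
at the bottom are constructed for illustration."""
import re
from urllib.parse import urlsplit, parse_qs

# One 'combined' log line: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A legitimate poller_id is the poller's positive integer database id. Enforcing
# this shape before the value reaches a shell command is what stops ';id'.
POLLER_ID_RE = re.compile(r'^[1-9]\d*$')


def is_valid_poller_id(value: str) -> bool:
    """True only for the integer form a genuine Cacti poller would send."""
    return bool(POLLER_ID_RE.match(value))


def parse_line(line: str):
    """Split a combined-format log line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(target: str):
    """Return a list of findings for a suspicious remote_agent.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/remote_agent.php'):
        return None
    # parse_qs percent-decodes values, so '%3Bid' is examined as ';id'.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for pid in params.get('poller_id', []):
        if not is_valid_poller_id(pid):
            findings.append(f"non-numeric poller_id={pid!r}")
    # The POLLER_ACTION_SCRIPT_PHP path also takes host_id and local_data_id;
    # those are database ids as well, so anything non-numeric is worth a look.
    for name in ('host_id', 'local_data_id'):
        for value in params.get(name, []):
            if not value.isdigit():
                findings.append(f"non-numeric {name}={value!r}")
    return findings or None


def scan_access_log(lines):
    """Yield one alert dict per log line that carries a suspicious remote_agent.php request."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = inspect_request(rec['target'])
        if findings:
            alerts.append({'client': rec['client'], 'ts': rec['ts'],
                           'status': rec['status'], 'findings': findings})
    return alerts


# Constructed sample log lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Dec/2022:10:00:01 +0000] "GET /cacti/remote_agent.php?poller_id=2 HTTP/1.1" 200 512 "-" "cacti-poller"',
    '198.51.100.7 - - [05/Dec/2022:10:00:05 +0000] "GET /cacti/remote_agent.php?poller_id=%3Bid&host_id=1&local_data_id=6 HTTP/1.1" 200 734 "-" "curl/7.85.0"',
    '192.0.2.10 - - [05/Dec/2022:10:00:09 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']} -> {'; '.join(alert['findings'])}")
```

Running the block against the constructed lines reports only the second request, whose decoded poller_id is ";id". Feeding real access logs to scan_access_log (one line per element) gives a quick triage list of which clients probed the endpoint with malformed ids; the same integer check, applied server-side before the value is handed to proc_open, is the shape of the fix rather than a substitute for upgrading.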

Impacted Cacti Version

Cacti version 1.2.22

Fixed Cacti Version

1.2.23 or 1.3.0

Mitigation Steps

Mitigation steps are available in Cacti’s advisory.
