Cacti is an open-source network monitoring and graphing tool that allows users to collect, analyze, and visualize data from a variety of network devices and servers. It is written in PHP and uses the open-source RRDtool to store and display performance data in graphs and tables.

Cacti can be used to monitor a wide range of network devices, including routers, switches, servers, and many others. It can monitor metrics such as CPU load, memory usage, network traffic, and other performance indicators.

Recently, a vulnerability was discovered in Cacti that could allow an attacker to execute arbitrary code on the server hosting it. The severity of this vulnerability is high, as it is exploitable remotely and without any user interaction, giving it a critical 9.8 CVSS score.

The Vulnerability

The vulnerability appeared in the remote_agent.php file, which is accessible without authentication. This file is responsible for retrieving data from monitored devices and storing it in the Cacti database.

The issue arises when the polldata function is called, which retrieves a few request parameters and loads the corresponding poller_item entries from the database. If the action of a poller_item equals POLLER_ACTION_SCRIPT_PHP, the function proc_open is used to execute a PHP script.

The attacker-controlled parameter $poller_id is retrieved via the function get_nfilter_request_var, which allows arbitrary strings. This variable is later inserted into the string that is passed to proc_open, which leads to a command injection vulnerability (CWE-77).

To trigger the vulnerability, the attacker needs to bypass the authentication mechanism implemented in the remote_agent.php file. This mechanism verifies whether the client is authorized to access the service by iterating through each record of the poller table and checking whether the client's IP address matches an entry.

It does so using the function remote_client_authorized() that retrieves the IP address of the client via get_client_addr() and links it to the proper hostname via gethostbyaddr(), which is later compared with a database record.

The function get_client_addr() checks several $_SERVER variables to determine the IP address of the client. The authorization mechanism can be bypassed by exploiting the implementation of get_client_addr() defined in the lib/functions.php file: because it trusts client-supplied forwarding headers, the reported client address can be changed by simply modifying an HTTP request header.

Since there is a default entry in the poller table with the hostname of the server running Cacti, an attacker can bypass the authentication by injecting the header Forwarded-For: <TARGETIP>.

This way, the function get_client_addr() returns the IP address of the server running Cacti. The following call to gethostbyaddr() will resolve this IP address to the hostname of the server, which will pass the poller hostname check because of the previously mentioned default entry.
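The weak pattern described above, beside a hardened form that only honours forwarding headers when the direct peer is a configured reverse proxy. This is an added illustration in Python, not Cacti's own code: the header names, the trusted proxy address, the poller hostname and the resolver are all constructed for the example.

```python
import ipaddress

# Header names a naive implementation consults; illustrative list, the page
# itself only names Forwarded-For.
FORWARDED_HEADERS = ("X-Forwarded-For", "Forwarded-For")

def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def naive_client_addr(remote_addr, headers):
    """Weak pattern: any forwarded header overrides the socket peer address."""
    for name in FORWARDED_HEADERS:
        value = _header(headers, name)
        if value:
            return value.split(",")[0].strip()
    return remote_addr

def hardened_client_addr(remote_addr, headers, trusted_proxies):
    """Honour forwarded headers only when the direct peer is a trusted proxy,
    and only if the forwarded value actually parses as an IP address."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_proxies):
        return remote_addr  # untrusted peer: ignore whatever headers it sent
    for name in FORWARDED_HEADERS:
        value = _header(headers, name)
        if not value:
            continue
        candidate = value.split(",")[0].strip()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # malformed value, fall through to the next header
        return candidate
    return remote_addr

def poller_authorized(client_addr, poller_hostnames, resolve):
    """Model of the check: reverse-resolve the address, compare to the poller table."""
    return resolve(client_addr) in poller_hostnames

# Constructed environment: the Cacti host, its default poller entry, one reverse proxy.
CACTI_IP = "10.0.0.5"
POLLER_HOSTNAMES = {"cacti.example.internal"}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.2/32")]

def fake_resolve(ip):
    """Stand-in for gethostbyaddr(); only the Cacti host has a reverse record."""
    return {CACTI_IP: "cacti.example.internal"}.get(ip, ip)
```

With the naive function a forwarded header naming the Cacti host passes the check from any source; with the hardened one the same header from a non-proxy peer is ignored and the check fails.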

Once the attacker has bypassed the authentication mechanism, they can execute arbitrary code on the server running Cacti by exploiting the command injection vulnerability in the polldata function.

The only requirement for the attacker to reach the vulnerable call is that a poller_item with a POLLER_ACTION_SCRIPT_PHP action exists. This action is added by some predefined templates like Device - Uptime or Device - Polling Time and is very likely to be present in a production instance.

The attacker needs to provide the poller_id parameter, which is later inserted into the string passed to proc_open. By providing a semicolon followed by a command, the attacker can execute arbitrary commands on the server.
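A detection pass a defender could run over web-server access logs for the two signals described in this article: remote_agent.php being reached from an address that is not a known poller, and a polldata request whose poller_id is not a plain integer. This is an added example, not part of the original article; the log lines, the log format and the poller address set are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in Apache common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.6 - - [10/Jan/2023:10:15:32 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&poller_id=2&local_data_ids[]=5 HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2023:10:16:01 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&poller_id=1%3Bx&local_data_ids[]=5 HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2023:10:16:02 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 2048
"""

# Known poller addresses (constructed); only these should ever call remote_agent.php.
KNOWN_POLLERS = {"10.0.0.5", "10.0.0.6"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INT_RE = re.compile(r"^\d+$")

def analyze_line(line):
    """Return the findings for one log line (empty list if nothing is suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/remote_agent.php"):
        return []
    ip = m.group("ip")
    findings = []
    if ip not in KNOWN_POLLERS:
        findings.append("remote_agent.php reached from non-poller %s" % ip)
    params = parse_qs(parts.query)  # decodes %3B back to ';'
    if params.get("action", [""])[0] == "polldata":
        for value in params.get("poller_id", []):
            if not INT_RE.match(value):
                findings.append("non-integer poller_id %r from %s" % (value, ip))
    return findings

def analyze_log(text):
    """Run analyze_line over every line of a log and flatten the findings."""
    return [f for line in text.splitlines() for f in analyze_line(line)]
```

The integer check mirrors the validation the endpoint itself should apply: a poller_id is a row id, so anything other than digits has no legitimate use.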

This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches, with 1.2.23 being the first release containing the patch. To prevent this vulnerability, administrators should update their Cacti installation to the patched versions mentioned in the advisory.

Conclusion

The vulnerability in Cacti can have severe consequences for affected systems, such as unauthorized access, data theft, system compromise, and further exploitation of the network infrastructure.

Furthermore, since Cacti is often used to monitor critical network devices and servers, the impact of a successful attack can be significant. The compromised monitoring system may provide a gateway for attackers to gain control over other connected devices, leading to a broader security breach and potential disruption of services.

It is crucial for administrators to address this vulnerability by updating their Cacti installation to the patched versions mentioned in the advisory. Additionally, it is recommended to review and reinforce the overall security posture of the monitoring infrastructure, including access controls, network segmentation, and regular vulnerability assessments.

And to conclude this article, we’d like to invite you to check if your Cacti server is vulnerable by visiting our feed. DataGrid Surface has put a lot of effort into building a scanner that’s actively searching the web for vulnerable devices and infrastructure, not only to CVE-2022-46169 but also to many other vulnerabilities.
