Cacti vulnerability is a critical security issue
Target Industry
Indiscriminate, opportunistic targeting.
Overview
Severity Level: Critical – Common Vulnerability Scoring System (CVSS) base score of 9.8 – exploitation can result in unauthenticated remote command injection, allowing an actor to partially alter the contents or configuration of the system.
The vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2022-46169
A command injection vulnerability exists in the remote_agent.php file, which can be accessed without authentication.
Impact
Successful exploitation of this vulnerability would allow an attacker to run arbitrary commands with the privileges of the user the web process runs as. Following successful exploitation, threat actors have been observed installing botnets, including the Mirai botnet.
Vulnerability Detection
Cacti developers have released information identifying v1.2.22 as the affected version. Where this version is deployed, patches should be applied.
Affected Products
Cacti v1.2.22
Containment, Mitigations & Remediations
The current recommendations are to patch Cacti instances to the following versions:
– v1.2.23
– v1.3.0
The developers of Cacti have published advice on the Cacti GitHub on how to prevent the disclosed command injection and authorisation bypass.
The authorisation bypass can be mitigated by not allowing an attacker to make “get_client_addr” return an arbitrary IP address, which is achieved by not honouring the “HTTP_…” and “$SERVER” variables.
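As an added illustration of the mitigation just described (not Cacti's own code), the following Python stand-in for the agent's client-address check contrasts a resolver that honours caller-supplied forwarding variables with one that trusts only the socket peer address; the header names, allowlist and request are constructed assumptions, since the page elides the exact variables.

```python
"""
Added example (not Cacti's code): Python stand-in for a remote_agent.php
client-address check, showing why honouring HTTP_* forwarding variables
lets a poller allowlist be bypassed, and the corrected form.
Header names, allowlist and request are assumptions for this example.
"""
import ipaddress

# Constructed allowlist: the only hosts permitted to call the remote agent.
POLLER_ALLOWLIST = {"10.0.0.5"}

# Assumed forwarding variables (the page elides the exact list).
FORWARDING_KEYS = ("HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP", "HTTP_CLIENT_IP")


def get_client_addr_weak(server: dict) -> str:
    """Vulnerable pattern: trusts proxy variables the caller controls."""
    for key in FORWARDING_KEYS:
        if server.get(key):
            # X-Forwarded-For may carry a list; the first entry is taken.
            return server[key].split(",")[0].strip()
    return server.get("REMOTE_ADDR", "")


def get_client_addr_hardened(server: dict) -> str:
    """Corrected pattern: only the socket peer address is trusted."""
    return server.get("REMOTE_ADDR", "")


def is_authorised_poller(server: dict, resolver) -> bool:
    """Authorisation gate in front of the agent's command path."""
    try:
        addr = ipaddress.ip_address(resolver(server))
    except ValueError:
        return False
    return str(addr) in POLLER_ALLOWLIST


# Constructed request: arrives from an untrusted host but carries a
# forwarding variable naming an allowlisted poller.
SPOOFED_REQUEST = {
    "REMOTE_ADDR": "203.0.113.9",
    "HTTP_X_FORWARDED_FOR": "10.0.0.5, 203.0.113.9",
}

if __name__ == "__main__":
    print("weak:", is_authorised_poller(SPOOFED_REQUEST, get_client_addr_weak))
    print("hardened:", is_authorised_poller(SPOOFED_REQUEST, get_client_addr_hardened))
```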
Indicators of Compromise
At the current time, there are no known IOCs available.
Threat Landscape
Cacti is an open-source, web-based network monitoring tool used widely by IT professionals. As such, opportunistic exploitation of this tool could provide a foothold for lateral movement within organisations.
Threat Group
At the time of writing this report, no threat groups have been identified actively using this vulnerability.
MITRE Methodologies
T1133 – External Remote Services
T1190 – Exploit Public-Facing Application
TA0002 – Execution
Further Information
Bleeping Computer Article – Cacti Critical Bug
GitHub – Cacti advisory
MITRE CVE-2022-46169