Cacti vulnerability is a critical security issue

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity Level: Critical. Common Vulnerability Scoring System (CVSS) base score of 9.8. Exploitation results in unauthenticated remote command execution on the Cacti host, giving an actor the ability to read and alter any content or configuration the web server account can reach.

The vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2022-46169

The flaw is a command injection in the remote_agent.php file, the endpoint Cacti exposes for its remote pollers. The file does not require a login; instead it authorises a caller by checking whether the client address returned by get_client_addr() matches a configured poller. Because that function honours client-supplied headers such as X-Forwarded-For, an unauthenticated remote attacker can spoof a trusted address and reach the polldata action, where the poller_id request parameter is concatenated unsanitised into a shell command. Exploitation requires that at least one monitored device has a data source handled by the PHP script server; the accompanying host_id and local_data_ids values are small integers and are trivially brute-forced.

Impact

Successful exploitation allows an attacker to run arbitrary commands with the privileges of the web server account (typically www-data or apache). Following successful exploitation, threat actors have been observed deploying botnet malware, including the Mirai botnet.

Vulnerability Detection

The Cacti developers' advisory identifies v1.2.22 as the affected release. The running version can be confirmed in the Cacti web console (About page) or by reading the include/cacti_version file in the installation directory. Any instance on v1.2.22 should be patched.

Affected Products

Cacti v1.2.22

Containment, Mitigations & Remediations

The current recommendation is to patch Cacti instances to one of the following fixed versions:

– v1.2.23
– v1.3.0

The developers of Cacti have published a security advisory on the Cacti GitHub repository describing how to prevent both the disclosed command injection and the authorisation bypass.

The authorisation bypass can be mitigated by ensuring an attacker cannot make get_client_addr() return an arbitrary IP address. This is achieved by not honouring the client-controlled HTTP_* entries in $_SERVER (such as HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP) and relying on REMOTE_ADDR alone; where a reverse proxy makes those headers necessary, a value of localhost or 127.0.0.1 must never be accepted from them. The command injection is closed by validating the poller_id request parameter as an integer (or shell-escaping it) before it reaches the command line.
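Because the bypass and the injection both leave a distinctive trace in the web server's request log, the following added example (not part of the bulletin or of Cacti) flags the two signatures described above: requests to remote_agent.php whose X-Forwarded-For header claims a loopback or poller address, and a poller_id value that is not a plain integer. It assumes an Apache-style combined log extended with the X-Forwarded-For header (LogFormat `%h %l %u %t "%r" %>s %b "%{X-Forwarded-For}i"`); the poller addresses and the log lines are constructed for illustration.

```python
"""Flag suspicious remote_agent.php requests in Cacti web server access logs.

Added example, not code from the bulletin or the Cacti project. Assumes an
Apache-style combined log with a trailing quoted X-Forwarded-For field, e.g.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"".
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical addresses of the legitimate Cacti pollers for this deployment.
TRUSTED_POLLERS = {"127.0.0.1", "10.0.0.5"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<xff>[^"]*)"$'
)

# Constructed sample: a legitimate poller, an attacker spoofing 127.0.0.1 with
# an injected poller_id ("1%3Bid" decodes to "1;id"), an unrelated page view,
# and a probe from an untrusted address that the server rejected.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2023:09:00:01 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=2&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 132 "-"
198.51.100.23 - - [10/Jan/2023:09:00:07 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1%3Bid&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 512 "127.0.0.1"
198.51.100.23 - - [10/Jan/2023:09:00:09 +0000] "GET /cacti/index.php HTTP/1.1" 200 4091 "-"
203.0.113.9 - - [10/Jan/2023:09:01:44 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1&host_id=3&local_data_ids[]=12 HTTP/1.1" 403 0 "-"
"""


def _claims_trusted(xff: str) -> bool:
    """True if any hop in X-Forwarded-For is a loopback or configured poller address."""
    for hop in (h.strip() for h in xff.split(",")):
        if not hop or hop == "-":
            continue
        if hop in TRUSTED_POLLERS:
            return True
        try:
            if ipaddress.ip_address(hop).is_loopback:
                return True
        except ValueError:
            continue  # not an IP literal; nothing to trust
    return False


def analyse(log_text: str) -> list[dict]:
    """Return one finding per suspicious remote_agent.php request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if not url.path.endswith("/remote_agent.php"):
            continue
        reasons = []
        src = m["src"]
        if src not in TRUSTED_POLLERS:
            reasons.append("request to remote_agent.php from a non-poller address")
        if _claims_trusted(m["xff"]):
            reasons.append("X-Forwarded-For claims a loopback/poller address (auth bypass)")
        # poller_id must be a bare integer; anything else is a shell-injection attempt.
        for value in parse_qs(url.query).get("poller_id", []):
            if not re.fullmatch(r"\d+", value):
                reasons.append(f"non-numeric poller_id {value!r} (command injection attempt)")
        if reasons:
            findings.append({"src": src, "time": m["time"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} HTTP {f['status']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

A request to remote_agent.php from an address that is not a configured poller is worth reviewing even when the server answered 403, since an attacker has to guess host_id and local_data_ids values and will usually generate several failed attempts before a successful one. If Cacti sits behind a reverse proxy, the source address will be the proxy and legitimate pollers will appear in X-Forwarded-For; in that deployment, drop the source-address rule and treat only loopback values in the header as suspicious.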

Indicators of Compromise

At the current time, there are no known network or file-based IOCs available. Locally, web server access logs showing requests to remote_agent.php from addresses other than the configured pollers are the most useful indicator of attempted or successful exploitation.

Threat Landscape

Cacti is an open-source, web-based network monitoring tool widely used by IT professionals. A Cacti server typically holds SNMP community strings and other credentials for the devices it monitors, so opportunistic compromise of an internet-facing instance can provide a foothold for lateral movement within an organisation.

Threat Group

At the time of writing this report, no named threat groups have been identified actively exploiting this vulnerability; observed activity has been opportunistic botnet deployment.

Mitre Methodologies

T1133 – External Remote Services
T1190 – Exploit Public-Facing Application
TA0002 – Execution

Further Information

Bleeping Computer Article – Cacti Critical Bug

GitHub – Cacti advisory
MITRE CVE-2022-46169

Intelligence Terminology Yardstick