CVE-2022-46169: Critical vulnerability affects Cacti network graphing solution
Open-source, web-based network monitoring and graphing tool Cacti received an update recently to fix a critical-severity security vulnerability that enabled executing arbitrary code on a server running Cacti.
Cacti provides a robust and extensible operational monitoring and fault management framework for users around the world. Is also a complete network graphing solution designed to harness the power of RRDTool‘s data storage and graphing functionality.
The flaw, tracked as CVE-2022-46169, is a command injection vulnerability that allows unauthenticated attackers to execute arbitrary code on a server running Cacti. The issue has a CVSS severity score of 9.8. The vulnerability exists in the remote_agent.php file. This file can be accessed without authentication.
“After the authorization of the remote_agent.php file is bypassed, an attacker can trigger different actions. One of these actions is called polldata:
“The called function poll_for_data retrieves a few request parameters and loads the corresponding poller_item entries from the database. If the action of a poller_item equals POLLER_ACTION_SCRIPT_PHP, the function proc_open is used to execute a PHP script:
The attacker-controlled parameter $poller_id is retrieved via the function get_nfilter_request_var, which allows arbitrary strings. This variable is later inserted into the string passed to proc_open, which leads to a command injection vulnerability. By e.g. providing the poller_id=;id the id command is executed,” read the security advisories.
CVE-2022-46169 flaw affects all installations for Cacti version 1.22.2. Fortunately, patches are already available. Cacti users are advised to update to the fixed versions (1.2.23 or 1.3.0).