cve-2022-46169
Vulnerability from cvelistv5
Published
2022-12-05 20:48
Modified
2024-08-03 14:24
Severity ?
EPSS score ?
Summary
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`.
This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.
References
CISA Known exploited vulnerability
Data from the Known Exploited Vulnerabilities Catalog
Date added: 2023-02-16
Due date: 2023-03-09
Required action: Apply updates per vendor instructions.
Used in ransomware: Unknown
Notes: https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf; https://nvd.nist.gov/vuln/detail/CVE-2022-46169
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:cacti:cacti:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "cacti", "vendor": "cacti", "versions": [ { "lessThan": "1.2.23", "status": "affected", "version": "-", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2022-46169", "options": [ { "Exploitation": "active" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-05-13T17:39:57.218915Z", "version": "2.0.3" }, "type": "ssvc" } }, { "other": { "content": { "dateAdded": "2023-02-16", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2022-46169" }, "type": "kev" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:16:07.313Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-03T14:24:03.319Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf" }, { "name": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216" }, { "name": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9" }, { "name": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "cacti", "vendor": "Cacti", "versions": [ { "status": "affected", "version": "\u003c 1.2.23" } ] } ], "descriptions": [ { "lang": "en", "value": "Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: \u003cTARGETIP\u003e`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`.\n\nThis command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-05T20:48:07.852Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf" }, { "name": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216" }, { "name": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9" }, { "name": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b" } ], "source": { "advisory": "GHSA-6p93-p743-35gf", "discovery": "UNKNOWN" }, "title": "Unauthenticated Command Injection" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-46169", "datePublished": "2022-12-05T20:48:07.852Z", "dateReserved": "2022-11-28T17:27:19.998Z", "dateUpdated": "2024-08-03T14:24:03.319Z", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "cisa_known_exploited": { "cveID": "CVE-2022-46169", "cwes": "[\"CWE-74\"]", "dateAdded": "2023-02-16", "dueDate": "2023-03-09", "knownRansomwareCampaignUse": "Unknown", "notes": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf; https://nvd.nist.gov/vuln/detail/CVE-2022-46169", "product": "Cacti", "requiredAction": "Apply updates per vendor instructions.", "shortDescription": "Cacti contains a command injection vulnerability that allows an unauthenticated user to execute code.", "vendorProject": "Cacti", "vulnerabilityName": "Cacti Command Injection Vulnerability" }, "fkie_nvd": { "cisaActionDue": "2023-03-09", "cisaExploitAdd": "2023-02-16", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Cacti Command Injection Vulnerability", "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.2.23\", \"matchCriteriaId\": \"B252EEC1-25BE-428B-96CA-22A0E812D3BA\"}]}]}]", "descriptions": "[{\"lang\": \"en\", \"value\": \"Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: \u003cTARGETIP\u003e`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`.\\n\\nThis command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.\"}, {\"lang\": \"es\", \"value\": \"Cacti es una plataforma de c\\u00f3digo abierto que proporciona un framework de gesti\\u00f3n de fallos y supervisi\\u00f3n operativa robusta y extensible para los usuarios. En las versiones afectadas, una vulnerabilidad de inyecci\\u00f3n de comandos permite a un usuario no autenticado ejecutar c\\u00f3digo arbitrario en un servidor que ejecuta Cacti, si se seleccion\\u00f3 una fuente de datos espec\\u00edfica para cualquier dispositivo monitoreado. La vulnerabilidad reside en el archivo `remote_agent.php`. Se puede acceder a este archivo sin autenticaci\\u00f3n. Esta funci\\u00f3n recupera la direcci\\u00f3n IP del cliente a trav\\u00e9s de `get_client_addr` y resuelve esta direcci\\u00f3n IP en el nombre de host correspondiente a trav\\u00e9s de `gethostbyaddr`. Despu\\u00e9s de esto, se verifica que existe una entrada dentro de la tabla `poller`, donde el nombre de host corresponde al nombre de host resuelto. Si se encuentra dicha entrada, la funci\\u00f3n devuelve \\\"verdadero\\\" y el cliente est\\u00e1 autorizado. Esta autorizaci\\u00f3n se puede omitir debido a la implementaci\\u00f3n de la funci\\u00f3n `get_client_addr`. La funci\\u00f3n se define en el archivo `lib/functions.php` y verifica las variables serval `$_SERVER` para determinar la direcci\\u00f3n IP del cliente. Un atacante puede establecer arbitrariamente las variables que comienzan con `HTTP_`. Dado que hay una entrada predeterminada en la tabla `poller` con el nombre de host del servidor que ejecuta Cacti, un atacante puede omitir la autenticaci\\u00f3n, por ejemplo, proporcionando el encabezado `Forwarded-For: `. De esta forma, la funci\\u00f3n `get_client_addr` devuelve la direcci\\u00f3n IP del servidor que ejecuta Cacti. La siguiente llamada a `gethostbyaddr` resolver\\u00e1 esta direcci\\u00f3n IP en el nombre de host del servidor, que pasar\\u00e1 la verificaci\\u00f3n del nombre de host `poller` debido a la entrada predeterminada. Despu\\u00e9s de omitir la autorizaci\\u00f3n del archivo `remote_agent.php`, un atacante puede desencadenar diferentes acciones. Una de estas acciones se llama \\\"polldata\\\". La funci\\u00f3n llamada `poll_for_data` recupera algunos par\\u00e1metros de solicitud y carga las entradas correspondientes de `poller_item` de la base de datos. Si la `acci\\u00f3n` de un `poller_item` es igual a `POLLER_ACTION_SCRIPT_PHP`, la funci\\u00f3n `proc_open` se usa para ejecutar un script PHP. El par\\u00e1metro controlado por el atacante `$poller_id` se recupera mediante la funci\\u00f3n `get_nfilter_request_var`, que permite cadenas arbitrarias. Esta variable luego se inserta en la cadena pasada a `proc_open`, lo que genera una vulnerabilidad de inyecci\\u00f3n de comando. Por ejemplo, al proporcionar `poller_id=;id`, se ejecuta el comando `id`. Para llegar a la llamada vulnerable, el atacante debe proporcionar un `host_id` y un `local_data_id`, donde la `acci\\u00f3n` del `poller_item` correspondiente est\\u00e1 configurada en `POLLER_ACTION_SCRIPT_PHP`. Ambos identificadores (`host_id` y `local_data_id`) pueden ser f\\u00e1cilmente forzados por fuerza bruta. El \\u00fanico requisito es que exista un `poller_item` con una acci\\u00f3n `POLLER_ACTION_SCRIPT_PHP`. Es muy probable que esto ocurra en una instancia productiva porque esta acci\\u00f3n se agrega mediante algunas plantillas predefinidas como \\\"Device - Uptime` o \\\"Dispositivo - Polling Time\\\". Esta vulnerabilidad de inyecci\\u00f3n de comandos permite a un usuario no autenticado ejecutar comandos arbitrarios si se configura un `poller_item` con el tipo `action` `POLLER_ACTION_SCRIPT_PHP` (`2`). La omisi\\u00f3n de autorizaci\\u00f3n debe evitarse al no permitir que un atacante haga que `get_client_addr` (archivo `lib/functions.php`) devuelva una direcci\\u00f3n IP arbitraria. Esto podr\\u00eda hacerse al no respetar las variables `HTTP_...` `$_SERVER`. Si se deben conservar por razones de compatibilidad, al menos se debe evitar falsificar la direcci\\u00f3n IP del servidor que ejecuta Cacti. Esta vulnerabilidad se ha solucionado en las versiones 1.2.x y 1.3.x, siendo `1.2.23` la primera versi\\u00f3n que contiene el parche.\"}]", "id": "CVE-2022-46169", "lastModified": "2024-11-21T07:30:14.963", "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}", "published": "2022-12-05T21:15:10.527", "references": "[{\"url\": \"https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Mitigation\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mitigation\", \"Patch\", \"Third Party Advisory\"]}]", "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-74\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}, {\"lang\": \"en\", \"value\": \"CWE-863\"}]}]" }, "nvd": "{\"cve\":{\"id\":\"CVE-2022-46169\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-12-05T21:15:10.527\",\"lastModified\":\"2024-11-21T07:30:14.963\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: \u003cTARGETIP\u003e`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`.\\n\\nThis command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.\"},{\"lang\":\"es\",\"value\":\"Cacti es una plataforma de c\u00f3digo abierto que proporciona un framework de gesti\u00f3n de fallos y supervisi\u00f3n operativa robusta y extensible para los usuarios. En las versiones afectadas, una vulnerabilidad de inyecci\u00f3n de comandos permite a un usuario no autenticado ejecutar c\u00f3digo arbitrario en un servidor que ejecuta Cacti, si se seleccion\u00f3 una fuente de datos espec\u00edfica para cualquier dispositivo monitoreado. La vulnerabilidad reside en el archivo `remote_agent.php`. Se puede acceder a este archivo sin autenticaci\u00f3n. Esta funci\u00f3n recupera la direcci\u00f3n IP del cliente a trav\u00e9s de `get_client_addr` y resuelve esta direcci\u00f3n IP en el nombre de host correspondiente a trav\u00e9s de `gethostbyaddr`. Despu\u00e9s de esto, se verifica que existe una entrada dentro de la tabla `poller`, donde el nombre de host corresponde al nombre de host resuelto. Si se encuentra dicha entrada, la funci\u00f3n devuelve \\\"verdadero\\\" y el cliente est\u00e1 autorizado. Esta autorizaci\u00f3n se puede omitir debido a la implementaci\u00f3n de la funci\u00f3n `get_client_addr`. La funci\u00f3n se define en el archivo `lib/functions.php` y verifica las variables serval `$_SERVER` para determinar la direcci\u00f3n IP del cliente. Un atacante puede establecer arbitrariamente las variables que comienzan con `HTTP_`. Dado que hay una entrada predeterminada en la tabla `poller` con el nombre de host del servidor que ejecuta Cacti, un atacante puede omitir la autenticaci\u00f3n, por ejemplo, proporcionando el encabezado `Forwarded-For: `. De esta forma, la funci\u00f3n `get_client_addr` devuelve la direcci\u00f3n IP del servidor que ejecuta Cacti. La siguiente llamada a `gethostbyaddr` resolver\u00e1 esta direcci\u00f3n IP en el nombre de host del servidor, que pasar\u00e1 la verificaci\u00f3n del nombre de host `poller` debido a la entrada predeterminada. Despu\u00e9s de omitir la autorizaci\u00f3n del archivo `remote_agent.php`, un atacante puede desencadenar diferentes acciones. Una de estas acciones se llama \\\"polldata\\\". La funci\u00f3n llamada `poll_for_data` recupera algunos par\u00e1metros de solicitud y carga las entradas correspondientes de `poller_item` de la base de datos. Si la `acci\u00f3n` de un `poller_item` es igual a `POLLER_ACTION_SCRIPT_PHP`, la funci\u00f3n `proc_open` se usa para ejecutar un script PHP. El par\u00e1metro controlado por el atacante `$poller_id` se recupera mediante la funci\u00f3n `get_nfilter_request_var`, que permite cadenas arbitrarias. Esta variable luego se inserta en la cadena pasada a `proc_open`, lo que genera una vulnerabilidad de inyecci\u00f3n de comando. Por ejemplo, al proporcionar `poller_id=;id`, se ejecuta el comando `id`. Para llegar a la llamada vulnerable, el atacante debe proporcionar un `host_id` y un `local_data_id`, donde la `acci\u00f3n` del `poller_item` correspondiente est\u00e1 configurada en `POLLER_ACTION_SCRIPT_PHP`. Ambos identificadores (`host_id` y `local_data_id`) pueden ser f\u00e1cilmente forzados por fuerza bruta. El \u00fanico requisito es que exista un `poller_item` con una acci\u00f3n `POLLER_ACTION_SCRIPT_PHP`. Es muy probable que esto ocurra en una instancia productiva porque esta acci\u00f3n se agrega mediante algunas plantillas predefinidas como \\\"Device - Uptime` o \\\"Dispositivo - Polling Time\\\". Esta vulnerabilidad de inyecci\u00f3n de comandos permite a un usuario no autenticado ejecutar comandos arbitrarios si se configura un `poller_item` con el tipo `action` `POLLER_ACTION_SCRIPT_PHP` (`2`). La omisi\u00f3n de autorizaci\u00f3n debe evitarse al no permitir que un atacante haga que `get_client_addr` (archivo `lib/functions.php`) devuelva una direcci\u00f3n IP arbitraria. Esto podr\u00eda hacerse al no respetar las variables `HTTP_...` `$_SERVER`. Si se deben conservar por razones de compatibilidad, al menos se debe evitar falsificar la direcci\u00f3n IP del servidor que ejecuta Cacti. Esta vulnerabilidad se ha solucionado en las versiones 1.2.x y 1.3.x, siendo `1.2.23` la primera versi\u00f3n que contiene el parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2023-02-16\",\"cisaActionDue\":\"2023-03-09\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Cacti Command Injection Vulnerability\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.23\",\"matchCriteriaId\":\"B252EEC1-25BE-428B-96CA-22A0E812D3BA\"}]}]}],\"references\":[{\"url\":\"https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.