www.belgium.be Logo of the federal government

WARNING: HACKERS ARE ACTIVELY EXPLOITING AN UNAUTHENTICATED CRITICAL COMMAND INJECTION VULNERABILITY IN CACTI, PATCH IMMEDIATELY!

Reference: 
Advisory #2023-08
Version: 
1.0
Affected software: 
Cacti v. 1.2.22
Type: 
Unauthenticated command injection
CVE/CVSS: 

CVE-2022-46169 CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf

Risks

Cacti is an operational and fault management monitoring solution for network devices with a graphical user interface.

Gaining access to the Cacti instance of an organization gives an attacker the opportunity to collect intelligence about the type of devices on the network and the associated IP addresses. Attackers can use the acquired intelligence to gain a foothold and/or to move laterally inside the network Attackers are actively exploiting CVE-2022-46169.

Observations indicate that attackers are leveraging CVE-2022-46169 to install botnets, such as the Mirai malware and/or a reverse shell on the host with the intent to run port scans.

The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.

Description

The attack does not require user interaction and can be executed remotely without privileges.

This command injection vulnerability can be used to execute arbitrary commands if a “poller_item” with the action type “poller_action_script_php” (2) is configured.

CVE-2022-46169 is a command injection vulnerability that resides in the “remote_agent.php” file, which can be accessed without authentication.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends Windows system administrators to take the following actions:

Update vulnerable Cacti instances immediately to the most recent build available: https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf

Upscale monitoring and detection capabilities to detect any related suspicious activity to ensure a fast response in case of an intrusion.

References

https://securityaffairs.com/140797/hacking/cacti-servers-cve-2022-46169-flaw.html