The bulk of Cacti servers that are accessible via the internet has not been updated to address a severe security flaw that was just patched and is currently being actively exploited. Censys, a platform for managing attack surfaces, reports that only 26 out of a total of 6,427 servers were fully running a patched version of Cacti (1.2.23 and 1.3.0).
Affected versions of the open-source, web-based monitoring tool are vulnerable to CVE-2022-46169 (CVSS score: 9.8). A compilation of authentication bypass and command injection that allows an unauthenticated user to carry out arbitrary code. SonarSource was the source of the initial information on the vulnerability, which affects versions 1.2.22 and lower. On December 2, 2022, the problem was reported to the project maintainers.
Unpatched Versions Of Vulnerabilities In Cacti Servers
Stefan Schiller, a SonarSource researcher, stated earlier this month that “a hostname-based authorisation check is not performed correctly for most installations of Cacti,” and that “unsanitized user input is transmitted to a string used to execute an external command.”
The Shadowserver Foundation and GreyNoise have issued warnings about malicious assaults coming from one IP address with a location in Ukraine due to the vulnerability’s public publication, which has also resulted in “exploitation attempts.”
Brazil has the most unpatched versions (1,320), followed by Indonesia, the United States, China, Bangladesh, Russia, Ukraine, the Philippines, Thailand, and the United Kingdom.
Active Exploitation Of SugarCRM Flaw To Drop Web Shells
The development occurred while SugarCRM released patches for a vulnerability that had been made public and was actively leveraged to infect 354 different hosts with a PHP-based web shell, according to a separate advisory from Censys.
The flaw, identified as CVE-2023-22952, relates to an instance of incomplete input validation that may allow the injection of arbitrary PHP code. Versions 11.0.5 and 12.0.2 of SugarCRM both address it.
In the attacks described by Censys, the web shell is utilized as a conduit to carry out extra commands with the same permissions as the person operating the web service on the infected machine. Infections have been documented primarily in the U.S., Germany, Australia, France, and the United Kingdom.
It’s typical for hostile actors to utilize recently discovered vulnerabilities to launch attacks; thus, users must act swiftly to remedy the security gaps.
6,427 Cacti Servers Exposed On The Web
The developer fixed the vulnerability and also offered guidance on avoiding authorization bypass and command injection. The same month, technical information regarding the problem and potential uses for it, along with proof-of-concept (PoC) exploit code that may be used in assaults, began to surface.
A top code quality and security provider, SonarSource, technologies, published a technical write-up of their discovery and a brief video illustrative of the vulnerability on January 3. The Shadowserver Foundation’s security researchers discovered malware-delivery attempts throughout the same day.
The number of exploitation attempts for the CVE-2022-46169 vulnerability in Cacti grew last week, according to data gathered by Shadowserver researchers, and the current total is less than twenty. At first, the exploits set up botnets using malware like Mirai. IRC botnet (PERL-based). This opened a reverse shell on the host and was ordered to perform port scans, another exploit that was installed. The more recent attacks are only scanning for weaknesses.
There are 6,427 Cacti hosts exposed on the web, according to research from the Censys attack surface search platform for Internet-connected devices. However, it is only sometimes feasible to tell how many of them are running a vulnerable version or have updated. However, the business was able to identify 1,637 Cacti hosts that were accessible through the internet and were CVE-2022-46169 susceptible. A large number of these hosts (465) were running the monitoring program’s April 2021 release version 1.1.38.
Only 26 Cacti hosts were running an upgraded release that was immune to the significant issue out of all the Cacti hosts for which Censys could determine the version number. From an attacker’s point of view, accessing an organization’s Cacti instance gives them a chance to discover the kinds of devices on the network and their local IP addresses.
Hackers benefit from this kind of information because it gives them a clear picture of the network and the hosts they might target in an effort to establish a foothold or move on to more valuable systems.
Conclusion
Most Cacti installations exposed to the internet still have a critical-severity command injection vulnerability that is being used in attacks. Cacti is a front-end application for the RRDtool data logging tool. It is a web-based network monitoring and graphing application that is open source and provides an operational monitoring and fault management architecture. Early in December 2022, the tool’s developers made available patches for CVE-2022-46169. This is a critical severity (CVSS score 9.8) command injection flaw that might allow unauthorized attackers to carry out code on the Cacti server if a specific data source was used.
