Headline
Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability
A majority of internet-exposed Cacti servers have not been patched against a recently patched critical security vulnerability that has come under active exploitation in the wild. That’s according to attack surface management platform Censys, which found only 26 out of a total of 6,427 servers to be running a patched version of Cacti (1.2.23 and 1.3.0). The issue in question relates to
Server Security / Patch Management
A majority of internet-exposed Cacti servers have not been patched against a recently patched critical security vulnerability that has come under active exploitation in the wild.
That’s according to attack surface management platform Censys, which found only 26 out of a total of 6,427 servers to be running a patched version of Cacti (1.2.23 and 1.3.0).
The issue in question relates to CVE-2022-46169 (CVSS score: 9.8), a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution.
Details about the flaw, which impacts versions 1.2.22 and below, were first revealed by SonarSource. The flaw was reported to the project maintainers on December 2, 2022.
“A hostname-based authorization check is not implemented safely for most installations of Cacti,” SonarSource researcher Stefan Schiller noted earlier this month, adding “unsanitized user input is propagated to a string used to execute an external command.”
The public disclosure of the vulnerability has also led to “exploitation attempts,” with the Shadowserver Foundation and GreyNoise warning of malicious attacks originating from one IP address located in Ukraine so far.
A majority of the unpatched versions (1,320) are located in Brazil, followed by Indonesia, the U.S., China, Bangladesh, Russia, Ukraine, the Philippines, Thailand, and the U.K.
SugarCRM Flaw Actively Exploited to Drop Web Shells
The development comes as SugarCRM shipped fixes for a publicly disclosed vulnerability that has also been actively weaponized to drop a PHP-based web shell on 354 unique hosts, Censys said in an independent advisory.
The bug, tracked as CVE-2023-22952, concerns a case of missing input validation that could result in injection of arbitrary PHP code. It has been addressed in SugarCRM versions 11.0.5 and 12.0.2.
In the attacks detailed by Censys, the web shell is used as a conduit to execute additional commands on the infected machine with the same permissions as the user running the web service. A majority of the infections have been reported in the U.S., Germany, Australia, France, and the U.K.
It’s not uncommon for malicious actors to capitalize on newly disclosed vulnerabilities to carry out their attacks, making it imperative that users move quickly plug the security holes.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in hacks targeting unpatched systems. This entails the abuse of CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) to deliver MooBot and ShellBot (aka PerlBot), Fortinet FortiGuard Labs said in a report published this week. CVE-2022-46169 relates to a critical
Cacti version 1.2.22 suffers from a remote command execution vulnerability.
This Metasploit module exploits CVE-2023-22952, a remote code execution vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 2 added two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product. "Oracle
This Metasploit module exploits an unauthenticated command injection vulnerability in Cacti versions through 1.2.22 in order to achieve unauthenticated remote code execution as the www-data user.
In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
Debian Linux Security Advisory 5298-1 - Two security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in unauthenticated command injection or LDAP authentication bypass.
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVE...