If you’re running the Cacti network monitoring solution and you haven’t updated it since early December, now is the time to do it to foil attackers exploiting a critical command injection flaw (CVE-2022-46169).
About Cacti and CVE-2022-46169
Cacti is an open-source front-end app for RRDtool, a system for logging and graphing time series data, i.e., data from sensors and systems that is collected at regular intervals to build an evolving picture of whatever one wants to monitor (e.g., application performance, network traffic, user clicks, etc.).
Cacti is usually deployed to monitor network operations and resolve problems arising from things like hardware failure or loss of connectivity.
CVE-2022-46169 is a command injection vulnerability that “allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.”
It was patched on December 5, 2022, and users were advised to upgrade to v1.2.23 and v1.3.0 to plug the hole.
Attackers exploiting CVE-2022-46169
Since then, SonarSource researchers have released technical details about the flaw and a PoC has been published on GitHub. Naturally, in-the-wild exploitation attempts followed.
According to Censys, there are 6,427 Cacti hosts exposed on the internet, though it’s difficult to tell how many are vulnerable.
“Cacti is not the only application used to monitor the health of a set of services or a network; there are many more examples. These types of monitoring tools are excellent targets for attackers. Given that these systems are, in many ways, asset inventory databases, they contain valuable information about the layout and architecture of a network. Since these systems often have some default (usually, at the least, read-only) level of access to entire organizations (monitoring) endpoints, compromising a host like this could be the first step to infiltrating everything,” Censys experts noted.
Aside from regularly updating these types of systems, users should also restrict access to them with firewall rules, VPN or VPC segmentation, and by enabling authentication, they added.
Admins of Cacti servers who have failed to do all that should check their installation for compromise.
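One concrete way to start that compromise check, as an added example that is not code from the article, from Censys or from the Cacti project: scan the web server's access log for requests to the Cacti front-end that come from outside the management networks the firewall rules are supposed to enforce, and for query-string values carrying shell metacharacters of the kind a command-injection payload needs. The script assumes the Cacti virtual host logs in the common "combined" format; the management subnet, the sample log lines and the `/cacti/` paths are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# "combined" access-log format as written by Apache httpd or nginx
# (assumption: the Cacti virtual host logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Characters that have no business in a monitoring front-end's query
# parameters but are exactly what a command-injection payload relies on.
SHELL_META_RE = re.compile(r'[;|`\n]|\$\(|\$\{')

# Constructed sample data: one management subnet and three requests,
# the first of them legitimate.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
SAMPLE_LOG = [
    '10.0.5.12 - - [06/Jan/2023:10:00:01 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [06/Jan/2023:10:00:07 +0000] "GET /cacti/index.php HTTP/1.1" 200 1024 "-" "curl/7.81.0"',
    '203.0.113.44 - - [06/Jan/2023:10:00:09 +0000] "GET /cacti/index.php?id=1%3Bwhoami HTTP/1.1" 200 300 "-" "curl/7.81.0"',
]


def source_allowed(ip_text, networks):
    """True when the client address lies inside one of the permitted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: treat as not allowed
    return any(addr in net for net in networks)


def query_has_shell_meta(path):
    """Decode each query-string value on its own (so the '&' separator itself is
    never flagged) and look for shell metacharacters in the decoded text."""
    query = urlsplit(path).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        if SHELL_META_RE.search(value):
            return True
    return False


def scan_access_log(lines, allowed_networks):
    """Return one finding per suspicious request, each with the reasons it was flagged."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        reasons = []
        if not source_allowed(m["ip"], allowed_networks):
            reasons.append("client outside management networks")
        if query_has_shell_meta(m["path"]):
            reasons.append("shell metacharacters in query string")
        if reasons:
            findings.append(
                {"ip": m["ip"], "time": m["ts"], "path": m["path"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, MANAGEMENT_NETS):
        print(f"{f['time']} {f['ip']} {f['path']}: {', '.join(f['reasons'])}")
```

Run against the real access log, the first reason is the more useful one: any hit from outside the management networks means the firewall or VPN restriction Censys recommends is not actually in place, whatever the request contained. A clean scan is not proof of no compromise (an attacker who already has a foothold can delete or rotate logs), so it complements, rather than replaces, checking the installed version against the patched releases and reviewing the host itself.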