Cacti Monitoring Tool Spiked by Critical SQL Injection Vulnerability

Published: 23/11/2024   Category: security



Attackers can exploit the issue to access all data in Cacti database; and, it enables RCE when chained with a previous vulnerability.



A critical vulnerability in the Cacti Web-based open source framework for monitoring network performance gives attackers a way to disclose Cacti's entire database contents — presenting a prickly risk for organizations.
Thousands of websites use Cacti to collect network performance information such as bandwidth utilization, CPU and memory usage, and disk I/O — from devices such as routers, switches, and servers. Organizations feed the collected data into the Round Robin Database tool (RRDTool) to produce graphs and other visualizations of those metrics.
As such, it has reach into the entire IT footprint within an organization — offering invaluable reconnaissance opportunities for cyberattackers, as well as a pivot point to go deeper into the network.
Importantly, an attacker could also chain CVE-2023-51448 with another, previously disclosed Cacti vulnerability, CVE-2023-49084, to achieve remote code execution (RCE) on vulnerable systems.
The vulnerability, tracked as CVE-2023-51448, is present in Cacti version 1.2.25. Cacti has released an updated version of the software that addresses the bug.
The issue has to do with the app not properly sanitizing input data, thereby leaving the path open for what is known as a blind SQL injection attack. GitHub has assigned the vulnerability a severity rating of 8.8 out of a maximum possible 10 on the CVSS 3.1 scale and described it as an issue that requires an attacker to have only low privileges to exploit.
Matthew Hogg, a security researcher from Synopsys who discovered the vulnerability and reported it to the maintainers of Cacti last month, says an attacker would need an authenticated account with the Settings/Utilities privilege to exploit the flaw.
"Finding systems running Cacti is trivial, as a malicious actor can use a service like Shodan to query for live systems," Hogg says. "A malicious actor, using [Shodan], could automate their initial reconnaissance to find systems running vulnerable versions to focus their activities."
As of Monday morning, a Shodan search listed more than 4,000 Cacti hosts that are potentially running vulnerable versions of Cacti, he says.
According to Hogg, to trigger CVE-2023-51448, an authenticated attacker with Settings/Utilities privileges would need to send a specially crafted HTTP GET request with an SQL injection payload to the endpoint /managers.php.
Using a blind SQL technique, an attacker can disclose Cacti database contents or trigger remote code execution (RCE), Hogg says.
In a blind SQL injection attack, the attackers do not see the direct result of an injected SQL query. Instead, they must infer it from how the application responds.
"'Blind' is often used to describe SQL injection in which the results are not directly returned to the attacker but are inferred out-of-band using an oracle," Hogg says, referring to external sources of information such as error messages and timing delays. "In this case a time-based oracle can be used to check if some Boolean condition is met. The differential between response times is used to evaluate if the condition was met, which could, for example, be checking the value of a character the attacker wants to leak."
Blind SQL injection attacks are hard to pull off on a mass scale. However, an attacker with access to an account with the required privileges can exploit the vulnerability in Cacti with ease, Hogg notes. "Blind SQL Injections are easy to execute, but difficult to exploit due to the nature of the attack vector."
However, referring to the potential for chaining the vulnerability with the aforementioned bug, the security researcher says: "A competent attacker who satisfies the prerequisites for CVE-2023-49084 would be able to execute CVE-2023-51448 in a trivial manner."
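The time-based oracle Hogg describes leaves a recognizable trace in web server logs: one authenticated client hitting the same endpoint with varying parameters and receiving a mix of near-baseline and multi-second responses. The detector below is an example added to this article; it is not code from Cacti or from the researcher. It parses constructed Apache-style access-log lines (combined format with the request service time in microseconds appended) and flags a client/endpoint pair on either of two signals: a SQL time-delay function in the decoded query string, or a mixed fast/slow response pattern from the same client. The sample lines, the two-second "slow" threshold, and the minimum count of slow requests are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log (assumption): Apache combined format with "%D"
# (service time in microseconds) appended as the final field.
SAMPLE_LOG = """\
203.0.113.7 - admin [20/Dec/2023:10:00:01 +0000] "GET /managers.php?action=edit&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 41000
203.0.113.7 - admin [20/Dec/2023:10:00:02 +0000] "GET /managers.php?action=edit&id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5043000
203.0.113.7 - admin [20/Dec/2023:10:00:08 +0000] "GET /managers.php?action=edit&id=1%20AND%20IF(1=1,SLEEP(5),0) HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5039000
198.51.100.4 - bob [20/Dec/2023:10:00:09 +0000] "GET /graph_view.php?action=tree HTTP/1.1" 200 8810 "-" "Mozilla/5.0" 62000
203.0.113.7 - admin [20/Dec/2023:10:00:14 +0000] "GET /managers.php?action=edit&id=1%20AND%20IF(1=2,SLEEP(5),0) HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 44000
198.51.100.4 - bob [20/Dec/2023:10:00:20 +0000] "GET /graph_view.php?action=tree&node=2 HTTP/1.1" 200 99120 "-" "Mozilla/5.0" 3100000
"""

# Combined log format plus a trailing integer microsecond field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<usec>\d+)$'
)

# Database time-delay functions commonly used to build a timing oracle.
TIME_FUNC_RE = re.compile(
    r'\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.I
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    return {
        'ip': m.group('ip'),
        'user': m.group('user'),
        'path': parts.path,
        # Decode percent-encoding so the regex sees the literal query text.
        'query': unquote_plus(parts.query),
        'status': int(m.group('status')),
        'usec': int(m.group('usec')),
    }


def analyze(log_text, slow_usec=2_000_000, min_slow=2):
    """Group requests by (client, endpoint) and return the pairs worth a look.

    A pair is reported when a time-delay SQL function appears in its query
    strings, or when the client saw at least `min_slow` slow responses while
    also seeing fast ones: the alternating pattern a timing oracle produces.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec['ip'], rec['path'])].append(rec)

    findings = []
    for (ip, path), recs in sorted(groups.items()):
        slow = sum(1 for r in recs if r['usec'] >= slow_usec)
        keyword_hits = sum(1 for r in recs if TIME_FUNC_RE.search(r['query']))
        reasons = []
        if keyword_hits:
            reasons.append('time-delay SQL function in query string')
        if min_slow <= slow < len(recs):
            reasons.append('mixed fast/slow responses to varying parameters')
        if reasons:
            findings.append({
                'ip': ip,
                'path': path,
                'users': sorted({r['user'] for r in recs}),
                'requests': len(recs),
                'slow': slow,
                'keyword_hits': keyword_hits,
                'distinct_queries': len({r['query'] for r in recs}),
                'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']}: {f['requests']} requests, "
              f"{f['slow']} slow, {f['keyword_hits']} keyword hits; "
              f"reasons: {'; '.join(f['reasons'])}")
```

The latency signal matters because the keyword check alone is easy to defeat with alternative encodings, while the response-time differential is the mechanism the oracle depends on and cannot be hidden from the server's own timing field. Tuning `slow_usec` to the endpoint's normal service time keeps a single legitimately slow graph render, as in the last sample line, from producing a finding on its own.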
The latest vulnerability is one of several that researchers have reported in Cacti over the past year. One of the more serious among them is CVE-2022-46169, an unauthenticated command injection vulnerability disclosed last January, for which an exploit became publicly available a few months later. Another is CVE-2023-39362, a vulnerability disclosed in June for which exploits became publicly available in October.
