CVE-2022-46169
Cacti vulnerability analysis and mitigation

Overview

CVE-2022-46169 is a critical command injection vulnerability in Cacti, an open-source network monitoring and graphing solution. Disclosed on December 5, 2022, it allows an unauthenticated attacker to execute arbitrary commands on a server running Cacti, provided a specific kind of data source (one polled through the PHP Script Server) is configured for any monitored device. All Cacti releases up to and including 1.2.22 are affected; the vulnerability carries a CVSS score of 9.8 (GitHub Advisory, NVD).

Technical details

The vulnerability resides in the file remote_agent.php, which can be reached without authentication. It combines two flaws: an authorization bypass in the get_client_addr function and a command injection in the poll_for_data function. remote_agent.php decides whether a caller is a legitimate remote poller by resolving the client address returned by get_client_addr to a hostname and checking that hostname against the poller table, which contains a default entry for the Cacti server itself. The bypass works because get_client_addr (in lib/functions.php) consults several $_SERVER variables, including ones populated from HTTP_* request headers that the client controls. By sending an X-Forwarded-For (or similar forwarding) header that names the Cacti server's own IP address, an attacker makes the resolved hostname match the default poller entry and is treated as authorized. Once past that check, the polldata action calls poll_for_data, which reads the poller_id request parameter through get_nfilter_request_var (no filtering) and, for poller items whose action is POLLER_ACTION_SCRIPT_PHP, interpolates it into the command string handed to proc_open. A poller_id containing shell metacharacters, such as a semicolon followed by a command, is therefore executed by the shell on the server (GitHub Advisory).

Impact

The vulnerability allows unauthenticated attackers to execute arbitrary commands on affected Cacti servers in the context of the web server process. This can lead to complete system compromise: attackers can read sensitive information, modify system configuration, and establish persistent access. The impact is particularly severe because a Cacti host typically documents the network architecture, stores credentials such as SNMP community strings for the devices it polls, and has network reach to all of them, making it a natural pivot point (Censys).

Mitigation and workarounds

The vulnerability is fixed in Cacti 1.2.23 and 1.3.0, and organizations should upgrade immediately; no configuration change removes the flaw, since any client that can reach remote_agent.php can exploit it. The fix closes the authorization bypass by stopping get_client_addr from trusting arbitrary client-supplied addresses and adds validation of the poller_id parameter before it is used. Where an upgrade must wait, reduce exposure by placing the monitoring service behind a VPN or inside a private VPC segment and by restricting access to remote_agent.php (and ideally the whole Cacti instance) to the addresses of the remote pollers that legitimately call it; also review web server logs for requests to remote_agent.php from any other address (GitHub Advisory).
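As an added example, and not code from the page, the advisory, or the Cacti project, the Python below turns the technical details and the mitigation advice above into two triage checks: whether a given Cacti version string falls in the affected range, and which web server access-log lines look like exploitation of the remote_agent.php polldata action (a poller_id that is not a plain integer, or any request to remote_agent.php from an address that is not one of your remote pollers). The log lines, IP addresses, user-agent strings and the known_pollers set are constructed for the example; the log format assumed is Apache's combined format. The spoofed forwarding header used for the authorization bypass is not recorded in that format, so the check keys on the query string and the source address instead.

```python
"""
Added example for CVE-2022-46169 triage; this is not Cacti project code.

Two checks a defender wants after reading the sections above:
  1. is_vulnerable(): is a given Cacti version in the affected range
     (everything up to and including 1.2.22; 1.2.23 and 1.3.0 are fixed)?
  2. scan_access_log(): which access-log lines look like the exploit, i.e.
     remote_agent.php?action=polldata with a poller_id that is not a plain
     integer (a real remote poller sends its numeric id; the injection needs
     shell metacharacters in that value), or any hit on remote_agent.php
     from an address that is not one of our own pollers.
The spoofed X-Forwarded-For header used for the auth bypass is not in the
default combined log format, so the query string and source IP are the keys.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# First fixed release on the 1.2 branch; 1.3.0 compares greater and is also fixed.
FIRST_FIXED = (1, 2, 23)

# Apache "combined" access-log line (nginx's default format has the same shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_version(version):
    """'1.2.22' -> (1, 2, 22); tolerates a leading 'v' and a two-part '1.2'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Cacti version: {version!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_vulnerable(version):
    """True for every release up to and including 1.2.22."""
    return parse_version(version) < FIRST_FIXED


def classify_request(target, ip, known_pollers):
    """Reason string if the request matches the exploit shape, else None."""
    parts = urlsplit(target)
    if unquote(parts.path).rsplit("/", 1)[-1] != "remote_agent.php":
        return None
    # Only Cacti's own remote pollers have any business calling this endpoint.
    if known_pollers and ip not in known_pollers:
        return "remote_agent.php requested from an address that is not a known poller"
    qs = parse_qs(parts.query, keep_blank_values=True)  # values come back URL-decoded
    if qs.get("action", [""])[0] != "polldata":
        return None
    poller_id = qs.get("poller_id", [None])[0]
    if poller_id is None or re.fullmatch(r"\d+", poller_id):
        return None  # numeric id: nothing for the shell to interpret
    return f"polldata with non-numeric poller_id {poller_id!r}"


def scan_access_log(lines, known_pollers=frozenset()):
    """Return (ip, timestamp, reason) for every suspicious line.

    POST bodies are not logged, so a POSTed exploit is only caught by the
    known-poller address check; pass known_pollers whenever you can.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["target"], m["ip"], known_pollers)
        if reason:
            findings.append((m["ip"], m["time"], reason))
    return findings


# Constructed sample log: one exploit attempt, one legitimate poller call,
# one probe of another action, one unrelated request. Addresses and
# user-agents are made up for the example (assumption: 10.0.0.12 is our poller).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2023:14:02:11 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&poller_id=1%3Bid&local_data_ids%5B%5D=1 HTTP/1.1" 200 73 "-" "python-requests/2.28.1"
10.0.0.12 - - [10/Jan/2023:14:02:30 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=3&poller_id=2&local_data_ids%5B%5D=7 HTTP/1.1" 200 512 "-" "Cacti-Poller"
203.0.113.5 - - [10/Jan/2023:14:03:01 +0000] "GET /cacti/remote_agent.php?action=ping HTTP/1.1" 403 12 "-" "curl/7.81.0"
198.51.100.9 - - [10/Jan/2023:14:05:44 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for v in ("1.2.22", "1.2.23", "1.3.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for ip, ts, why in scan_access_log(SAMPLE_LOG.splitlines(), known_pollers={"10.0.0.12"}):
        print(f"{ts} {ip}: {why}")
```

Run it against a real log with `scan_access_log(open("/var/log/apache2/access.log"), known_pollers={...})`. Without a known_pollers set only the query-string check applies, which is enough to spot the GET exploit shown in the sample but will miss a POSTed payload; with the set, every remote_agent.php call from an unexpected address is surfaced, which on a single-poller installation means every call.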

Community reactions

The vulnerability initially went under the radar until January 2nd, 2023, when SonarSource, whose researchers had reported it, published a detailed blog post on the finding. The security community has expressed significant concern, both because of the high severity and because many exposed Cacti servers were found to be running outdated versions. Censys observed 6,427 hosts running Cacti, most of them on vulnerable versions, with only 26 hosts reporting a patched version (Censys).

This report was generated using AI.