[Pkg-cacti-maint] Bug#1025648: cacti: CVE-2022-46169: Unauthenticated Command Injection

Salvatore Bonaccorso carnil at debian.org
Tue Dec 6 20:37:18 GMT 2022


Source: cacti
Version: 1.2.22+ds1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for cacti.

CVE-2022-46169[0]:
| Cacti is an open source platform which provides a robust and
| extensible operational monitoring and fault management framework for
| users. In affected versions a command injection vulnerability allows
| an unauthenticated user to execute arbitrary code on a server running
| Cacti, if a specific data source was selected for any monitored
| device. The vulnerability resides in the `remote_agent.php` file. This
| file can be accessed without authentication. This function retrieves
| the IP address of the client via `get_client_addr` and resolves this
| IP address to the corresponding hostname via `gethostbyaddr`. After
| this, it is verified that an entry within the `poller` table exists,
| where the hostname corresponds to the resolved hostname. If such an
| entry was found, the function returns `true` and the client is
| authorized. This authorization can be bypassed due to the
| implementation of the `get_client_addr` function. The function is
| defined in the file `lib/functions.php` and checks several `$_SERVER`
| variables to determine the IP address of the client. The variables
| beginning with `HTTP_` can be arbitrarily set by an attacker. Since
| there is a default entry in the `poller` table with the hostname of
| the server running Cacti, an attacker can bypass the authentication
| e.g. by providing the header `Forwarded-For: <TARGETIP>`. This
| way the function `get_client_addr` returns the IP address of the
| server running Cacti. The following call to `gethostbyaddr` will
| resolve this IP address to the hostname of the server, which will pass
| the `poller` hostname check because of the default entry. After the
| authorization of the `remote_agent.php` file is bypassed, an attacker
| can trigger different actions. One of these actions is called
| `polldata`. The called function `poll_for_data` retrieves a few
| request parameters and loads the corresponding `poller_item` entries
| from the database. If the `action` of a `poller_item` equals
| `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to
| execute a PHP script. The attacker-controlled parameter `$poller_id`
| is retrieved via the function `get_nfilter_request_var`, which allows
| arbitrary strings. This variable is later inserted into the string
| passed to `proc_open`, which leads to a command injection
| vulnerability. By e.g. providing the `poller_id=;id` the `id` command
| is executed. In order to reach the vulnerable call, the attacker must
| provide a `host_id` and `local_data_id`, where the `action` of the
| corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both
| of these ids (`host_id` and `local_data_id`) can easily be
| bruteforced. The only requirement is that a `poller_item` with an
| `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a
| productive instance because this action is added by some predefined
| templates like `Device - Uptime` or `Device - Polling Time`. This
| command injection vulnerability allows an unauthenticated user to
| execute arbitrary commands if a `poller_item` with the `action` type
| `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization
| bypass should be prevented by not allowing an attacker to make
| `get_client_addr` (file `lib/functions.php`) return an arbitrary IP
| address. This could be done by not honoring the `HTTP_...` `$_SERVER`
| variables. If these should be kept for compatibility reasons it should
| at least be prevented to fake the IP address of the server running
| Cacti. This vulnerability has been addressed in both the 1.2.x and
| 1.3.x release branches with `1.2.23` being the first release
| containing the patch.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46169
    https://www.cve.org/CVERecord?id=CVE-2022-46169
[1] https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
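A defender-side check for the query-string half of the issue described above, added here as an example that is not from the bug report or from Cacti itself: it scans web-server access log lines in combined format (the sample lines are constructed) for `remote_agent.php` requests whose `poller_id`, `host_id` or `local_data_id` parameters are not plain integers, which is the shape of the injected value the advisory quotes (`poller_id=;id`).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters that remote_agent.php treats as numeric ids (per the advisory).
NUMERIC_PARAMS = ("poller_id", "host_id", "local_data_id")


def suspicious_params(path: str) -> list:
    """Names of id parameters on a remote_agent.php request that are not integers."""
    parts = urlsplit(path)
    if not parts.path.endswith("/remote_agent.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes %3B -> ';'
    bad = []
    for name in NUMERIC_PARAMS:
        for value in query.get(name, []):
            if not re.fullmatch(r"\d+", value):
                bad.append(name)
    return bad


def scan(lines):
    """Return (ip, time, bad_params) for each line that looks like an injection attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        bad = suspicious_params(m.group("path"))
        if bad:
            hits.append((m.group("ip"), m.group("time"), bad))
    return hits


# Constructed sample lines (not real traffic); second line carries poller_id=;id encoded.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Dec/2022:20:37:18 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_id=6 HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Dec/2022:20:38:02 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=%3Bid&host_id=1&local_data_id=6 HTTP/1.1" 200 87',
    '198.51.100.7 - - [06/Dec/2022:20:38:05 +0000] "GET /cacti/index.php HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for ip, when, params in scan(SAMPLE_LOG):
        print(f"{when} {ip} non-numeric {','.join(params)} on remote_agent.php")
```

The forged client-address header that bypasses the `poller` check is not recorded in the default combined format, so this only surfaces the command-injection half; add the relevant request header to the log format if you want to see the other half.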
