A critical vulnerability in the Cacti Web-based open source framework for monitoring network performance gives attackers a way to disclose Cacti's entire database contents - presenting a prickly risk for organizations.
Thousands of websites use Cacti to collect network performance information such as that related to bandwidth utilization, CPU and memory usage, and disk I/O - from devices such as routers, switches, and servers.
Organizations use the collected data to populate the Round Robin Database utility so they can create graphic and visual metrics from it.
It has reach into the entire IT footprint within an organization - offering invaluable reconnaissance opportunities for cyberattackers, as well as a pivot point to go deeper into the network.
Importantly, an attacker could also chain CVE-2023-51448 with another, previously disclosed Cacti vulnerability - CVE-2023-49084 -to achieve remote code execution on vulnerable systems.
CVE-2023-51448 in Cacti: Insufficient Sanitization The vulnerability, tracked as CVE-2023-51448, is present in Cacti version 1.2.25.
Cacti has released an updated version of the software that addresses the bug.
The issue has to do with the app not properly sanitizing input data, thereby leaving the path open for what is known as a blind SQL injection attack.
GitHub has assigned the vulnerability a severity rating of 8.8 out of a maximum possible 10 on the CVSS 3.1 scale and described it as an issue that requires an attacker to only have low privileges to exploit.
As of Monday morning, a Shodan search listed more than 4,000 Cacti hosts that are potentially running vulnerable versions of Cacti, he says.
According to Hogg, to trigger CVE-2023-51448, an authenticated attacker with Settings/Utilities privileges would need to send a specially crafted HTTP GET request with an SQL injection payload to the endpoint '/managers.
Blind SQL Means Mass Attacks Unlikely, Still a Thorny Issue In a blind SQL injection attack, the attackers do not see the direct result of an injected SQL query.
Instead, they need to try and infer it based on how the application might respond.
Blind SQL injection attacks are hard to pull off on a mass scale.
An attacker with access to an account with the required privileges can exploit the vulnerability in Cacti with ease, Hogg notes.
The latest vulnerability is one of the several that researchers have reported in Cacti over the past year.
One of the more serious among them is CVE-2022-46169, an unauthenticated command injection vulnerability disclosed last January for which exploit become publicly available a few months later.
Another is CVE-2023-39362, a vulnerability disclosed in June for which exploits become publicly available in October.
This Cyber News was published on www.darkreading.com. Publication date: Mon, 08 Jan 2024 23:05:04 +0000