Critical IP spoofing bug patched in Cacti

A dangerous bug in Cacti, the RRDTool frontend and performance/fault management framework, allowed unauthenticated attackers to run arbitrary commands on the server.

Cacti is a popular open-source network graphing, monitoring, and fault-management tool written in PHP. RRDTool stands for round-robin database tool.

While Cacti is not usually meant to be accessible from public networks, an attacker with network access to the server would be able to leverage the remote code execution (RCE) bug without authentication.

The flaw affects version 1.2.22 and earlier, and has been patched in versions 1.2.23 and 1.3.0.

Flimsy safeguard

The vulnerability resides in a PHP file in Cacti that lets remote agents (pollers) trigger different actions on the server. The only safeguard this file offered was a check that the request came from an authorized IP address. Unfortunately, that check derived the client address from HTTP headers that the client itself controls, so an attacker can spoof an authorized address simply by sending the right headers.

This allows an attacker to gain access to the file’s commands without being authenticated into the Cacti application.
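The following is an added illustration, not code from Cacti (whose helper is in remote_agent.php and differs in detail): a "client address" helper of the kind that a header-based IP allow-list relies on, beside a hardened version. The poller allow-list, the proxy address and the header names consulted are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Cacti's code: a "client address" helper that a
// header-based IP allow-list depends on, beside a hardened version.
// Poller addresses and the proxy address below are assumed values.

// VULNERABLE: consults request headers before the socket peer address.
// Every $_SERVER['HTTP_*'] entry is a verbatim copy of a request header, so
// the client chooses its value: "X-Forwarded-For: 127.0.0.1" is enough.
function client_addr_spoofable(array $server): string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'HTTP_CLIENT_IP'] as $key) {
        if (!empty($server[$key])) {
            $first = trim(explode(',', $server[$key])[0]);
            if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
                return $first;
            }
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// HARDENED: REMOTE_ADDR is filled in by the web server from the TCP
// connection and cannot be supplied by the HTTP client. X-Forwarded-For is
// honoured only when the TCP peer is one of our own reverse proxies, and then
// only its rightmost entry, which is the one that proxy appended (assumes a
// single proxy hop).
function client_addr_hardened(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $peer;
}

function is_authorized_poller(string $ip, array $allowed): bool
{
    return in_array($ip, $allowed, true);
}

// Constructed request: an unauthorized host (203.0.113.5, TEST-NET-3)
// connects directly and sends a forged header naming the local poller.
$env = [
    'REMOTE_ADDR'          => '203.0.113.5',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];
$allowed = ['127.0.0.1', '10.0.0.20']; // assumed poller allow-list

// The spoofable helper believes the header, so the allow-list check passes;
// the hardened helper uses the TCP peer, so the same request is rejected.
var_dump(is_authorized_poller(client_addr_spoofable($env), $allowed));
var_dump(is_authorized_poller(client_addr_hardened($env, ['10.0.0.1']), $allowed));

// Same forged header, but arriving through the trusted proxy at 10.0.0.1,
// which appended the real peer: the hardened helper reports 203.0.113.5.
$via_proxy = [
    'REMOTE_ADDR'          => '10.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.5',
];
var_dump(client_addr_hardened($via_proxy, ['10.0.0.1']));
```

Run it with `php` on the command line. The distinction it rests on is the one Brugnoli-Vinten draws later in the article: `REMOTE_ADDR` is populated by the web server from the connection, while every `HTTP_*` key in `$_SERVER` is a request header the browser can set to anything. Trusting a forwarded header is only safe when the connection verifiably comes from a proxy you control.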

“The exploit is not that hard to execute if the attacker has access to a monitoring platform running Cacti,” Mark Brugnoli-Vinten, one of the maintainers of Cacti, told The Daily Swig.

“Most installations that I know of do not advertise themselves over the internet so the impact is mostly reduced to internal intrusions. If they have access to your internal network, there are larger problems at play, but this could be used by them.”

Command injection

One of the actions handled by the vulnerable file, polldata, looks up poller items in the backend database using request-supplied arguments. If any item is configured with a PHP script action, those unsanitized arguments end up in the command used to run the script, so an attacker can execute arbitrary commands on the server.

According to the advisory for the bug, this configuration is “very likely on a productive instance because this action is added by some predefined templates”.
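The following is an added illustration, not Cacti's code: a polldata-style action that runs a per-item script for a request-supplied poller_id, shown first with the raw value reaching the command line and then hardened. The script directory, the `--poller` flag and the item table are made up for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Cacti's code: a "polldata"-style action that runs a
// per-item script for a request-supplied poller_id. The script path, the
// --poller flag and the item table are invented for the illustration.

// Stand-in for rows loaded from the backend database.
const POLLER_ITEMS = [
    ['poller_id' => 1, 'action' => 'script_php', 'arg1' => 'ss_host_cpu.php'],
    ['poller_id' => 2, 'action' => 'snmp',       'arg1' => '1.3.6.1.2.1.1.3.0'],
];

// VULNERABLE: the request value is never validated and is interpolated
// straight into the command line that is later handed to the shell.
// A poller_id of "1; id" yields "... --poller=1; id", which also runs "id".
function polldata_commands_vulnerable(array $request): array
{
    $poller_id = $request['poller_id'] ?? '1';
    $cmds = [];
    foreach (POLLER_ITEMS as $item) {
        // The lookup tolerates junk after the number (like a lenient DB cast)...
        if ($item['action'] === 'script_php' && $item['poller_id'] === (int) $poller_id) {
            // ...but the raw request string is what reaches the shell.
            $cmds[] = "php -q /opt/app/scripts/{$item['arg1']} --poller=$poller_id";
        }
    }
    return $cmds;
}

// HARDENED: accept only a positive integer and fail closed otherwise; the
// values that still reach the command line are shell-quoted as a second
// line of defence, and the script name is reduced to its basename so a
// tampered item table cannot point outside the script directory.
function polldata_commands_hardened(array $request): array
{
    $poller_id = filter_var(
        $request['poller_id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($poller_id === false) {
        return []; // reject the request (e.g. respond 400) instead of guessing
    }
    $cmds = [];
    foreach (POLLER_ITEMS as $item) {
        if ($item['action'] === 'script_php' && $item['poller_id'] === $poller_id) {
            $script = basename($item['arg1']);
            $cmds[] = 'php -q ' . escapeshellarg("/opt/app/scripts/$script")
                    . ' --poller=' . escapeshellarg((string) $poller_id);
        }
    }
    return $cmds;
}

// Constructed request mimicking an injection attempt: the vulnerable handler
// produces a command with a second shell statement, the hardened one
// produces nothing because the value is not an integer.
$attack = ['poller_id' => '1; id'];
print_r(polldata_commands_vulnerable($attack));
print_r(polldata_commands_hardened($attack));

// A well-formed request is served by both.
print_r(polldata_commands_hardened(['poller_id' => '1']));
```

Validating the type of the parameter (an integer id) is what actually closes the hole; `escapeshellarg` is kept because a later refactor may route other, string-typed fields into the same command, and quoting every argument is cheap.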

Said Brugnoli-Vinten: “When exploited, it grants the attacker the ability to run commands under the same user that the website process is executing.”

But, he added, as long as your system “is secured using recommended safety/security procedures, such as AppArmor/SELinux or even separate user/group permissions, then the impact should be fairly limited”.

Secure PHP coding lessons

The bug was assigned a critical CVSS score of 9.8, which “is one of the reasons we published the advisory before the release was complete,” Brugnoli-Vinten said.

The team patched the vulnerability with the help of Stefan Schiller, security researcher at Sonar, who first reported the bug through GitHub’s advisory system.

The flaw held some lessons in secure PHP coding for the Cacti team.


“In recent years, I’ve taken to saying that you should never trust the input from a user, make sure it’s validated. However, the same also applies to settings in the environment,” Brugnoli-Vinten explained.

“PHP, for example, provides a lot of information in the $_SERVER variable, and even experienced users of the language may not realize which entries are set by the system and which are provided by the browser. If it can come from the browser, it can be spoofed.”


Source: https://portswigger.net/daily-swig/critical-ip-spoofing-bug-patched-in-cacti
