CVE-2022-46169

Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.23

Description A command injection vulnerability in Cacti allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the remote agent.php file, which can be accessed without authentication. An attacker can bypass the authentication by providing a header Forwarded-For: <TARGETIP>, allowing the function get client addr to return the IP address of the server running Cacti. The attacker can then trigger different actions, including the polldata action, which retrieves request parameters and loads corresponding poller item entries from the database. If the action of a poller item equals POLLER ACTION SCRIPT PHP, the function proc open is used to execute a PHP script, leading to a command injection vulnerability. The attacker-controlled parameter $poller id can be used to execute arbitrary commands.

Recommendations To resolve the issue, update to version 1.2.23 or later. As a temporary workaround, consider restricting access to the remote agent.php file and the poll for data function to prevent unauthorized access. Additionally, restrict the use of the proc open function to prevent command injection attacks. Avoid using the get client addr function to determine the IP address of the client, as it can be bypassed by an attacker. Instead, use a more secure method to authenticate clients and authorize access to the remote agent.php file.