2023-01-16

Most Cacti servers exposed on the Internet have not been patched against a serious, recently fixed security vulnerability that is being actively exploited by malicious actors.

Censys, a platform used to monitor cyber attacks, found that only 26 servers out of a total of 6,427 were running a patched release of Cacti (1.2.23 or 1.3.0).

First, what exactly is a Cacti Server?

The Cacti project was first started by Ian Berry on 2 September 2001.

Berry was inspired to start the project while working for a small ISP while still in high school and learning PHP and MySQL; his central goal in creating Cacti “was to offer more ease of use than RRDtool and more flexibility than MRTG”.

Cacti is essentially a program that runs on Linux distributions, on Windows and on other platforms, and is installed to monitor how servers are doing.

The English Wikipedia entry reads: “Cacti is an open source, Web-based network graphing and monitoring tool designed as a front-end application for the industry-standard open source data logging tool RRDtool.”

Wikipedia then adds: “Cacti allows a user to query services at set intervals and graph the resulting data. It is typically used to graph time-series data of metrics such as CPU load and network bandwidth utilization. A common usage is to monitor network traffic by polling a network switch or router interface using Simple Network Management Protocol (SNMP).”

In short, a “Cacti Server” is a server monitored by this software; the name is written as “Cacti Server” or with the words reversed, depending on the language used.

What problem did the Cacti servers have?

The problem in question is CVE-2022-46169 (CVSS score: 9.8), a combination of authentication bypass and malicious code injection that allows an unauthenticated user to execute malicious code on an affected version of the open source, web-based software.

Details of the vulnerability, which affects versions 1.2.22 and earlier, were first disclosed by SonarSource, and the flaw was subsequently reported to the project maintainers on December 2, 2022.

“An authorization check based on hostname is not implemented securely for most Cacti installations,” SonarSource researcher Stefan Schiller explained earlier this month, adding that “incorrect user input is propagated to a string used to execute an external command [hence malicious code]”.

Public disclosure of the vulnerability has also led to “exploitation attempts”: organizations including the Shadowserver Foundation and GreyNoise have warned users of malicious attacks originating from an IP address found to be based in Ukraine.

The majority of unpatched Cacti servers (1,320) are located in Brazil, closely followed by Indonesia, the United States, China, Bangladesh, Russia, Ukraine, the Philippines, Thailand, and the United Kingdom.

SugarCRM flaw actively exploited to drop web shells

The development comes as SugarCRM issued fixes for a publicly disclosed vulnerability that has also been actively weaponized to drop a PHP-based web shell on 354 unique hosts, Censys said in a separate advisory.

The bug, tracked as CVE-2023-22952, concerns a case of missing input validation that could lead to malicious PHP code injection. It has been fixed in SugarCRM versions 11.0.5 and 12.0.2.

It is not uncommon for malicious actors to exploit newly revealed vulnerabilities to carry out their own attacks, making it imperative that users move quickly to plug security holes.