The version of cacti installed on the remote host is prior to 1.1.19-2.20. It is, therefore, affected by a vulnerability as referenced in the ALAS-2023-1675 advisory.

    A flaw was found in how Cacti grants authorization based on IP address which allows authentication bypass,     and possibly arbitrary command execution if a poller_item configured with a POLLER_ACTION_SCRIPT_PHP     action is present.

    This updated cacti package adds a feature allowing an administrator to explicitly list headers suitable     for use in client authentication. This option is not currently enabled by default in order to preserve     compatibility but may be set by default in a future release. This is consistent with the latest upstream     cacti releases (1.2.23 and 1.3.0). Additional details can be found here:
    https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf

    In order to mitigate the authentication bypass customers must set the new $proxy_headers configuration     option in /etc/cacti/db.php appropriately for their environment by either setting it to false or an array     of the headers for cacti to trust.

    Additionally, customers are strongly recommended to:

    1. Consider using user authentication via a reverse proxy front end like httpd or nginx2. Cacti     administrators should configure the client-facing web server or reverse proxy to strip any trusted headers     provided by untrusted sources, to prevent them from reaching the Cacti server and being used to bypass the     authentication process.



Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux AMI : cacti (ALAS-2023-1675)

critical Nessus Plugin ID 170545

Version 1.4

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.4 Dec 11, 2024, 10:15 PM CVSS metrics ("Cvssv4 score" set to 0.0) CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202412112215
Version 1.3 Sep 6, 2023, 2:11 PM Exploit attributes ("Exploit framework core" set to "True") Plugin Feed: 202309061411
Version 1.2 Feb 16, 2023, 8:21 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C") CISA reference Plugin Feed: 202302162021
Version 1.1 Jan 26, 2023, 2:58 AM Exploit attributes ("Exploit framework metasploit" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202301260258
Version 1.0 Jan 25, 2023, 4:20 AM New Plugin Feed: 202301250420