Cachet is an open-source status page system that lets users list service components, report incidents, and customize the appearance of their status page, among other things.
Researchers have warned that several security holes in Cachet can allow an attacker to execute arbitrary code and steal sensitive data.
Three vulnerabilities discovered by SonarSource researchers expose users to remote compromise.
The first vulnerability (CVE-2021-39172) is a newline injection that occurs when users change an instance’s configuration, such as mail settings.
It gives attackers the ability to insert new directives and modify the behavior of essential features, allowing them to execute arbitrary code.
This feature also has a second vulnerability (CVE-2021-39174), which allows attackers to exfiltrate secrets saved in the configuration file, such as database passwords and framework keys.
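The first two flaws come down to how configuration values are written back into a dotenv-style file: if a submitted value may contain a line break, it can carry a second `KEY=VALUE` directive that the loader then honours. The following added example (mine, not Cachet's code or SonarSource's proof of concept) models that with a constructed config file and two writers, a naive one that stores the value verbatim and a hardened one that rejects control characters before writing. The keys and values are constructed for illustration.

```python
import re

# Constructed sample contents of a dotenv-style configuration file.
SAMPLE_ENV = "APP_ENV=production\nMAIL_HOST=smtp.example.com\nDB_PASSWORD=s3cret\n"

# Keys are restricted to the conventional upper-case identifier form.
KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")


def parse_env(text):
    """Parse KEY=VALUE lines into a dict; a later duplicate overrides an earlier one,
    which is how most dotenv loaders behave and why an injected directive takes effect."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def set_env_value_naive(text, key, value):
    """Unsafe pattern: the user-supplied value is written verbatim, line breaks included."""
    pattern = re.compile(r"^" + re.escape(key) + r"=.*$", re.MULTILINE)
    replacement = f"{key}={value}"
    if pattern.search(text):
        # A callable avoids backslash processing in the replacement string.
        return pattern.sub(lambda _m: replacement, text, count=1)
    return text + replacement + "\n"


def set_env_value_safe(text, key, value):
    """Hardened pattern: validate the key and refuse any control character in the value,
    so a single configuration change can never add or alter another directive."""
    if not KEY_RE.match(key):
        raise ValueError(f"invalid configuration key: {key!r}")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise ValueError("control characters are not allowed in configuration values")
    return set_env_value_naive(text, key, value)


def directive_count_after(writer, key, value):
    """Helper for comparison: number of directives present after one write."""
    return len(parse_env(writer(SAMPLE_ENV, key, value)))


if __name__ == "__main__":
    # Constructed value carrying a line break followed by a second directive.
    crafted = "smtp.example.com\nAPP_DEBUG=true"
    print(parse_env(set_env_value_naive(SAMPLE_ENV, "MAIL_HOST", crafted)))
    try:
        set_env_value_safe(SAMPLE_ENV, "MAIL_HOST", crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

Run on the constructed input, the naive writer yields four directives where three existed before, while the hardened writer raises before touching the file. Rejecting rather than stripping is deliberate: silently removing the line break would still accept input that the caller never intended to be valid, and an exception gives the application a clean point to log the attempt.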
The third flaw (CVE-2021-39173) allows an attacker to re-enter and modify the installation process even when the target instance is already fully configured.
The researchers said, “In this way, attackers can trick the Cachet instance into using an arbitrary database under their control, ultimately leading to the execution of arbitrary code.”
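The defensive point behind this third flaw is that every step of a setup wizard, not only the first, must be gated on a persisted "installed" marker, so that an authenticated user can never resubmit database settings after installation. The added example below is mine, not Cachet's code: it models a multi-step installer in which each step consults the stored marker, refuses re-entry, and records the attempt for detection. The step names, the `AuditLog` list and the `InstallState` class are constructed for illustration.

```python
import json

# Constructed stand-in for the marker an application would persist on disk or in its config.
class InstallState:
    def __init__(self, installed=False):
        self.installed = installed
        self.settings = {}


# Constructed audit sink; a real deployment would write to its application log.
AuditLog = list

SETUP_STEPS = ("database", "mail", "admin_user")


def require_not_installed(state, step, user, audit):
    """Shared gate for every setup step: deny once the marker is set."""
    if state.installed:
        audit.append(json.dumps({"event": "setup_reentry_denied", "step": step, "user": user}))
        return False
    return True


def handle_setup_step(state, step, user, payload, audit):
    """Process one step of the installer; returns an HTTP-style status and whether settings changed."""
    if step not in SETUP_STEPS:
        return {"status": 404, "applied": False}
    # The gate runs for every step, not only the first screen of the wizard.
    if not require_not_installed(state, step, user, audit):
        return {"status": 403, "applied": False}
    state.settings[step] = payload
    # Mark the instance installed as soon as the last step completes.
    if step == SETUP_STEPS[-1]:
        state.installed = True
    return {"status": 200, "applied": True}


def run_scenario():
    """Complete a fresh install, then attempt to resubmit the database step as a low-privilege user."""
    state, audit = InstallState(), AuditLog()
    for step in SETUP_STEPS:
        handle_setup_step(state, step, "installer", {"step": step}, audit)
    # Constructed post-install attempt to point the instance at another database.
    retry = handle_setup_step(state, "database", "basic_user", {"host": "db.attacker.example"}, audit)
    return state, retry, audit


if __name__ == "__main__":
    final_state, retry_result, log_lines = run_scenario()
    print(retry_result, final_state.settings["database"], log_lines, sep="\n")
```

The important property is that `state.settings["database"]` is unchanged after the denied request, and that the denial produces a log line a SOC can alert on: repeated `setup_reentry_denied` events from an ordinary account are a strong signal of the activity described above.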
Exploiting these vulnerabilities requires the attacker to have access to a user account with basic rights.
This, according to SonarSource, is easy to achieve either through credential stuffing, “Thanks to the large number of accounts disclosed each year, to a compromised or malicious user, to the presence of cross-site scripting (XSS) vulnerabilities on the same perimeter or by exploiting a pre-authenticated SQL injection (CVE-2021-39165) in Cachet, which was set in January 2021”.
“Once the prerequisites are met, for example by exploiting vulnerabilities such as CVE-2021-39165 or accessing a user account with any level of privilege, our results are very easy to exploit.
“They only require one request, and it can be easily automated,” said Thomas Chauchefoin.
The flaws have now been corrected, but Chauchefoin told The Daily Swig that the disclosure process was not without difficulties.
During the 90-day disclosure period, Chauchefoin said, the team attempted but failed to reach the project’s maintainers. “The upstream project seems abandoned,” he added.
“Rather than immediately disclosing the details to the public, we contacted the most active community fork (maintained by UK company FiveAI) and suggested fixes.
“They merged it and quickly released a new version.”