Cachet is a program that lets users list service components, report issues, and customize their status page's appearance, among other things.
Researchers have warned that several security flaws in the open-source Cachet status page system may allow an attacker to run arbitrary code and steal sensitive data.
Three vulnerabilities in the program, uncovered by SonarSource researchers, may expose users to remote access.
The first vulnerability (CVE-2021-39172) is a newline injection that occurs when users change the configuration of an instance, such as the email settings.
It gives attackers the ability to insert new directives and change the behavior of essential functionalities, allowing them to run arbitrary code.
This functionality also has a second vulnerability (CVE-2021-39174), which allows attackers to exfiltrate secrets saved in the configuration file, such as database passwords and framework keys.
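To make the newline injection described above concrete from a defender's side, here is an added illustration (not Cachet's own code, and not from the researchers): a naive configuration writer that lets a value carrying a line break become an extra directive, the validated writer that refuses such a value, and a small audit helper for spotting unexpected directives in an existing file. It assumes settings are stored in a dotenv-style KEY=VALUE file; the key names and the tampered value are constructed for the example.

```python
import re
# Assumed dotenv-style KEY=VALUE file: keys are plain identifiers, values
# must not contain line breaks or other control characters.
KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
CONTROL_CHARS = {"\r", "\n", "\x00"}

def render_config_unsafe(settings: dict) -> str:
    """Naive writer: a value carrying a line break becomes extra directives."""
    return "".join(f"{key}={value}\n" for key, value in settings.items())

def validate_config_value(key: str, value: str) -> str:
    """Hardened check: one setting can never be written out as several."""
    if not KEY_RE.match(key):
        raise ValueError(f"invalid configuration key: {key!r}")
    if any(ch in CONTROL_CHARS for ch in value):
        raise ValueError(f"control character in value for {key}")
    return value

def render_config_safe(settings: dict) -> str:
    """Same writer, but every pair is validated before serialization."""
    return "".join(f"{k}={validate_config_value(k, v)}\n" for k, v in settings.items())

def is_rejected(key: str, value: str) -> bool:
    """True if the hardened writer refuses this key/value pair."""
    try:
        validate_config_value(key, value)
    except ValueError:
        return True
    return False

def parse_config(text: str) -> dict:
    """Minimal dotenv-style reader: one KEY=VALUE directive per line."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result

def audit_config_file(text: str, expected_keys: set) -> list:
    """Detection aid: directives outside the expected key set are suspicious."""
    return sorted(k for k in parse_config(text) if k not in expected_keys)

if __name__ == "__main__":
    # Constructed input: a mail host value that carries an extra line.
    tampered = {"MAIL_HOST": "smtp.example.test\nINJECTED_SETTING=1"}
    print(render_config_unsafe(tampered), end="")  # two directives, not one
    print(audit_config_file(render_config_unsafe(tampered), {"MAIL_HOST"}))
    print("rejected:", is_rejected("MAIL_HOST", tampered["MAIL_HOST"]))
```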
The last flaw (CVE-2021-39173), according to the experts, allows an attacker to alter the setup process even if the target instance is already completely configured.
The researchers said, “That way, attackers can trick the Cachet instance into using an arbitrary database under their control, ultimately leading to arbitrary code execution.”
Exploiting the vulnerabilities requires the attacker to have access to a user account with basic rights.
This, according to SonarSource, is easy to obtain either through credential stuffing, “thanks to the significant amount of accounts leaked every year, a compromised or malicious user, the presence of a cross-site scripting (XSS) vulnerability on the same perimeter or by exploiting a pre-authenticated SQL injection (CVE-2021-39165) in Cachet, which was fixed in January 2021”.
“Once the prerequisites are met, e.g. by exploiting vulnerabilities like CVE-2021-39165 or getting access to a user account with any level of privileges, our findings are very straightforward to exploit.
“They only require one request, and this can be easily automated,” Thomas Chauchefoin said.
The flaws have now been addressed, but Chauchefoin told The Daily Swig that the disclosure procedure was not without its difficulties.
During the 90-day disclosure period, Chauchefoin claimed, the team attempted but failed to contact the maintainers. “The upstream project appears to be abandoned,” he added.
“Rather than immediately disclosing the details to the public, we reached out to the most active community fork (maintained by the UK company FiveAI) and suggested patches.
“They merged it and quickly published a new release.”