Cacti Crisis Averted: Critical Patches Released for Network Monitoring Mayhem!

Cacti’s latest patch tackles a prickly problem—plugging a dozen security holes, with two critical ones that could let hackers run wild. Update your thorns, folks! #CactiPatchDay 🌵💻🔒

Hot Take:

Looks like Cacti got a little prickly with a bouquet of security flaws, including a couple of those ‘rare’ critical ones that let the cyber bad guys play puppet master with your servers. Time to put on your gardening gloves and pluck those vulnerabilities before your network monitoring turns into a network mourning. And remember, when your software has more patches than a pirate convention, it’s update o’clock!

Key Points:

  • Cacti’s been hit with a dirty dozen of security flaws—two critical ones are especially thorny, with CVSS scores higher than your average high jumper.
  • CVE-2024-25641 lets anyone holding the ‘Import Templates’ permission write their own files, PHP scripts included, into your server’s bedtime story via Package Import. Spoiler: It doesn’t end well.
  • The unauthenticated Oscar goes to CVE-2024-29895, which turns on the command line limelight whenever PHP’s ‘register_argc_argv’ forgets to be Off (a 1.3.x dev-branch exclusive).
  • Two high-severity party crashers, CVE-2024-31445 and CVE-2024-31459, also RSVP’d yes to the code execution gala via SQL injections and file inclusions.
  • Get your Cacti to version 1.2.27 for a less prickly experience, and keep an eye on those proof-of-concept gate crashers on GitHub.

Title: Unauthenticated Command Injection
Cve id: CVE-2022-46169
Cve state: PUBLISHED
Cve assigner short name: GitHub_M
Cve date updated: 12/05/2022
Cve description: Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. Its authorization check retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists whose hostname corresponds to the resolved hostname. If such an entry is found, the check returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks several `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` resolves this IP address to the hostname of the server, which passes the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. 
If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing `poller_id=;id`, the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id` where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids can easily be brute-forced. The only requirement is that a `poller_item` with a `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a production instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`. In short, this command injection allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these must be kept for compatibility reasons, it should at least be impossible to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches, with `1.2.23` being the first release containing the patch.
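The two halves of this bug, the spoofable client-address lookup and the shell command built from `poller_id`, reduce to a few lines each. The following is an added example written for this page, not Cacti's own code: a client-address helper that, like the `get_client_addr` described above, trusts `HTTP_*` entries, beside a hardened version that only honors a forwarded header when the TCP peer is a configured proxy and never accepts one of the server's own addresses; and the command string built once with the raw value and once with an integer check plus `escapeshellarg()`. The function names, `TRUSTED_PROXIES`, `own_addresses()` and the `SCRIPT_SERVER` command line are assumptions for illustration.

```php
<?php
// Added example, not Cacti's own code: the two halves of CVE-2022-46169 in
// isolation. Function names, TRUSTED_PROXIES and the command line are
// assumptions for illustration.

// VULNERABLE shape: every HTTP_* entry in $_SERVER is set by the client, so the
// caller chooses which "client address" the poller hostname check sees.
function vulnerable_client_addr(array $server): string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            // X-Forwarded-For can be a comma-separated chain; first hop wins here
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return '';
}

// HARDENED shape: trust a forwarded header only when the TCP peer is a proxy
// we operate, validate the result as an IP, and never accept one of this
// host's own addresses (the default poller row would otherwise match it).
const TRUSTED_PROXIES = ['10.0.0.5']; // assumed reverse proxy address

function own_addresses(): array
{
    $resolved = gethostbynamel(gethostname()); // A records for our own name, or false
    return array_merge(['127.0.0.1', '::1'], $resolved ?: []);
}

function hardened_client_addr(array $server): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $addr = $peer;
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $addr = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    if (filter_var($addr, FILTER_VALIDATE_IP) === false || in_array($addr, own_addresses(), true)) {
        return null; // caller must treat null as "not authorized"
    }
    return $addr;
}

// The injection sink: poller_id ends up inside a shell command string.
const SCRIPT_SERVER = '/usr/bin/php -q /var/www/cacti/script_server.php cmd '; // assumed

function poll_command_vulnerable(string $poller_id): string
{
    // poller_id=";id" becomes "... cmd ;id" and the shell runs `id`
    return SCRIPT_SERVER . $poller_id;
}

function poll_command_hardened(string $poller_id): string
{
    // Poller ids are integers; reject anything else before it gets near a shell
    if (!ctype_digit($poller_id)) {
        throw new InvalidArgumentException('poller_id must be a positive integer');
    }
    return SCRIPT_SERVER . escapeshellarg($poller_id);
}

// Constructed request: spoofed Forwarded-For plus a metacharacter in poller_id
$spoofed = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_FORWARDED_FOR' => '192.0.2.10'];
var_dump(vulnerable_client_addr($spoofed)); // the spoofed header wins
var_dump(hardened_client_addr($spoofed));   // the real TCP peer is reported
echo poll_command_vulnerable(';id'), "\n";
try {
    poll_command_hardened(';id');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The point of the hardened lookup is that a forwarded header is only meaningful when you know who inserted it; without a trusted-proxy list, `REMOTE_ADDR` is the only value the client cannot forge. Fixing the sink as well (integer check, then `escapeshellarg()`) means a future bypass of the authorization no longer buys command execution.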

Title: Cacti RCE vulnerability when importing packages
Cve id: CVE-2024-25641
Cve state: PUBLISHED
Cve assigner short name: GitHub_M
Cve date updated: 05/13/2024
Cve description: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined in the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes those files into the Cacti base path (or even outside it, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
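The file write described here fails twice: the path is taken from the package and the file type is never questioned. The following is an added example written for this page, not Cacti's `import_package()`: a writer that trusts the package-supplied name beside one that pins the destination to a known sub-directory, rejects dot components and web-executable extensions, and confirms with `realpath()` that the target directory still sits under the base path. `PACKAGE_DIRS`, `PACKAGE_EXTS`, the function names and the scratch directory are assumptions for illustration.

```php
<?php
// Added example, not Cacti's own code. Shows the CVE-2024-25641 shape: a file
// name and body lifted from imported package XML decide where bytes land.
// PACKAGE_DIRS, PACKAGE_EXTS and the function names are assumptions.

// VULNERABLE shape: the package author names the file, so "../../include/x.php"
// or "scripts/shell.php" is written wherever the web server user can write.
function write_package_file_vulnerable(string $base, string $name, string $data): string
{
    $path = $base . '/' . $name;
    file_put_contents($path, $data);
    return $path;
}

// HARDENED shape: exactly one directory level, an allowlisted top directory and
// extension, no dot components, and a realpath() check that the destination
// directory is still under the base path after symlinks are resolved.
const PACKAGE_DIRS = ['resource', 'scripts'];
const PACKAGE_EXTS = ['xml', 'pl', 'sh', 'py']; // nothing the web server executes

function write_package_file_hardened(string $base, string $name, string $data, bool $overwrite = false): string
{
    $parts = explode('/', str_replace('\\', '/', $name));
    if (count($parts) !== 2 || !in_array($parts[0], PACKAGE_DIRS, true)) {
        throw new RuntimeException("refusing path outside the package layout: $name");
    }
    if ($parts[1] === '' || $parts[1][0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $parts[1])) {
        throw new RuntimeException("refusing file name: {$parts[1]}");
    }
    $ext = strtolower(pathinfo($parts[1], PATHINFO_EXTENSION));
    if (!in_array($ext, PACKAGE_EXTS, true)) {
        throw new RuntimeException("refusing file type .$ext");
    }
    $root = realpath($base);
    $dir  = realpath($base . '/' . $parts[0]);
    if ($root === false || $dir === false || strpos($dir . '/', $root . '/') !== 0) {
        throw new RuntimeException('package directory resolves outside the base path');
    }
    $path = $dir . '/' . $parts[1];
    if (!$overwrite && file_exists($path)) {
        throw new RuntimeException("refusing to overwrite existing file: $path");
    }
    if (file_put_contents($path, $data, LOCK_EX) === false) {
        throw new RuntimeException("write failed: $path");
    }
    return $path;
}

// Demonstration inside a scratch directory with the expected layout
$base = sys_get_temp_dir() . '/cacti-import-demo';
foreach (PACKAGE_DIRS as $d) {
    @mkdir("$base/$d", 0700, true);
}
$attempts = [
    '../../evil.php',          // traversal out of the base path
    'scripts/../../evil.php',  // traversal hidden behind a valid prefix
    'scripts/backdoor.php',    // right place, web-executable type
    'include/config.php',      // overwriting an application file
    'scripts/ss_custom.pl',    // what a legitimate package ships
];
foreach ($attempts as $name) {
    try {
        echo 'wrote ', write_package_file_hardened($base, $name, "# constructed content\n"), "\n";
    } catch (RuntimeException $e) {
        echo "blocked '$name': ", $e->getMessage(), "\n";
    }
}
```

The extension allowlist is the policy decision to think about: if a deployment genuinely needs packages to ship PHP collector scripts, the import should at least refuse to place them anywhere the web server serves, and an overwrite of an existing file should require an explicit confirmation rather than happen silently.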

Title: SQL Injection vulnerability in automation_get_new_graphs_sql
Cve id: CVE-2024-31445
Cve state: PUBLISHED
Cve assigner short name: GitHub_M
Cve date updated: 05/13/2024
Cve description: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in the `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to achieve privilege escalation and remote code execution. In `api_automation.php` line 856, the value of `get_request_var('filter')` is concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, the validation rule declared for `'filter'` is `FILTER_DEFAULT`, which means no filtering is applied to it. Version 1.2.27 contains a patch for the issue.
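A `LIKE '%...%'` filter built by string concatenation is the textbook way an authenticated search box turns into a read of the `user_auth` table. The following is an added example written for this page, not Cacti's `automation_get_new_graphs_sql`: the concatenated query beside a prepared-statement version, run against an in-memory SQLite database (assumed available through PDO) with a two-table stand-in for Cacti's schema and a constructed password hash. The same remedy applies to the unauthenticated `graph_view.php` injection (CVE-2023-39361) listed further down. Table layout, function names and the payload are assumptions for illustration.

```php
<?php
// Added example, not Cacti's own code. Models the CVE-2024-31445 pattern with
// an in-memory SQLite database (assumed available via PDO) so it runs
// stand-alone; the tables are a simplified stand-in for Cacti's schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE host (id INTEGER, description TEXT)');
$pdo->exec('CREATE TABLE user_auth (id INTEGER, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO host VALUES (1, 'core-router'), (2, 'edge-switch')");
$pdo->exec("INSERT INTO user_auth VALUES (1, 'admin', '\$2y\$10\$constructedhashvalue')"); // constructed

// VULNERABLE shape: the request variable is spliced into the SQL text. With
// FILTER_DEFAULT there is no sanitisation, exactly as the advisory describes.
function new_graphs_sql_vulnerable(PDO $pdo, string $filter): array
{
    $sql = "SELECT id, description FROM host WHERE description LIKE '%" . $filter . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED shape: the value travels as a bound parameter and the wildcard
// wrapping happens on the value, not in the SQL text. Escaping % and _ stops
// the user from widening the match, a correctness point rather than injection.
function new_graphs_sql_hardened(PDO $pdo, string $filter): array
{
    $escaped = addcslashes($filter, '%_\\');
    $stmt = $pdo->prepare("SELECT id, description FROM host WHERE description LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: closes the LIKE literal, appends a UNION with the same
// column count, and comments out the trailing "%'".
$payload = "x%' UNION SELECT id, password FROM user_auth -- ";

print_r(new_graphs_sql_vulnerable($pdo, $payload)); // the admin hash rides along as a "description"
print_r(new_graphs_sql_hardened($pdo, $payload));   // the payload is just a string that matches nothing
print_r(new_graphs_sql_hardened($pdo, 'router'));   // normal search still works
```

Cacti's own database layer has prepared variants of its fetch helpers (`db_fetch_assoc_prepared` and friends), so the fix in the real code is a matter of moving `filter` out of the SQL string and into the parameter array rather than changing the query logic.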

Title: Cacti RCE vulnerability by file include in lib/plugin.php
Cve id: CVE-2024-31459
Cve state: PUBLISHED
Cve assigner short name: GitHub_M
Cve date updated: 05/13/2024
Cve description: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be achieved. The `api_plugin_hook()` function in `lib/plugin.php` reads the `plugin_hooks` and `plugin_config` tables from the database, and the data read is used directly to build the file path that is then included. Version 1.2.27 contains a patch for the issue.
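The lesson of this record is that rows in your own database are still input once an injection lets someone else write them. The following is an added example written for this page, not Cacti's `api_plugin_hook()`: a hook loader that includes whatever path the row describes, beside one that allowlists both components and checks with `realpath()` that the result stays inside that plugin's directory. The row layout, the plugins directory, the function names and the scratch plugin tree are assumptions for illustration.

```php
<?php
// Added example, not Cacti's own code. Mirrors the CVE-2024-31459 shape: a
// plugin hook row read from the database becomes an include path. The row
// layout, the plugins directory and the function names are assumptions.

// VULNERABLE shape: database content is trusted. Anyone who can write the
// plugin_hooks table (for instance through a SQL injection) can point 'file'
// at any path the web server can read, turning a row into a file inclusion
// primitive.
function run_hook_vulnerable(string $plugins_dir, array $row): void
{
    include_once $plugins_dir . '/' . $row['name'] . '/' . $row['file'];
}

// HARDENED shape: treat the row as untrusted input. Both components must match
// a tight allowlist, and the resolved path must still sit inside that plugin's
// own directory once realpath() has collapsed ".." and symlinks.
function run_hook_hardened(string $plugins_dir, array $row): void
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $row['name'] ?? '')
        || !preg_match('/^[A-Za-z0-9_]+\.php$/', $row['file'] ?? '')) {
        throw new RuntimeException('rejecting hook row with unexpected name or file');
    }
    $dir  = realpath($plugins_dir . '/' . $row['name']);
    $file = $dir === false ? false : realpath($dir . '/' . $row['file']);
    if ($file === false || strpos($file, $dir . '/') !== 0) {
        throw new RuntimeException('hook file resolves outside its plugin directory');
    }
    include_once $file;
}

// Demonstration: a scratch plugin tree with one benign hook file
$plugins = sys_get_temp_dir() . '/cacti-plugins-demo';
@mkdir("$plugins/demo", 0700, true);
file_put_contents("$plugins/demo/setup.php", "<?php echo \"demo hook ran\\n\";\n");

$rows = [
    ['name' => 'demo', 'file' => 'setup.php'],                   // legitimate row
    ['name' => '..',   'file' => '../../etc/hostname'],          // traversal via DB content
    ['name' => 'demo', 'file' => '../../../../tmp/planted.php'], // valid plugin, planted file
];
foreach ($rows as $row) {
    try {
        run_hook_hardened($plugins, $row);
    } catch (RuntimeException $e) {
        echo 'blocked: ', $e->getMessage(), "\n";
    }
}
```

The regex check alone would already stop the traversal rows; the `realpath()` containment is there for the case the regex does not cover, a symlink planted inside a legitimate plugin directory that points elsewhere.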

Title: Unauthenticated SQL Injection in graph_view.php in Cacti
Cve id: CVE-2023-39361
Cve state: PUBLISHED
Cve assigner short name: GitHub_M
Cve date updated: 09/05/2023
Cve description: Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are enabled there is potential for significant damage. Attackers may exploit this vulnerability, potentially leading to the takeover of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Title: Cacti command injection in cmd_realtime.php
Cve id: CVE-2024-29895
Cve state: PUBLISHED
Cve assigner short name: GitHub_M
Cve date updated: 05/13/2024
Cve description: Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary commands on the server when the `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled through the URL when `register_argc_argv` is `On`. This option is `On` by default in many environments, such as the official PHP Docker image. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
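What makes this one unusual is that nothing in the request looks like a parameter: with `register_argc_argv` on, PHP's web SAPIs build `$_SERVER['argv']` from the query string, split on `+`, so a script that was written for the command line sees URL fragments as its arguments. The following is an added example written for this page, not Cacti's `cmd_realtime.php`: a command builder that reads `argv` regardless of SAPI, beside one that refuses to run outside the CLI and validates the value anyway, plus a one-line check for whether the current request is exposed at all. The command text, the argv index used and the constructed argv array are assumptions for illustration.

```php
<?php
// Added example, not Cacti's own code. Reproduces the CVE-2024-29895 shape: a
// script written for the command line reads $_SERVER['argv'], but under a web
// SAPI with register_argc_argv=On PHP builds argv from the query string, split
// on '+', so the URL chooses the arguments. Command text and argv layout are
// assumptions for illustration.

// True when this request could have had its argv filled in from the URL.
function argv_exposed(): bool
{
    return PHP_SAPI !== 'cli' && filter_var(ini_get('register_argc_argv'), FILTER_VALIDATE_BOOLEAN);
}

// VULNERABLE shape: argv is used regardless of which SAPI is running.
function realtime_command_vulnerable(array $argv): string
{
    $poller_id = $argv[1] ?? '1';
    return '/usr/bin/php -q /var/www/cacti/poller_realtime.php --poller=' . $poller_id;
}

// HARDENED shape: refuse to run outside the CLI, then validate the value anyway.
function realtime_command_hardened(array $argv, string $sapi = PHP_SAPI): string
{
    if ($sapi !== 'cli') {
        throw new RuntimeException('this script is only valid from the command line');
    }
    $poller_id = $argv[1] ?? '1';
    if (!ctype_digit($poller_id)) {
        throw new InvalidArgumentException('poller id must be a positive integer');
    }
    return '/usr/bin/php -q /var/www/cacti/poller_realtime.php --poller=' . escapeshellarg($poller_id);
}

// What a web SAPI builds from the request "cmd_realtime.php?1+;id+5": no script
// name in argv[0], just the '+'-separated pieces of the query string.
$web_argv = ['1', ';id', '5'];
echo realtime_command_vulnerable($web_argv), "\n"; // ';id' is now part of the command line

foreach (['apache2handler', 'cli'] as $sapi) {
    try {
        echo realtime_command_hardened($web_argv, $sapi), "\n";
    } catch (RuntimeException | InvalidArgumentException $e) {
        echo "$sapi: blocked, ", $e->getMessage(), "\n";
    }
}
// A genuine CLI invocation carries the script name in argv[0] and the id after it
echo realtime_command_hardened(['cmd_realtime.php', '3'], 'cli'), "\n";
```

Two practical notes. The CLI SAPI forces `register_argc_argv` on, so running `php -i` on the box tells you nothing about the web SAPI; check the value through the web server itself (a throwaway page calling `ini_get('register_argc_argv')`, or `argv_exposed()` above) and set `register_argc_argv = Off` in the php.ini the web SAPI actually loads. And the SAPI guard is the real fix: a script that only makes sense from cron or a shell should not be reachable from the web root at all.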

Title: Cacti XSS vulnerability in display_settings
Cve id: CVE-2024-30268
Cve state: PUBLISHED
Cve assigner short name: GitHub_M
Cve date updated: 05/13/2024
Cve description: Cacti provides an operational monitoring and fault management framework. A reflected cross-site scripting vulnerability on the 1.3.x DEV branch allows attackers to obtain the session cookies of administrators and other users and impersonate them using the stolen cookies. This issue is fixed in commit a38b9046e9772612fda847b46308f9391a49891e.

Need to know more?

The Cacti Patch-athlon

It's been a marathon for the Cacti devs, who've been sprinting to fix a medley of mishaps. Ten of these security slip-ups are VIPs (Very Important Patches) for all versions up to 1.2.26. If you're nurturing one of these versions in your digital greenhouse, it's time for an upgrade to the fresh and fortified 1.2.27. As for the two outliers, they're like the eccentric uncles of the family, affecting only the 1.3.x dev versions. Keep your eyes peeled and your software fresh!

A Flashback of Flaws

Let's take a stroll down vulnerability lane, shall we? Eight months ago, Cacti had a bit of an existential crisis with a critical SQL injection vulnerability that made everyone question the nature of their database reality. And just when you thought it was safe to go back into the server room, early 2023 came swinging with another critical flaw that turned Cacti servers into a playground for digital delinquents wielding botnet malware like MooBot and ShellBot. Moral of the story? Server security isn't a spectator sport.

Update or Bust

With the PoCs out in the wild like a digital Jumanji, the time for procrastination has passed. It's a jungle out there, and you better be sure your Cacti instance is updated faster than you can say "remote code execution." The GitHub advisories are practically screaming "Update now!" in neon letters. So grab that update, and let's turn those potential threats into 'not on my network' anecdotes.

Concluding with a Cact-Usual Reminder

Remember, folks, in the grand circus of cybersecurity, the tightrope is high, and the safety net is made of patches and updates. Don't be that act that takes a dive because you ignored the warning signs. Keep your Cacti patched, your servers secure, and your network monitoring more peaceful than a Zen garden. And always, always keep an eye out for those PoCs—they're more than just a proof of concept; they're a prelude to cyber chaos if left unchecked.

Tags: Cacti framework, critical vulnerabilities, network monitoring, Remote Code Execution, Software Patching, SQL Injection, vulnerability management