
Warning: Cacti Has a Severe RCE Vulnerability, Patch Immediately!

Reference: Advisory #2024-66

Version: 1.1

Affected software: Cacti 1.3.x DEV; all versions below 1.2.27

Type: Remote Code Execution (RCE)

CVE/CVSS:

CVE-2024-29895: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2024-31459: CVSS N/A

CVE-2024-31445: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2024-25641: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Sources

https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m

Risks

Servers running Cacti are exposed to a remote code execution (RCE) vulnerability.

Description

A security vulnerability has been identified in the cmd_realtime.php file of the Cacti software when the register_argc_argv directive is set to On. It can be exploited remotely through the Cacti web interface, allowing an attacker to execute arbitrary commands on the Cacti server. With those commands, the attacker could download and execute additional code and gain full control over the server.

The attack’s complexity is low, which means that an attacker only requires basic skills to successfully carry it out.

Cacti is commonly used for monitoring other systems, which means that compromising the Cacti server could also grant the attacker access to other networked systems and services.

UPDATE 2024-05-16: Cacti developers also patched three vulnerabilities in all versions below 1.2.27:
 
CVE-2024-31459 (CVSS N/A) is a high severity vulnerability caused by a file inclusion issue in the lib/plugin.php file. When combined with SQL injection vulnerabilities, it can be leveraged to achieve remote code execution.
 
CVE-2024-31445 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) is a high (8.8) SQL Injection vulnerability in the automation_get_new_graphs_sql function of api_automation.php which could allow authenticated users to perform privilege escalation and remote code execution.
 
CVE-2024-25641 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) is a critical (9.1) arbitrary file write vulnerability which could allow authenticated users with the "Import Templates" permission to execute arbitrary PHP code on the web server.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends:

  • to update the Cacti software as soon as possible to the latest version of 1.3.x DEV;
  • to make sure that the web interface is only exposed on trusted networks.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. Check the webserver’s access logs for untrusted IP addresses that might have accessed the file cmd_realtime.php and check for suspicious or unexpected activity performed by the user ID that runs the Cacti software.
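The access-log check described above can be automated. The following script is an added example, not code from the CCB advisory or the Cacti project: it parses Apache/nginx combined-format access log lines and reports every request for cmd_realtime.php that came from outside an assumed trusted network. The sample log lines and the 10.0.0.0/8 allowlist are constructed for this example.

```python
import ipaddress
import re
from typing import Iterable

# Combined log format as written by Apache/nginx; the regex captures only the
# fields this check needs: client IP, timestamp, request method/path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Sample access log lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2024:09:12:01 +0200] "GET /cacti/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [15/May/2024:09:12:07 +0200] "GET /cacti/cmd_realtime.php?poller_id=1 HTTP/1.1" 200 233 "-" "Mozilla/5.0"
203.0.113.77 - - [15/May/2024:09:14:30 +0200] "GET /cacti/cmd_realtime.php?poller_id=1 HTTP/1.1" 200 233 "-" "python-requests/2.31"
203.0.113.77 - - [15/May/2024:09:14:31 +0200] "POST /cacti/cmd_realtime.php HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.9 - - [15/May/2024:09:20:00 +0200] "GET /cacti/graph_view.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Networks from which Cacti administration is expected (assumed allowlist).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip: str, networks=TRUSTED_NETWORKS) -> bool:
    """True when the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable address: treat as untrusted
    return any(addr in net for net in networks)


def find_untrusted_realtime_hits(lines: Iterable[str], networks=TRUSTED_NETWORKS) -> list[dict]:
    """Return requests to cmd_realtime.php that came from outside the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if not path.endswith("/cmd_realtime.php"):
            continue
        if is_trusted(m.group("ip"), networks):
            continue
        hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                     "method": m.group("method"), "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_realtime_hits(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['ip']} {hit['method']} cmd_realtime.php -> {hit['status']}")
```

Feed the real access log with `find_untrusted_realtime_hits(open(path))` and adjust TRUSTED_NETWORKS to the networks that legitimately reach the Cacti web interface; any remaining hit is a starting point for the follow-up checks on the Cacti service account's activity.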

References

https://github.com/Cacti/cacti

https://github.com/LioTree