Cacti vulnerable to command injection attack through URL manipulation
CVE-2024-29895

CVSS 10 (CRITICAL)

Key Information:

Vendor: Cacti

Status
Vendor
CVE Published: 14 May 2024

Badges

  • Trended
  • Score: 11,500
  • Exploit Exists
  • Public PoC
  • EPSS 92%
  • News Worthy

What is CVE-2024-29895?

CVE-2024-29895 is a critical vulnerability affecting the Cacti software, which is an open-source network monitoring and management tool. This vulnerability allows unauthenticated users to exploit a command injection flaw, particularly when the register_argc_argv PHP option is enabled. By manipulating URLs, attackers can execute arbitrary commands on the server, posing a serious risk to organizations that rely on Cacti for operational monitoring. The default configuration of PHP in many environments, including popular Docker images, makes this vulnerability particularly concerning for users.

Technical Details

The vulnerability primarily resides in the cmd_realtime.php file within the Cacti application. Specifically, it involves the use of the $poller_id variable, which is derived from $_SERVER['argv']. Under certain conditions, such as when the register_argc_argv PHP option is enabled, an attacker can manipulate requests to execute malicious commands on the server. This situation is exacerbated by the fact that this option is typically turned on by default in many PHP installations, which increases the likelihood of exploitation in real-world environments.
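A detection sketch for the request pattern described above, added here as an example (it is not code from Cacti or from this advisory). It assumes web access logs in combined log format and that cmd_realtime.php is never legitimately requested over HTTP; with register_argc_argv enabled, PHP fills $_SERVER['argv'] from the query string of a web request, so any query string reaching this script is treated as the strongest signal. The log lines, the `find_hits` helper and the severity labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2024:10:01:02 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [15/May/2024:10:02:10 +0000] "GET /cacti/cmd_realtime.php?1+PLACEHOLDER+2 HTTP/1.1" 200 17 "-" "curl/8.0"
198.51.100.4 - - [15/May/2024:10:03:44 +0000] "GET /cacti/cmd_realtime.php HTTP/1.1" 200 0 "-" "scanner"
198.51.100.4 - - [15/May/2024:10:04:00 +0000] "POST /cacti/CMD_REALTIME.PHP?x HTTP/1.1" 404 0 "-" "scanner"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT = "cmd_realtime.php"  # file named in the advisory


def find_hits(log_text):
    """Return one dict per web request that reached cmd_realtime.php."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        # Decode percent-encoding and ignore case so simple evasions still match.
        name = unquote(url.path).rsplit("/", 1)[-1].lower()
        if name != SCRIPT:
            continue
        status = int(m["status"])
        if url.query and 200 <= status < 300:
            severity = "high"    # query string (argv source) reached a served script
        elif url.query:
            severity = "medium"  # attempt with a query string, not served
        else:
            severity = "low"     # probe of the script without arguments
        hits.append({"ip": m["ip"], "time": m["ts"], "status": status,
                     "has_query": bool(url.query), "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

The query string itself is deliberately not echoed into the result; pull the raw log line for triage once a hit is confirmed.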

Impact of the Vulnerability

  1. Unauthorized Command Execution: Attackers can execute arbitrary commands on the server without authentication, leading to unauthorized access and control over the system.

  2. Potential for Data Breaches: Given the elevated privileges granted through command execution, attackers may access sensitive data, potentially leading to significant breaches of confidentiality.

  3. Risk of Malware Deployment: The ability to run arbitrary commands can enable attackers to deploy malware or ransomware on the compromised server, compromising not just the initial system but potentially spreading to connected networks or devices.

Affected Version(s)

cacti = 1.3.x DEV

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

Cacti Patches Critical Flaws: Urgent Update Needed for Network Security

CVE-2024-29895 (CVSS score 10.0): A command injection vulnerability that allows any unauthenticated user to execute arbitrary commands

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

  • Score: 10
  • Severity: CRITICAL
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed

Timeline

  • Public PoC available

  • Vulnerability started trending

  • Exploit known to exist

  • First article discovered by meterpreter.org

  • Vulnerability published

  • Vulnerability Reserved
