CVE-2024-29895 Scanner
CVE-2024-29895 Scanner - Command Injection vulnerability in Cacti
Short Info
- Level: Critical
- Single Scan
- Can be used by: Asset Owner
- Estimated Time: 10 seconds
- Time Interval: 19 days 5 hours
- Scan only one: URL
- Toolbox: -
Cacti is a software platform that provides operational monitoring and fault management, primarily used by IT administrators and network engineers to effectively monitor and maintain the health of infrastructure systems. It is favored for its graphing functionality, presenting data on network performance metrics in a visual format, and is highly customizable to fit the diverse needs of different network environments. Organizations of varying sizes rely on Cacti for ensuring that their systems are running efficiently and any performance issues are promptly identified and resolved. Used globally within datacenters and large corporate environments, the software supports an array of data sources, from network routers to application servers, allowing for comprehensive monitoring coverage. The flexibility and open-source nature of Cacti make it accessible for continual improvements and adaptations by its widespread community of users and developers.
The command injection vulnerability found in Cacti, specifically in the 1.3.x DEV branch, allows unauthorized users to inject and execute arbitrary commands on the hosting server, representing a critical security risk. The flaw is that `$poller_id` in `cmd_realtime.php` is taken from `$_SERVER['argv']`, which PHP populates from the URL query string when the `register_argc_argv` setting is `On`, so the value can be manipulated through a web request. Default configurations, such as those found in PHP Docker images, often have this setting enabled, increasing the susceptibility to exploitation. Successful exploitation can result in unauthorized access, data alteration, or further compromise of the affected server. Combined with missing hardening elsewhere, this could lead to severe network breaches or data exposure.
Technically, this vulnerability targets the `cmd_realtime.php` file in Cacti, where the `$poller_id` parameter is not validated before it reaches a command execution context. The vector relies on `register_argc_argv` being enabled, which is typical in many PHP deployments: because PHP fills `$_SERVER['argv']` from the query string, URL parameters become the unsanitized input that is eventually executed. It provides an entry point for attackers and enables potential lateral movement within the network post-compromise. Developers and system administrators often overlook this setting, which is why such vulnerabilities persist in production environments. Prompt patching, disabling `register_argc_argv` for web SAPIs, and strict parameter validation are the key mitigations.
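The following is an added, constructed illustration of the pattern just described, not Cacti's own code: a CLI-style script that trusts `$_SERVER['argv']` beside a hardened version that refuses non-CLI invocation and validates the id. The command line, the `--poller=` flag and the sample argv values are hypothetical.

```php
<?php
// Constructed illustration (not Cacti's code) of the argv pattern described above.
// With register_argc_argv=On, a web request such as /cmd_realtime.php?a+b makes
// PHP populate $_SERVER['argv'] from the query string, so a script written as a
// CLI-only tool that trusts argv suddenly accepts caller-chosen arguments over HTTP.

// Weak pattern: the poller id is read from argv and concatenated into a shell
// command line with no check of how the script was invoked and no validation.
function weak_poller_command(array $server): string
{
    $poller_id = $server['argv'][1] ?? '1';
    // The unvalidated value would reach exec()/shell_exec() unescaped.
    return 'php poller.php --poller=' . $poller_id;   // hypothetical command line
}

// Hardened pattern: refuse any non-CLI SAPI, accept only a positive integer, and
// escape the value before it is handed to a shell. Returns null when refused.
function safe_poller_command(array $server, string $sapi): ?string
{
    if ($sapi !== 'cli') {
        return null;                          // block web invocation entirely
    }
    $raw = (string) ($server['argv'][1] ?? '1');
    if (!preg_match('/^[1-9][0-9]*$/', $raw)) {
        return null;                          // reject anything that is not a poller id
    }
    return 'php poller.php --poller=' . escapeshellarg($raw);
}

// Constructed argv as PHP would fill it from a query string (hypothetical value).
$fromQuery = ['argv' => ['cmd_realtime.php', '1abc']];

var_dump(weak_poller_command($fromQuery));               // malformed value passes through
var_dump(safe_poller_command($fromQuery, 'fpm-fcgi'));   // refused: web SAPI
var_dump(safe_poller_command($fromQuery, 'cli'));        // refused: not an integer id
var_dump(safe_poller_command(['argv' => ['cmd_realtime.php', '7']], 'cli'));
```

Setting `register_argc_argv = Off` in the php.ini used by the web SAPI removes the query-string-to-argv path altogether; the in-script SAPI check is defence in depth for deployments where that setting cannot be controlled.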
If exploited, this vulnerability could lead to severe outcomes such as unauthorized command execution, complete compromise of the affected machine, pivoting to other network segments, or data manipulation. It poses a high risk of data exposure, loss or theft, unauthorized changes, and full administrative control over the compromised system by an attacker. This may further result in the disruption of services, data corruption, and erosion of trust in the system's integrity among users and stakeholders. A successful attack could also expose an organization to legal and financial liabilities due to breaches of data protection regulations.
REFERENCES
- https://github.com/Stuub/CVE-2024-29895-CactiRCE-PoC
- https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119
- https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
- https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
- https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m