Security Vulnerabilities In Cacti Framework Allow Execution Of Malicious Code

Security Vulnerabilities In Cacti Framework Allow Execution Of Malicious Code

Published on May 16th, 2024

Cacti, a widely used open-source network monitoring tool, recently addressed critical security vulnerabilities that could allow attackers to execute malicious code on affected systems.

This article details the identified flaws, their severity, and the recommended mitigation steps.

Urgent Update Needed: Cacti Users Face Remote Code Execution Risk

The Cacti development team patched a dozen security weaknesses, including two critical vulnerabilities (CVE-2024-25641 and CVE-2024-29895) that grant remote code execution (RCE) capabilities to attackers.

  • CVE-2024-25641 (CVSS score: 9.1) exploits an arbitrary file write vulnerability within the “Package Import” feature. An attacker with authenticated access and “Import Templates” permission can leverage this flaw to inject and execute malicious PHP code on the web server, achieving complete control.
  • CVE-2024-29895 (CVSS score: 10.0) exposes a command injection vulnerability. Any unauthenticated attacker can potentially execute arbitrary commands on the underlying server if the PHP option “register_argc_argv” is enabled. This can lead to complete system compromise.

These vulnerabilities highlight the critical importance of maintaining software with timely security updates.

With public proof-of-concept exploits available, attackers can readily exploit these weaknesses.

Upgrading Cacti to version 1.2.27, released on May 13, 2024, is essential to mitigate these risks.

Additional High-Severity Flaws Addressed

Beyond the critical RCE vulnerabilities, Cacti resolved two other high-severity flaws that could lead to code execution:

  • CVE-2024-31445 (CVSS score: 8.8) – An SQL injection vulnerability residing in “api_automation.php” empowers authenticated users to escalate privileges and execute malicious code remotely.
  • CVE-2024-31459 (CVSS score: N/A) – A file inclusion vulnerability within “lib/plugin.php” can be chained with SQL injection flaws to achieve remote code execution.

It’s crucial to note that ten out of the twelve vulnerabilities patched impact all Cacti versions before 1.2.26. Upgrading to the latest version safeguards your systems.

Cacti Users: Take Action Now

Here are the recommended steps for Cacti users:

  1. Update Immediately: Patch your Cacti installation to version 1.2.27 as soon as possible.
  2. Verify Permissions: Review user access controls and ensure only authorized users possess “Import Templates” permissions.
  3. Disable Unnecessary PHP Options: If not actively required, consider disabling the “register_argc_argv” option in your PHP configuration to mitigate the impact of CVE-2024-29895.
  4. Stay Informed: Regularly monitor security advisories from the Cacti project to remain updated on future vulnerabilities.

By following these steps, Cacti users can significantly reduce their exposure to these critical security risks.