CVE-2020-7237
Published: 2020-01-20
Priority: P2 (70), high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 36.82% (98.3rd percentile)
Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | — | — |
| cacti | cacti | >= 0 < 1.2.9+ds1-1 | 1.2.9+ds1-1 |
| debian | cacti | < cacti 1.2.9+ds1-1 (bookworm) | cacti 1.2.9+ds1-1 (bookworm) |
Detection & IOCs (extracted from sources)
- Monitor for shell metacharacter injection in the 'Performance Boost Debug Log' field of Cacti's poller_automation.php, which triggers OS command execution at the start of a new poller cycle.
- Exploitation requires an authenticated session with privileges to modify Performance Settings; alert on privileged configuration changes to Cacti Performance Boost settings.
- External PoC/exploit details published at https://ctrsec.io/index.php/2020/01/25/cve-2020-7237-remote-code-execution-in-cacti-rrdtool/; review for additional attack patterns.
- Vulnerability only affects Cacti 1.2.8; fixed in 1.2.9. Verify the installed Cacti version before triaging alerts.
- OS commands execute at the start of a new poller cycle, not immediately upon saving the malicious log path; detection must account for this delayed execution window.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
GHSA
GHSA-4wfp-xfpc-fxcp (ghsa_unreviewed · 2022-05-24 · HIGH)
Description: same as the CVE text above.
OSV
CVE-2020-7237 (osv · 2020-01-20 · CVSS 8.8 · HIGH)
Description: same as the CVE text above.
Debian
CVE-2020-7237: cacti (vendor_debian · 2020 · CVSS 8.8 · HIGH)
Description: same as the CVE text above.
Scope: local
- bookworm: resolved (fixed in 1.2.9+ds1-1)
- bullseye: resolved (fixed in 1.2.9+ds1-1)
- forky: resolved (fixed in 1.2.9+ds1-1)
- sid: resolved (fixed in 1.2.9+ds1-1)
- trixie: resolved (fixed in 1.2.9+ds1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-7237 cacti: remote code execution due to input validation in Performance Boost Debug Log (bugzilla · 2020-02-04 · CVSS 8.8 · HIGH)
Description: same as the CVE text above.
References:
- https://github.com/Cacti/cacti/issues/3201
- https://ctrsec.io/index.php/2020/01/25/cve-2020-7237-remote-code-execution-in-cacti-rrdtool/
Discussion:
Created cacti tracking bugs for this issue:
Affects: epel-all [bug 1798189]
Affects: fedora-all [bug 1798188]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a
Bugzilla
CVE-2020-7237 cacti: remote code execution due to input validation in Performance Boost Debug Log [fedora-all] (bugzilla · 2020-02-04 · CVSS 8.8 · HIGH)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue af
Bugzilla
CVE-2020-7237 cacti: remote code execution due to input validation in Performance Boost Debug Log [epel-all] (bugzilla · 2020-02-04 · CVSS 8.8 · HIGH)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affect
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html
- https://ctrsec.io/index.php/2020/01/25/cve-2020-7237-remote-code-execution-in-cacti-rrdtool/
- https://github.com/Cacti/cacti/issues/3201
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SUSOTOIEJKD2IWJHN7TY56TDZJQZJUVJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XLZAMGTW2OSIBLYLXWHQBGWP7M4DTRS7/
- https://security.gentoo.org/glsa/202003-40