CVE-2023-39359: Authenticated SQL Injection Vulnerability leading to Privilege Escalation and Remote Code Execution in Cacti

Cacti is a widely-used, open-source operational monitoring and fault-management framework that provides a powerful and flexible solution for monitoring network devices, applications, and infrastructure. However, a critical vulnerability, labeled as CVE-2023-39359, was recently discovered in Cacti, affecting versions prior to 1.2.25.

Brief Description of the Vulnerability

This vulnerability allows an authenticated attacker to exploit an SQL injection vulnerability, which leads to privilege escalation and remote code execution. The injection point of the vulnerability resides in the graphs.php file when dealing with the cases of ajax_hosts and ajax_hosts_noany.

Here's a code snippet from the vulnerable graphs.php file

if ($site_id > ) {
    $sql_where .= " AND h.site_id=$site_id";
}

As seen in the code snippet above, if the site_id parameter is greater than , it's directly reflected in the WHERE clause of the SQL statement, creating an SQL injection vulnerability.

Links to Original References

- Cacti's official GitHub repository: https://github.com/Cacti/cacti
- Cacti's official announcement addressing the issue: https://forums.cacti.net/viewtopic.php?f=4&t=63435
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39359

Exploit Details

To exploit this vulnerability, an attacker simply needs to create a specially-crafted site_id value as a part of their HTTP request, which is then directly evaluated in the SQL statement through the graphs.php file.

Given that the permissions to access and modify the graphs.php file are required to execute this attack, authenticated users with lower privilege levels may be able to carry out further attacks in the system by leveraging the SQL injection vulnerability, including possible privilege escalation and remote code execution.

Recommendations and Workarounds

The Cacti team has already addressed this issue in version 1.2.25. Users are advised to upgrade their Cacti installations to the latest version as soon as possible. Currently, no known workarounds exist for this vulnerability.

This finding highlights the critical nature of keeping your software up to date, as vulnerabilities will continue to be discovered and exploited in the wild. Regular patching and updates can greatly reduce security risks and keep your network infrastructure and applications safe from potential attacks.

Timeline

Published on: 09/05/2023 21:15:46 UTC
Last modified on: 11/09/2023 05:15:09 UTC