CVE-2019-17358

8.1 HIGH

📋 TL;DR

CVE-2019-17358 is an unsafe deserialization vulnerability in Cacti that allows authenticated attackers to manipulate object data values. This could lead to arbitrary code execution, memory corruption, or unauthorized system actions. The vulnerability affects Cacti versions through 1.2.7.

💻 Affected Systems

Products:
  • Cacti
Versions: All versions through 1.2.7
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the Cacti web interface. PHP versions with insecure deserialization behavior are particularly vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Authenticated attacker gains remote code execution on the Cacti server, potentially compromising the entire system and enabling lateral movement.

🟠

Likely Case

Authenticated user with malicious intent executes arbitrary code within the Cacti application context, leading to data theft, system manipulation, or service disruption.

🟢

If Mitigated

With proper authentication controls and network segmentation, impact is limited to the Cacti application itself rather than the underlying system.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of PHP object injection techniques. Multiple proof-of-concept examples exist in security communities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cacti 1.2.8 and later

Vendor Advisory: https://github.com/Cacti/cacti/security/advisories

Restart Required: No

Instructions:

1. Back up the Cacti configuration and database.
2. Download Cacti 1.2.8 or later from the official repository.
3. Replace the vulnerable lib/functions.php with the patched version.
4. Verify that no custom modifications are overwritten.
5. Clear the PHP opcache if enabled.

🔧 Temporary Workarounds

Restrict Cacti Access

Platform: Linux

Limit Cacti web interface access to trusted users only using network controls

# Configure firewall rules to restrict access: allow the trusted network, then drop everyone else.
# Replace trusted_network with your management range (e.g. 10.0.0.0/24); without the
# trailing DROP rules (or a DROP chain policy) the ACCEPT rules alone restrict nothing.
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Implement Web Application Firewall

Platform: All

Deploy a WAF with rules to detect and block PHP deserialization attacks

# Example ModSecurity rule for PHP deserialization. Needs SecRequestBodyAccess On so POST
# parameters are inspected; the pattern is deliberately broad, so run the engine in
# DetectionOnly mode first to measure false positives before switching to deny.
SecRule ARGS "@rx O:[0-9]+:" "id:1001,phase:2,deny,msg:'PHP Object Injection Attempt'"

🧯 If You Can't Patch

  • Implement strict authentication controls and limit Cacti access to essential personnel only
  • Monitor Cacti logs for unusual activity and implement intrusion detection for PHP deserialization patterns

🔍 How to Verify

Check if Vulnerable:

Check the Cacti version in the web interface footer or with: grep 'version' /path/to/cacti/include/global.php

Check Version:

grep "\$config\['cacti_version'\]" /path/to/cacti/include/global.php

Verify Fix Applied:

Verify version is 1.2.8 or later and check lib/functions.php for proper input validation around unserialize() calls

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to Cacti endpoints
  • PHP errors related to unserialize() or memory corruption
  • Unexpected process execution from Cacti user

Network Indicators:

  • Serialized PHP objects in HTTP POST data
  • Unusual outbound connections from Cacti server

SIEM Query:

source="cacti_access.log" AND (method="POST" AND (uri="/graph_view.php" OR uri="/graph.php") AND size>10000)
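As an added example (not from the original page or the Cacti project), the following Python detector applies the Network Indicator above and the ModSecurity pattern from the workarounds section to captured POST bodies, but also looks inside URL-encoded and base64-encoded layers, which the plain O:[0-9]+: rule misses, and requires the declared class-name length to match, which cuts false positives. The request sample is constructed, and stdClass is used only as a harmless placeholder class name.

```python
import base64
import re
from urllib.parse import unquote_plus

# Header of a serialized PHP object: O:<len>:"<class>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
BASE64_TOKEN_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')  # base64 runs long enough to hide an object


def candidate_decodings(payload):
    """Yield the raw payload plus its URL-decoded and base64-decoded views."""
    yield payload
    decoded = unquote_plus(payload)
    if decoded != payload:
        yield decoded
    for text in (payload, decoded):
        for token in BASE64_TOKEN_RE.findall(text):
            try:
                yield base64.b64decode(token, validate=True).decode("latin-1")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue


def find_php_objects(payload):
    """Return class names of serialized PHP objects found in any decoding layer."""
    # Requiring the declared length to match the class name drops most accidental
    # matches of the bare O:<n>: pattern that the ModSecurity rule keys on.
    found = []
    for view in candidate_decodings(payload):
        for length, class_name in PHP_OBJECT_RE.findall(view):
            if int(length) == len(class_name) and class_name not in found:
                found.append(class_name)
    return found


# Constructed sample of captured POST bodies to Cacti endpoints (e.g. a WAF audit log);
# stdClass is a harmless stand-in class name.
SAMPLE_REQUESTS = [  # (method, uri, body)
    ("POST", "/graph_view.php", "action=preview&columns=2"),
    ("POST", "/graph_view.php", 'action=preview&data=O:8:"stdClass":1:{s:1:"a";s:1:"b";}'),
    ("POST", "/graph.php", "data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A1%3A%22b%22%3B%7D"),
    ("POST", "/graph.php", "data=" + base64.b64encode(b'O:8:"stdClass":0:{}').decode()),
    ("GET", "/index.php", ""),
]


def scan_requests(requests):
    """Return (uri, classes) for each POST request that carries a serialized PHP object."""
    alerts = []
    for method, uri, body in requests:
        classes = find_php_objects(body) if method == "POST" else []
        if classes:
            alerts.append((uri, classes))
    return alerts
```

Run the scanner over WAF audit-log bodies rather than plain access logs, which usually do not record POST payloads.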
