CVE-2023-31132
📋 TL;DR
This CVE describes a privilege escalation vulnerability in Cacti where low-privileged Windows users can create arbitrary PHP files in web directories and execute them with SYSTEM privileges. Affected users are those running vulnerable Cacti versions on Windows systems where attackers have local user access. The vulnerability allows complete system compromise.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation leading to full administrative control of the Windows host running Cacti.
If Mitigated
Limited impact if proper access controls prevent low-privileged users from accessing Cacti installation directories.
🎯 Exploit Status
Requires existing low-privileged Windows user access. Exploitation is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.25
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-rf5w-pq3f-9876
Restart Required: Yes
Instructions:
1. Back up the Cacti configuration and database.
2. Download Cacti 1.2.25 from the official repository.
3. Stop the Cacti services.
4. Replace the existing installation with the patched version.
5. Restart the Cacti services.
6. Verify functionality.
🔧 Temporary Workarounds
Restrict directory permissions
Windows: Apply strict access controls to the Cacti web directories so that low-privileged users cannot write PHP files there. Scope the deny to the web-facing directories; the paths Cacti itself writes to (such as its log and cache directories) still need write access for the account running the web server.
icacls "C:\path\to\cacti\web\directory" /deny "Users":(OI)(CI)W
🧯 If You Can't Patch
- Implement strict access controls on Cacti installation directories to prevent low-privileged users from writing files.
- Monitor for unauthorized PHP file creation in Cacti web directories and investigate any suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check the Cacti version via the web interface or by examining the version.php file in the installation directory.
Check Version:
type "C:\path\to\cacti\include\config.php" | findstr "$version"
Verify Fix Applied:
Confirm version is 1.2.25 or later and test that low-privileged users cannot create files in web directories.
📡 Detection & Monitoring
Log Indicators:
- Unexpected PHP file creation in Cacti web directories
- Failed permission attempts on Cacti directories
- Unusual process execution from Cacti directories
Network Indicators:
- Unusual outbound connections from Cacti server following local user activity
SIEM Query:
EventID=4663 AND ObjectName LIKE '%cacti%web%' AND Accesses LIKE '%WriteData%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrators')
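The SIEM query above, ported to Python as an added example (not from the page or the Cacti project) and run over constructed Event ID 4663 records; the field names follow the query, and the sample paths and user names are assumptions.

```python
import fnmatch

# Constructed sample Windows Security events, flattened to the fields the page's
# SIEM query uses. 4663 = "An attempt was made to access an object". These events
# only exist if the "Audit File System" subcategory is enabled and the Cacti web
# directory carries a SACL auditing write access; without that, nothing is logged.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectName": r"C:\inetpub\cacti\web\plugins\x.php",
     "Accesses": "WriteData (or AddFile)"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "ObjectName": r"C:\inetpub\cacti\web\log\cacti.log",
     "Accesses": "WriteData (or AddFile)"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectName": r"C:\inetpub\cacti\web\index.php",
     "Accesses": "ReadData (or ListDirectory)"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectName": r"C:\Users\jdoe\notes.txt",
     "Accesses": "WriteData (or AddFile)"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "ObjectName": "", "Accesses": ""},
]

# Mirrors the page's NOT IN list. Caveat: SubjectUserName holds an account name, so a
# group name such as "Administrators" never appears there; in practice only SYSTEM is
# excluded. Add the web server's service account here if its own writes are noisy.
EXCLUDED_SUBJECTS = {"SYSTEM", "Administrators"}


def like(value: str, pattern: str) -> bool:
    """Case-insensitive SQL LIKE with % wildcards, as used in the SIEM query."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower().replace("%", "*"))


def matches_query(event: dict) -> bool:
    """One-event port of the page's SIEM query."""
    return (
        event.get("EventID") == 4663
        and like(event.get("ObjectName", ""), "%cacti%web%")
        and like(event.get("Accesses", ""), "%WriteData%")
        and event.get("SubjectUserName") not in EXCLUDED_SUBJECTS
    )


def is_php_write(event: dict) -> bool:
    """Tighter form of the page's 'unexpected PHP file creation' indicator."""
    return matches_query(event) and event["ObjectName"].lower().endswith(".php")


def suspicious_events(events: list) -> list:
    """Return the events the query would surface, in log order."""
    return [e for e in events if matches_query(e)]
```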
🔗 References
- https://github.com/Cacti/cacti/security/advisories/GHSA-rf5w-pq3f-9876
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/