CVE-2023-37543
📋 TL;DR
CVE-2023-37543 is an Insecure Direct Object Reference (IDOR) vulnerability in Cacti that allows attackers to access any monitoring graph by manipulating the local_graph_id parameter in graph_xport.php. This affects all Cacti installations before version 1.2.6. The vulnerability enables unauthorized data access but does not provide direct system compromise.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate sensitive monitoring data including network metrics, system performance data, and potentially credentials or configuration details displayed in graphs, leading to information disclosure and reconnaissance for further attacks.
Likely Case
Unauthorized access to monitoring graphs containing sensitive operational data, potentially revealing network topology, system metrics, or performance information that could aid attackers in planning further attacks.
If Mitigated
With proper access controls and network segmentation, impact is limited to unauthorized viewing of monitoring data within the Cacti application scope.
🎯 Exploit Status
Exploitation requires simple HTTP requests with modified local_graph_id parameters. Public proof-of-concept details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.6
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj
Restart Required: No
Instructions:
1. Backup your Cacti database and configuration.
2. Download Cacti 1.2.6 or later from the official repository.
3. Follow the Cacti upgrade documentation for your specific version.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Access Restriction via Web Server
Restrict access to graph_xport.php using web server configuration or WAF rules
# Apache example:
<Location "/graph_xport.php">
    Require ip 10.0.0.0/8
</Location>
# Nginx example:
location = /graph_xport.php {
    allow 10.0.0.0/8;
    deny all;
}
Authentication Enforcement
Ensure graph_xport.php requires authentication by checking the Cacti authentication configuration
# Verify authentication is enabled in Cacti configuration
# Check /etc/cacti/config.php or similar for authentication settings
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Cacti web interface
- Deploy a WAF with rules to detect and block IDOR exploitation patterns
🔍 How to Verify
Check if Vulnerable:
Check if accessing /graph_xport.php?local_graph_id=[any_number] returns graph data without proper authorization checks
Check Version:
Run php /path/to/cacti/cli/version.php, or check the version shown in the Cacti web interface footer
Verify Fix Applied:
After patching, verify that unauthorized graph access attempts return appropriate error messages or are blocked
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to graph_xport.php with varying local_graph_id parameters
- Unauthorized access attempts to graph endpoints
- Unusual graph export patterns from unexpected IP addresses
Network Indicators:
- HTTP GET requests to /graph_xport.php with parameter manipulation
- Unusual data export patterns from Cacti server
SIEM Query:
source="cacti_access.log" AND uri="/graph_xport.php" AND (local_graph_id!="expected_pattern" OR status=200)
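The first log indicator above (many requests to graph_xport.php with varying local_graph_id values from one client) can be checked offline against web server access logs. The following Python is an added example, not code from this page or from the Cacti project; the log lines, client IPs and the threshold of five distinct graphs are constructed, and the sequential-id check goes slightly beyond the indicator text to separate enumeration from ordinary repeated use of one graph.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format access log lines (sample data, not real traffic).
# 10.0.0.5 walks consecutive graph ids; 10.0.0.9 exports a single graph once.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2023:10:00:01 +0000] "GET /cacti/graph_xport.php?local_graph_id=12&rra_id=0 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2023:10:00:02 +0000] "GET /cacti/graph_xport.php?local_graph_id=13&rra_id=0 HTTP/1.1" 200 4790 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2023:10:00:02 +0000] "GET /cacti/graph_xport.php?local_graph_id=14&rra_id=0 HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2023:10:00:03 +0000] "GET /cacti/graph_xport.php?local_graph_id=15&rra_id=0 HTTP/1.1" 200 4802 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2023:10:00:03 +0000] "GET /cacti/graph_xport.php?local_graph_id=16&rra_id=0 HTTP/1.1" 200 4799 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jul/2023:10:01:10 +0000] "GET /cacti/graph_xport.php?local_graph_id=12&rra_id=0 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""

# Client IP, request line (method + URI) and status code of a combined-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')


def graph_export_ids(log_text):
    """Map each client IP to the set of local_graph_id values it exported with HTTP 200."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("uri"))
        # Only successful hits on the vulnerable endpoint indicate data actually left.
        if not url.path.endswith("/graph_xport.php") or m.group("status") != "200":
            continue
        for gid in parse_qs(url.query).get("local_graph_id", []):
            seen[m.group("ip")].add(gid)
    return seen


def ids_are_sequential(ids):
    """True when the ids form one unbroken ascending run, a typical IDOR enumeration pattern."""
    nums = sorted(int(i) for i in ids if i.isdigit())
    return len(nums) > 1 and nums == list(range(nums[0], nums[0] + len(nums)))


def flag_enumerators(log_text, threshold=5):
    """Return (ip, distinct_id_count, sequential) for clients at or above the threshold."""
    hits = []
    for ip, ids in sorted(graph_export_ids(log_text).items()):
        if len(ids) >= threshold:
            hits.append((ip, len(ids), ids_are_sequential(ids)))
    return hits


if __name__ == "__main__":
    for ip, count, seq in flag_enumerators(SAMPLE_LOG):
        print(f"{ip}: {count} distinct graphs exported, sequential={seq}")
```

On a patched 1.2.6 or later instance the same scan is still useful: unauthorized attempts should then appear with non-200 statuses, which this filter deliberately ignores, so a client that still reaches the threshold is worth a closer look.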
🔗 References
- https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj
- https://medium.com/%40hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed