CVE-2023-39357
📋 TL;DR
CVE-2023-39357 is a SQL injection vulnerability in Cacti's sql_save function that allows authenticated users to execute arbitrary SQL commands. This can lead to privilege escalation and remote code execution on affected systems. All Cacti installations below version 1.2.25 are vulnerable.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attacker gains full system control via SQL injection leading to remote code execution, potentially compromising the entire monitoring infrastructure and adjacent systems.
Likely Case
Authenticated user exploits SQL injection to escalate privileges, modify monitoring data, and potentially execute system commands on the Cacti server.
If Mitigated
With proper network segmentation and least-privilege access, the impact is limited to manipulation of Cacti application data, without system compromise.
🎯 Exploit Status
Exploitation requires authenticated access, but the SQL injection is straightforward once authenticated. No public PoC is available, but the vendor advisory provides technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.25
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-6jhp-mgqg-fhqg
Restart Required: Yes
Instructions:
1. Back up the Cacti database and configuration files.
2. Download Cacti 1.2.25 from the official repository.
3. Follow the upgrade instructions at https://docs.cacti.net/Upgrading.
4. Restart the web server and the Cacti poller services.
🔧 Temporary Workarounds
No workarounds available
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Restrict network access to Cacti web interface to only trusted IP addresses
- Implement strict authentication controls and monitor for suspicious SQL queries
🔍 How to Verify
Check if Vulnerable:
Check the Cacti version via the web interface or by examining the version string in the cacti.php file
Check Version:
grep '\$version' /path/to/cacti/include/global.php | head -1
Verify Fix Applied:
Verify that the installed version is 1.2.25 or higher and that SQL injection attempts are properly sanitized
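The version check above can be automated across many hosts. The following script is an added example written for this page, not Cacti project code; it assumes the version is held in an assignment of the form `$version = '1.2.24';` (mirroring the grep command above) and compares it numerically against 1.2.25 so that, for example, 1.2.3 is not mistaken for a newer release than 1.2.25.

```python
import re
import sys
from typing import Optional, Tuple

# First release that carries the fix for CVE-2023-39357 (from the advisory).
FIXED_VERSION = (1, 2, 25)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first $version = '...' assignment from PHP source text.

    Assumption (not confirmed by the advisory): the version string sits in an
    assignment such as $version = '1.2.24'; as the grep command above implies.
    """
    m = re.search(r"\$version\s*=\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when the version sorts before 1.2.25 (numeric, not string, order)."""
    # Pad short versions so "1.2" compares as (1, 2, 0).
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded < FIXED_VERSION


def check_global_php(text: str) -> str:
    """Return a one-line verdict for the contents of include/global.php."""
    v = parse_version(text)
    if v is None:
        return "unknown: no $version assignment found"
    label = ".".join(str(p) for p in v)
    verdict = "VULNERABLE (upgrade to 1.2.25+)" if is_vulnerable(v) else "patched"
    return f"{label}: {verdict}"


# Constructed sample contents standing in for include/global.php on two hosts.
SAMPLE_OLD = "<?php\n// ...\n$version = '1.2.24';\n"
SAMPLE_NEW = "<?php\n$version = \"1.2.25\";\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_cacti_version.py /path/to/cacti/include/global.php
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(check_global_php(fh.read()))
    else:
        for sample in (SAMPLE_OLD, SAMPLE_NEW):
            print(check_global_php(sample))
```

A version of 1.2.25 or higher only tells you the vulnerable code is gone; it does not tell you whether the flaw was used before the upgrade, which is what the detection section below is for.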
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in Cacti logs
- Multiple failed login attempts followed by SQL errors
- Unexpected database modifications
Network Indicators:
- SQL injection patterns in HTTP POST requests to Cacti endpoints
- Unusual outbound connections from Cacti server
SIEM Query:
source="cacti_access.log" AND (method="POST" AND (uri="*sql_save*" OR uri="*.php") AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*DELETE*"))
🔗 References
- https://github.com/Cacti/cacti/security/advisories/GHSA-6jhp-mgqg-fhqg
- https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
- https://www.debian.org/security/2023/dsa-5550