CVE-2024-31445
📋 TL;DR
This SQL injection vulnerability in Cacti allows authenticated users to execute arbitrary SQL commands, potentially leading to privilege escalation and remote code execution. It affects all Cacti installations prior to version 1.2.27 where users have authenticated access to the automation API.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution, data exfiltration, and complete control over the Cacti server and potentially underlying systems.
Likely Case
Privilege escalation within Cacti leading to administrative access, data manipulation, and potential lateral movement within the network.
If Mitigated
Limited impact due to proper network segmentation, minimal user privileges, and monitoring that detects SQL injection attempts.
🎯 Exploit Status
Exploitation requires authenticated access but the SQL injection is straightforward. Public exploit code may emerge given the high CVSS score and RCE potential.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.27
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc
Restart Required: No
Instructions:
1. Backup your Cacti database and configuration.
2. Download Cacti 1.2.27 from the official repository.
3. Follow the Cacti upgrade documentation to apply the update.
4. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Restrict API Access
Block or restrict access to the vulnerable API endpoint (/api_automation.php) at the web server or firewall level.
# Apache example: RewriteRule ^/api_automation\.php$ - [F]
# Nginx example: location ~ /api_automation\.php$ { deny all; }
Minimize User Privileges
Review and reduce user permissions to only the functions each user needs, removing automation API access where possible.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Cacti servers from critical systems
- Enable detailed logging and monitoring for SQL injection attempts and unusual API activity
🔍 How to Verify
Check if Vulnerable:
Check Cacti version via web interface (Console > About) or command line: grep 'cacti_version' /path/to/cacti/include/global.php
Check Version:
grep "cacti_version" /path/to/cacti/include/global.php | cut -d"'" -f4
Verify Fix Applied:
Confirm the version is 1.2.27 or higher and check that the vulnerable lines in api_automation.php have been patched (the lines referenced at 717 and 856 in the pre-fix source should show proper input validation).
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in Cacti logs
- Multiple failed authentication attempts followed by API access
- Suspicious patterns in automation API requests
Network Indicators:
- Unusual outbound connections from Cacti server
- Traffic to /api_automation.php with SQL injection patterns
SIEM Query:
source="cacti.log" AND ("api_automation" OR "automation_get_new_graphs_sql") AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR suspicious_patterns)
(Illustrative query; replace suspicious_patterns with your own pattern list and adapt the field names to your SIEM.)
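As an added example (not part of the original advisory or of Cacti itself), this Python script applies the network indicator above to constructed web-server access-log lines: it URL-decodes the query string of requests to api_automation.php and flags only those carrying both an SQL keyword and an SQL metacharacter, so a benign parameter such as action=select does not alert. The log format, sample lines and endpoint path are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample in Apache "combined"-style format; these lines were written
# for this example and do not come from any real Cacti deployment.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2024:10:01:02 +0000] "GET /cacti/api_automation.php?action=list&rows=25 HTTP/1.1" 200 812
10.0.0.9 - admin [12/Mar/2024:10:01:09 +0000] "GET /cacti/api_automation.php?action=list&rows=25%27%20UNION%20SELECT%201 HTTP/1.1" 200 5123
10.0.0.9 - admin [12/Mar/2024:10:01:15 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 2201
10.0.0.7 - - [12/Mar/2024:10:02:40 +0000] "GET /cacti/api_automation.php?action=select HTTP/1.1" 302 0
"""

# Client IP, remote user, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A keyword alone is noisy (legitimate parameters can be words like "select");
# require an SQL metacharacter as a second signal before alerting.
SQL_KEYWORDS = re.compile(r'\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP|SLEEP|BENCHMARK)\b', re.I)
SQL_METACHARS = re.compile(r"'|--|/\*|;")

def find_injection_attempts(log_text, endpoint="api_automation.php"):
    """Return one dict per request to `endpoint` whose decoded query string
    contains both an SQL keyword and an SQL metacharacter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/" + endpoint):
            continue
        # Decode before matching: %27 / %20 would hide the payload from a raw grep.
        query = unquote_plus(parts.query)
        keywords = {k.upper() for k in SQL_KEYWORDS.findall(query)}
        if keywords and SQL_METACHARS.search(query):
            hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                         "status": int(m["status"]), "query": query,
                         "matched": sorted(keywords)})
    return hits

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} {hit['matched']} -> {hit['query']}")
```

Access logs record only the GET query string; parameters sent in a POST body are not visible here and need a WAF or application-level log to inspect.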
🔗 References
- https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.php#L717
- https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.php#L856
- https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e886
- https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html