CVE-2024-31459
📋 TL;DR
CVE-2024-31459 is a critical vulnerability in Cacti monitoring software that allows remote code execution through a combination of SQL injection and file inclusion flaws. Attackers can exploit this to execute arbitrary code on affected systems. All Cacti installations prior to version 1.2.27 are vulnerable.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems in the network.
Likely Case
Remote code execution leading to web shell installation, data exfiltration, or cryptocurrency mining operations.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and least privilege principles are implemented.
🎯 Exploit Status
Exploitation requires chaining SQL injection with file inclusion, but public advisories provide sufficient technical details for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.27
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
Restart Required: Yes
Instructions:
1. Backup your Cacti installation and database.
2. Download Cacti 1.2.27 from the official repository.
3. Replace the vulnerable lib/plugin.php file with the patched version.
4. Restart the web server service.
5. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Network Isolation
Linux: Restrict network access to Cacti instances using firewall rules. Replace trusted_network with the address or CIDR range of your management network; the ACCEPT rules must be inserted before the DROP rules so that trusted traffic is matched first.
# trusted_network is a placeholder for your management network (address or CIDR)
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Web Application Firewall Rules
All platforms: Implement WAF rules to block SQL injection and file inclusion patterns
🧯 If You Can't Patch
- Immediately restrict network access to Cacti instances using firewall rules to only allow trusted IP addresses
- Implement a web application firewall with rules specifically targeting SQL injection and file inclusion patterns
🔍 How to Verify
Check if Vulnerable:
Check Cacti version via web interface or by examining the version.php file. Versions below 1.2.27 are vulnerable.
Check Version:
grep '\$version' /path/to/cacti/include/global.php | head -1
Verify Fix Applied:
Verify the installed version is 1.2.27 or higher. Check that the lib/plugin.php file has been updated with the security patch.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- File inclusion attempts in web server logs
- Unexpected PHP file execution
- Web shell upload patterns
Network Indicators:
- Unusual outbound connections from Cacti server
- Exploit tool traffic patterns
- Command and control beaconing
SIEM Query:
source="web_server_logs" AND (url="*plugin.php*" OR url="*api_plugin_hook*" OR query="*plugin_hooks*" OR query="*plugin_config*") AND status="200"
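The SIEM query above matches literal substrings, so it misses requests whose path or query string arrives percent-encoded. The following script is an added example (not part of this advisory, and not Cacti's own code) that applies the same indicators (plugin.php, api_plugin_hook, plugin_hooks, plugin_config) to web-server access logs after URL-decoding each request, and groups hits by client address for triage. The log lines are constructed for the demonstration; the combined log format regex and the `only_success` switch are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicators taken from the advisory's SIEM query.
INDICATORS = ("plugin.php", "api_plugin_hook", "plugin_hooks", "plugin_config")

# Apache/Nginx "combined" access-log format (assumed; adjust to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one normal page view, one request to lib/plugin.php,
# one percent-encoded request that the literal SIEM query would miss, one 403.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:01:02 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:01:09 +0000] "GET /cacti/lib/plugin.php?x=1 HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:12:01:15 +0000] "GET /cacti/index.php?a=%70%6c%75%67%69%6e_hooks HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:12:02:00 +0000] "GET /cacti/plugins.php HTTP/1.1" 403 12 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def matched_indicators(target):
    """URL-decode the request target and list every indicator it contains."""
    decoded = unquote(target).lower()
    return [ind for ind in INDICATORS if ind in decoded]


def scan(log_text, only_success=True):
    """Return a list of hits: parsed entries enriched with the indicators matched.

    only_success=True mirrors the SIEM query's status="200" filter. Set it to
    False to also surface failed probes, which are useful as early warning.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if only_success and entry["status"] != 200:
            continue
        found = matched_indicators(entry["target"])
        if found:
            entry["indicators"] = found
            hits.append(entry)
    return hits


def summarize_by_ip(hits):
    """Count hits per client address to prioritise which sources to review."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["target"], h["indicators"])
    print(summarize_by_ip(scan(SAMPLE_LOG)))
```

Run it against a real log with `scan(open("/var/log/apache2/access.log").read())`; the decoding step is what catches the third sample line, which the literal `url="*plugin_hooks*"` clause in the SIEM query would not.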
🔗 References
- https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
- https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
- https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html