CVE-2024-54145
📋 TL;DR
CVE-2024-54145 is a SQL injection vulnerability in Cacti's automation_devices.php file that allows attackers to execute arbitrary SQL commands through the network parameter. This affects all Cacti administrators and users with access to vulnerable instances. Successful exploitation could lead to data theft, manipulation, or unauthorized access to the database.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation, or remote code execution if database functions allow it.
Likely Case
Unauthorized data access, modification of monitoring data, or extraction of sensitive configuration information.
If Mitigated
Limited impact with proper input validation and database permissions restricting query execution.
🎯 Exploit Status
SQL injection vulnerabilities are typically easy to exploit with basic tools. Requires authenticated access to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.29
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-fh3x-69rr-qqpp
Restart Required: No
Instructions:
1. Back up your Cacti database and configuration.
2. Download Cacti 1.2.29 from the official repository.
3. Follow the upgrade instructions at https://docs.cacti.net/Upgrading.
4. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation for the network parameter in automation_devices.php
# Modify automation_devices.php to sanitize network parameter input
# Add parameterized queries or input validation before SQL execution
Access Restriction
Restrict access to automation_devices.php to trusted IP addresses only
# Apache (2.2-style directives; on Apache 2.4 use "Require ip 192.168.1.0/24" instead)
<Location /automation_devices.php>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Location>
# Nginx
location /automation_devices.php {
    allow 192.168.1.0/24;
    deny all;
}
🧯 If You Can't Patch
- Implement strict input validation for all user-supplied parameters in PHP code
- Apply network segmentation to isolate Cacti instances from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check the Cacti version via the web interface, or examine the source of automation_devices.php for the vulnerable get_discovery_results function.
Check Version:
grep '\$config\["cacti_version"\]' /path/to/cacti/include/global.php || php -r "include '/path/to/cacti/include/global.php'; echo \$config['cacti_version'];"
Verify Fix Applied:
Verify that the Cacti version is 1.2.29 or later via the web interface or by checking the version in include/global.php.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts followed by access to automation_devices.php
- Unexpected database errors in Cacti application logs
Network Indicators:
- Unusual traffic patterns to automation_devices.php endpoint
- SQL injection patterns in HTTP requests
SIEM Query:
source="cacti_logs" AND ("automation_devices.php" OR "network parameter") AND (error OR sql OR injection)
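The log and network indicators above can be checked offline against web-server access logs. The following is an added example (not part of this advisory and not Cacti project code): it parses Combined Log Format lines, keeps only requests to automation_devices.php, and flags any `network` value that is not a plain integer id and contains SQL metacharacters. Treating a legitimate `network` value as an integer is an assumption made here; the log lines are constructed sample data.

```python
"""Flag access-log requests to automation_devices.php whose `network`
parameter carries SQL metacharacters (added detection example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Dec/2024:10:00:01 +0000] "GET /cacti/automation_devices.php?network=5 HTTP/1.1" 200 4123
10.0.0.9 - admin [12/Dec/2024:10:00:07 +0000] "GET /cacti/automation_devices.php?network=5' HTTP/1.1" 200 9876
10.0.0.9 - - [12/Dec/2024:10:00:09 +0000] "GET /cacti/automation_devices.php?network=1%20UNION%20SELECT%201 HTTP/1.1" 500 312
10.0.0.7 - admin [12/Dec/2024:10:01:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 2210
"""

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Characters and keywords an integer network id never needs: quotes, comment
# openers, statement separators, UNION/SELECT and time-based probes.
SUSPICIOUS = re.compile(r"""['"`;]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(""", re.IGNORECASE)


def parse_line(line):
    """Return a dict with path and decoded query parameters, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "5'" and "5%27" compare equal here.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_suspicious_network_param(values):
    """Assumption: a legitimate `network` value is an integer id. Anything else
    that also carries SQL metacharacters is treated as an injection attempt."""
    for v in values:
        if v.isdigit():
            continue
        if SUSPICIOUS.search(v):
            return True
    return False


def find_alerts(log_text):
    """Scan log text and return one alert dict per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/automation_devices.php"):
            continue
        values = rec["query"].get("network", [])
        if is_suspicious_network_param(values):
            alerts.append({
                "ip": rec["ip"],
                "user": rec["user"],
                "status": rec["status"],
                "network": values,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Run it against a real access log with `find_alerts(open(path).read())`. The HTTP status is kept in each alert because a 500 on this endpoint after a malformed `network` value lines up with the "unexpected database errors" indicator above, while a 200 on the same request is the case worth reviewing first. If your instance legitimately sends non-integer `network` values, replace the `isdigit()` allow-list with the format it actually uses.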