Monitoring software: Cacti vulnerabilities allow malicious code to be injected
An updated version of the Cacti monitoring software closes several security gaps, some of which are critical. Attackers could use them to smuggle in code.
![Stylized image: a laptop stands on a desk in front of server racks, which are on fire](https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/4/5/8/9/4/7/2/2024-05-13-BingDesigner-Laptop_vor_Serverschraenken_brennt-1-2160px-af1f4dbdc63646b4.png)
Security gaps jeopardize network security.
(Image: image created with AI in Bing Designer by heise online / dmk)
The new version 1.2.27 of the monitoring software Cacti closes several security vulnerabilities, among other things. The severity level ranges up to "critical" and allows attackers to inject malicious code or cause damage with SQL injections, for example.
The changelog lists nine changes in Cacti as security patches. Registered users with authorization to import templates can inject arbitrary malicious code due to a vulnerability that allows the writing of arbitrary files in the package import function (CVE-2024-25641, CVSS 9.1, risk "critical").
Old Cacti version with high-risk and critical vulnerabilities
Authenticated attackers can also abuse an SQL injection vulnerability in the automation_get_new_graphs_sql function in api_automation.php to escalate their privileges or inject and execute malicious code (CVE-2024-31445, CVSS 8.8, high). A file inclusion problem in lib/plugin.php can be combined with SQL injection vulnerabilities to smuggle in arbitrary code (CVE-2024-31459, no CVSS value, high).
The developers classify the other vulnerabilities as medium risk. The following vulnerabilities, sorted in descending order of severity, are closed by the new Cacti version:
- RCE vulnerability when importing packages, CVE-2024-25641, CVSS 9.1, critical
- SQL injection vulnerability when retrieving graphs using Automation API, CVE-2024-31445, CVSS 8.8, high
- RCE vulnerability when plugins include files, CVE-2024-31459, no CVSS value, high
- XSS vulnerability when managing data queries, CVE-2024-31443, CVSS 5.7, medium
- XSS vulnerability when reading tree rules with Automation API, CVE-2024-31444, CVSS 4.6, medium
- SQL injection vulnerability when using form templates, CVE-2024-31458, CVSS 4.6, medium
- Authentication bypass when using older password hashes, CVE-2024-34340, CVSS 4.2, medium
- SQL injection vulnerability when using tree rules through Automation API, CVE-2024-31460, no CVSS value, medium
- XSS vulnerability when using the JavaScript-based messaging API, CVE-2024-29894, no CVSS value, medium
As some of the vulnerabilities are considered critical or high-risk, IT managers should update their Cacti systems to the new version as soon as possible. The updated version can be downloaded from the Cacti download page.
The developers last patched security leaks in Cacti in January. These high-risk vulnerabilities also allowed SQL injections or the injection of arbitrary PHP code.
(dmk)