cacti
Fixed version
1.2.29
CVE-2024-43363 describes a Remote Code Execution (RCE) vulnerability in Cacti, an open-source performance and fault management framework. An attacker can exploit this flaw by crafting a malicious hostname during device creation, leading to arbitrary code execution. This vulnerability impacts versions of Cacti prior to 1.2.28, and a patch is available in version 1.2.28.
The impact of this vulnerability is significant. A successful exploit allows an attacker to execute arbitrary PHP code on the Cacti server, effectively gaining complete control. This could lead to data breaches, system compromise, and potential lateral movement within the network. The attacker could modify configuration files, steal sensitive data, or even use the compromised server as a launchpad for further attacks. The log poisoning technique, where malicious code is injected into log files, is a concerning aspect of this vulnerability, as it can be difficult to detect and remove.
CVE-2024-43363 was publicly disclosed on 2024-10-07. There is currently no indication of active exploitation in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet widely available, but the vulnerability's simplicity suggests it could be easily exploited.
Organizations utilizing Cacti for network performance monitoring, particularly those running versions prior to 1.2.28, are at risk. Shared hosting environments where multiple users have access to device creation functionalities are especially vulnerable, as a compromised user could potentially exploit the vulnerability to impact other users on the same server.
• php: Check Cacti log files for unexpected PHP code.
  grep -r '<?php' /var/log/cacti/*
• php: Monitor Cacti server access logs for requests to log file URLs containing suspicious parameters.
  grep 'log.php' /var/log/apache2/access.log
• generic web: Scan Cacti server for exposed log files via directory listing.
  curl -I http://cacti.example.com/disclosure
Exploit status
EPSS
75.13% (99th percentile)
The primary mitigation for CVE-2024-43363 is to immediately upgrade Cacti to version 1.2.28 or later. Due to the nature of the vulnerability, there are no known workarounds. If upgrading is not immediately feasible, consider isolating the Cacti server from external networks to limit potential exposure. Thoroughly review device creation processes to ensure hostnames are properly validated and sanitized to prevent malicious code injection. After upgrading, confirm the fix by attempting to create a device with a hostname containing PHP code and verifying that the code is not executed.
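As an added, defender-side example (not code from this page or from the Cacti project), the following Python shows the two checks the text calls for: a strict allow-list validator for device hostnames of the kind the mitigation describes, and the log scan from the detection notes run over constructed Cacti log lines. Function names, the regexes and the sample log format are assumptions, not Cacti's own.

```python
import re

# Labels per RFC 1123: alphanumerics and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# PHP open tags (full, short and echo forms) that never belong in a hostname or a log line.
_PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)


def is_valid_hostname(value: str) -> bool:
    """Allow-list check: dotted IPv4 or an RFC 1123 hostname of at most 253 chars.

    Anything outside the allow-list (spaces, '<', '?', '_', ...) is rejected,
    so PHP tags can never reach the log files through this field.
    """
    if not value or len(value) > 253:
        return False
    m = _IPV4.match(value)
    if m:
        return all(0 <= int(octet) <= 255 for octet in m.groups())
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def scan_log_for_php(lines):
    """Return (line_no, line) pairs whose text contains a PHP open tag.

    Same idea as the grep from the detection notes, but usable on any
    iterable of lines (a file handle, a syslog export, a test fixture).
    """
    return [(i, line) for i, line in enumerate(lines, start=1) if _PHP_TAG.search(line)]


# Constructed sample Cacti log lines (assumed format, not taken from a real server).
SAMPLE_LOG = [
    "2024-10-07 10:00:01 - POLLER: Poller[1] Device[router1.example.com] polled",
    "2024-10-07 10:00:02 - POLLER: Poller[1] Device[<?php /* constructed */ ?>] polled",
    "2024-10-07 10:00:03 - POLLER: Poller[1] Device[10.0.0.5] polled",
]

if __name__ == "__main__":
    for name in ("router1.example.com", "10.0.0.5", "<?php /* constructed */ ?>", "bad_host"):
        print(f"{name!r}: valid={is_valid_hostname(name)}")
    for line_no, line in scan_log_for_php(SAMPLE_LOG):
        print(f"suspicious log line {line_no}: {line}")
```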
Upgrade Cacti to version 1.2.28 or later. This version contains the fix for the remote code execution vulnerability. There are no known workarounds, so upgrading is the only recommended solution.
CVE-2024-43363 is a Remote Code Execution vulnerability in Cacti versions prior to 1.2.28, allowing attackers to execute arbitrary PHP code via malicious device hostnames.
You are affected if you are running Cacti version 1.2.28 or earlier. Upgrade to 1.2.28 to mitigate the risk.
Upgrade Cacti to version 1.2.28 or later. There are no known workarounds for this vulnerability.
There is currently no evidence of active exploitation in the wild, but the vulnerability's simplicity suggests it could be easily exploited.
Refer to the official Cacti security advisory for detailed information and updates: [https://forums.cacti.net/viewtopic.php?t=17623](https://forums.cacti.net/viewtopic.php?t=17623)