Threat update

This Cybersecurity Threat Advisory breaks down multiple critical vulnerabilities in the Cacti framework, an open-source network monitoring and fault management tool. Successful exploitation of these vulnerabilities could allow attackers to execute arbitrary code and compromise network infrastructure.

Technical Detail and Additional Info

What is the threat?

Several vulnerabilities were discovered in the Cacti framework. The most severe vulnerabilities include:

• CVE-2024-25641: Critical RCE allowing unauthenticated command execution.
• CVE-2024-29895: SQL injection leading to unauthorized database access.
• CVE-2024-31445: Another SQL injection vulnerability with similar risks.
• CVE-2024-31459: Improper access control allowing authentication bypass.

These vulnerabilities are primarily due to insufficient input validation and inadequate security checks, making it possible for attackers to perform Remote Code Execution (RCE) and SQL injection attacks. These exploits can be triggered remotely by sending specially crafted requests to a vulnerable Cacti instance. 

Why is it noteworthy?

Cacti is extensively used in various organizations for monitoring network performance and managing faults. The ability to exploit these vulnerabilities without authentication increases the risk of widespread attacks. The potential for attackers to gain full administrative control over the monitoring system and manipulate or exfiltrate critical data underscores the severity of these vulnerabilities. 

What is the exposure or risk?

Organizations using the Cacti framework are at significant risk. Exploiting these flaws could allow attackers to:

• Gain administrative access to the monitoring system.
• Execute arbitrary code, potentially compromising the entire network.
• Access and manipulate sensitive database information.
• Alter network configurations and disable monitoring alerts.
• Exfiltrate sensitive data such as network topologies and performance metrics.

These vulnerabilities expose organizations to potential data breaches, operational disruptions, financial loss, and reputational damage. 

What are the recommendations?

 LBT Technology Group recommends the following actions to keep your environment secure:

• Apply the latest patches provided by the Cacti developers to address the identified vulnerabilities.
• Limit access to the Cacti web interface to trusted IP addresses and implement strong authentication measures.
• Isolate the Cacti system from critical infrastructure through network segmentation to minimize the impact of any potential breach.
• Perform regular security audits and vulnerability assessments on the Cacti framework and associated systems.
• Improve monitoring and alerting systems to detect any suspicious activities or exploitation attempts swiftly.

References

 For more in-depth information about the recommendations, please visit the following links:

• https://thehackernews.com/2024/05/critical-flaws-in-cacti-framework-could.html
• https://securityonline.info/cve-2023-39361-critical-sql-injection-vulnerability-found-in-cacti/
• https://vulnera.com/newswire/critical-sql-injection-vulnerability-detected-in-cacti-monitoring-tool/
• https://www.helpnetsecurity.com/2024/01/09/cve-2023-51448/

If you have any questions, please contact LBT's Sales Engineer.