HTTP: Cacti arbitrary command execution
This signature detects attempts to exploit a known vulnerability against Cacti Group Cacti remote_agent.php. A successful attack can lead to command injection and arbitrary code execution.
Extended Description
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
References
CVE: CVE-2024-29895
Short Name
HTTP:CTS:CACTI-MONITOR-CMD-INJ
Severity
Major
Recommended
True
Recommended Action
None
Category
HTTP
Keywords
CVE-2024-29895 Cacti arbitrary command execution
Release Date
05/31/2024
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3710
False Positive
Unknown