Attacker Value

Moderate

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2023-49085

Disclosure Date: December 22, 2023 •

CVE-2023-49085 CVSS v3 Base Score: 8.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

exploit/multi/http/cacti_pollers_sqli_rce

Description

Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the pollers.php script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the pollers.php. Impact of the vulnerability – arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.

Add Assessment

cdelafuente-r7 (96)

February 01, 2024 1:02pm UTC (9 months ago)•Edited 9 months ago

Ratings

Attacker Value

Medium

Exploitability

Very High

Gives privileged access Authenticated Requires elevated access

Technical Analysis

This is a blind SQL injection in the poller device management page (pollers.php), which can be exploited with time-based techniques. Even if the exploitation is a bit more complex, the attacker can have full control of the database and can read, update, insert and delete anything. For example, the user_auth_realm table can be updated to grant administrative privileges. Also, it is possible to chain this vulnerability with CVE-2023-49084 and get remote code execution. A Metasploit module exists for this.

The risk is reduced because the attacker needs to be authenticated with permissions to access the pollers page. This is granted by setting the Sites/Devices/Data permission in the General Administration section. That being said, even if Cacti is usually not exposed to the internet, it is a serious issue and should be patched as soon as possible. A fix has been released with version 1.2.26.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.8 High

Impact Score:

5.9

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

cacti

Products

cacti

Metasploit Modules

exploit/multi/http/cacti_pollers_sqli_rce (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb)

References

Canonical

CVE-2023-49085 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49085)

Miscellaneous

https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855

https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451

http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html

https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/

Rapid7

Moderate

CVE-2023-49085

Moderate

Very High

None

Low

Network

CVE-2023-49085

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Moderate

CVE-2023-49085

Moderate

Very High

None

Low

Network

CVE-2023-49085

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification