Cacti
cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*
- <= 1.2.28
A command injection vulnerability has been identified in Cacti versions prior to 1.2.29. This flaw allows authenticated users to input crafted SNMP community strings containing control characters, including newlines, which are stored verbatim in the database. When these strings are later used in SNMP operations, they can be interpreted as command boundaries by some SNMP tools, potentially leading to unauthorized command execution with the privileges of the Cacti process.
Exploitation of this vulnerability allows for arbitrary command execution with the privileges of the Cacti process. This could result in unauthorized changes to monitoring data, execution of system-level commands, unauthorized file writes, and potentially a full compromise of the Cacti server.
To reproduce this vulnerability, an authenticated user creates a new device in Cacti and enters a crafted SNMP community string that includes control characters, such as newlines. The string is stored in the database verbatim, and when it is later used by the SNMP functionality, the content following the control character can be executed as a command.
Users can upgrade to Cacti version 1.2.29 or later, where this vulnerability has been fixed.
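A defensive check for the condition described above, as an added example that is not Cacti's code and not the fix shipped in 1.2.29: it rejects control characters in a community string at write time and audits values that are already stored. The `(device_id, community)` row shape, the function names and the sample rows are assumptions constructed for illustration.

```python
import unicodedata


def control_chars(value):
    """Return (offset, codepoint) for every control character (category Cc)."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(value)
            if unicodedata.category(ch) == "Cc"]


def validate_community(value):
    """Write-time check: refuse a community string with control characters."""
    hits = control_chars(value)
    if hits:
        raise ValueError(f"control characters in community string: {hits}")
    return value


def audit_devices(rows):
    """Read-time check over (device_id, community) rows already in storage."""
    findings = []
    for device_id, community in rows:
        hits = control_chars(community)
        if hits:
            findings.append({
                "device_id": device_id,
                # Escaped form so the value is safe to print in a report.
                "printable": community.encode("unicode_escape").decode("ascii"),
                "control_chars": hits,
            })
    return findings


# Constructed sample rows (hypothetical export of device id and community).
SAMPLE_ROWS = [
    (1, "public"),
    (2, "monitor-ro\nsecond-line"),
    (3, "lab\r\ncommunity"),
    (4, "tab\tseparated"),
]

if __name__ == "__main__":
    for finding in audit_devices(SAMPLE_ROWS):
        print(finding)
```
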