CVE-2020-14295 Overview
A SQL injection vulnerability exists in the color.php file of Cacti version 1.2.12. It allows an authenticated administrator to inject arbitrary SQL through the filter parameter. The severity is compounded by the fact that Cacti's database layer accepts stacked queries (several semicolon-separated statements submitted in one call), which lets an attacker move beyond reading data to writing files through the database server and, from there, to remote command execution on the underlying host.
Critical Impact
Authenticated administrators can leverage SQL injection to achieve remote command execution on systems running Cacti 1.2.12, potentially leading to complete server compromise.
Affected Products
- Cacti version 1.2.12
- Fedora 31
- Fedora 32
Discovery Timeline
- 2020-06-17 - CVE-2020-14295 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-14295
Vulnerability Analysis
This vulnerability is a classic SQL injection flaw (CWE-89): user-supplied input from the filter parameter in color.php is incorporated into SQL queries without being escaped or passed as a bound parameter. What makes it particularly dangerous is that the injected text can carry additional statements, and the database layer executes them (stacked queries).
Stacked queries let an attacker append further SQL statements separated by semicolons, enabling operations beyond simple data extraction. In this case, an authenticated administrator can use MySQL's ability to write files to disk (SELECT ... INTO OUTFILE or INTO DUMPFILE) to drop a PHP file into a web-accessible directory, turning what would typically be a data disclosure vulnerability into remote code execution. Note that MySQL itself does not run operating system commands; the command execution comes from the web server executing the PHP file that was written. The file write also depends on the Cacti database account holding the FILE privilege and on secure_file_priv permitting writes to a directory the web server will serve.
The attack requires administrative privileges to access the vulnerable endpoint, but once authenticated, an attacker has significant control over both the database and potentially the underlying operating system.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and sanitization of the filter parameter within the color.php script. The application fails to properly escape or parameterize user input before constructing SQL queries, allowing malicious SQL syntax to be interpreted as part of the query structure rather than as data.
Additionally, Cacti submits the query in a way that allows multiple statements per call (stacked queries). This is a property of how the application talks to the database through its client library, not a MySQL server setting, and it significantly increases the exploitability of the injection by allowing arbitrary database operations beyond the intended query scope.
Attack Vector
The attack is conducted over the network by an authenticated user with administrative privileges. The attacker crafts a malicious request to the color.php endpoint, embedding SQL injection payloads within the filter parameter.
The exploitation typically follows this pattern:
- An attacker with admin credentials authenticates to the Cacti web interface
- The attacker navigates to or directly requests the color.php endpoint
- Malicious SQL is injected through the filter parameter
- Using stacked queries, the attacker can write PHP files to the web directory
- The attacker then accesses the uploaded PHP file to execute system commands
Public exploits are available on Packet Storm Security demonstrating the full attack chain from SQL injection to remote command execution.
Detection Methods for CVE-2020-14295
Indicators of Compromise
- Unusual or malformed requests to color.php containing SQL syntax characters such as semicolons, single quotes, or UNION keywords in the filter parameter
- Web server logs showing requests with encoded SQL payloads targeting color.php
- Unexpected PHP files appearing in the Cacti web directory or temporary directories
- MySQL general query log entries (if the general query log is enabled) showing unexpected statements following a color.php search, or file operations via INTO OUTFILE or INTO DUMPFILE
- New or modified cron jobs, reverse shell connections, or unexpected processes running as the web server user
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to Cacti endpoints
- Monitor database query logs for anomalous stacked queries, file operations, or privilege escalation attempts
- Deploy file integrity monitoring on the Cacti web directory to detect unauthorized file creation or modification
- Configure intrusion detection systems (IDS) to alert on known exploitation signatures for CVE-2020-14295
Monitoring Recommendations
- Enable verbose logging on the web server and database to capture detailed request and query information
- Set up alerting for any INTO OUTFILE, INTO DUMPFILE, or LOAD_FILE operations in MySQL logs
- Monitor for outbound network connections originating from the web server process that may indicate reverse shell activity
- Regularly audit administrative user accounts and access patterns for anomalous behavior
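The following added example (written for this page, not a tool from the Cacti project or any vendor) applies the indicators listed above and the INTO OUTFILE / INTO DUMPFILE / LOAD_FILE alerting recommendation to constructed sample log lines: an Apache combined-format access log and a MySQL general query log. The log lines, client addresses, thread ids and file paths are made up, and the exploit-like request writes a harmless text file rather than a PHP file.

```python
"""Detection logic for the indicators of compromise above, run over
constructed sample log lines.

Added example for this page, not a Cacti project tool. The log lines are
invented to resemble an Apache combined access log and a MySQL general
query log; the suspicious request writes a harmless text file.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-format access log lines (not real traffic).
ACCESS_LOG_LINES = [
    '10.0.0.5 - - [17/Jun/2020:10:12:01 +0000] "GET /cacti/color.php?filter=Red HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Jun/2020:10:12:33 +0000] "GET /cacti/color.php?filter=Red%27%3B+SELECT+%27test%27+INTO+OUTFILE+%27%2Ftmp%2Fprobe.txt%27%3B--+ HTTP/1.1" 200 5210 "-" "curl/7.68.0"',
    '10.0.0.7 - - [17/Jun/2020:10:13:02 +0000] "GET /cacti/graph_view.php?filter=cpu HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

# Constructed MySQL general query log lines (tab-separated, the layout written
# when general_log=ON and log_output=FILE).
MYSQL_GENERAL_LOG_LINES = [
    "2020-06-17T10:12:01.000001Z\t   41 Query\tSELECT id, hex, name FROM colors WHERE name LIKE '%Red%'",
    "2020-06-17T10:12:33.000002Z\t   42 Query\tSELECT 'test' INTO OUTFILE '/tmp/probe.txt'",
    "2020-06-17T10:12:35.000003Z\t   42 Query\tSELECT LOAD_FILE('/etc/hostname')",
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Each indicator name is a local label, not a published signature set. The
# patterns are applied to the URL-decoded filter value.
FILTER_INDICATORS = {
    "quote": re.compile(r"'"),
    "stacked_statement": re.compile(r";"),
    "comment": re.compile(r"--|/\*|#"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
}

FILE_OP = re.compile(r"\binto\s+(?:out|dump)file\b|\bload_file\s*\(", re.I)


def filter_indicators(value: str) -> List[str]:
    """Return the sorted indicator names matching a decoded filter value.
    The value is decoded once more so a double-encoded payload
    (%2527 -> %27 -> ') is still inspected."""
    candidates = {value, unquote_plus(value)}
    hits = set()
    for name, pattern in FILTER_INDICATORS.items():
        if any(pattern.search(c) for c in candidates):
            hits.add(name)
    return sorted(hits)


def scan_access_log(lines: List[str], endpoint: str = "color.php") -> List[Dict]:
    """Flag requests to the vulnerable endpoint whose filter parameter
    carries SQL metacharacters or keywords."""
    alerts = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + endpoint):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("filter", []):
            hits = filter_indicators(value)
            if hits:
                alerts.append({
                    "client": line.split(" ", 1)[0],
                    "path": parts.path,
                    "filter": value,
                    "indicators": hits,
                })
    return alerts


def scan_mysql_general_log(lines: List[str]) -> List[Dict]:
    """Flag queries that read or write server-side files, the step that turns
    the injection into code execution in the published attack chain."""
    alerts = []
    for line in lines:
        fields = line.split("\t")
        if len(fields) < 3 or not fields[1].strip().endswith("Query"):
            continue
        statement = fields[2]
        if FILE_OP.search(statement):
            alerts.append({"thread": fields[1].split()[0], "statement": statement})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(ACCESS_LOG_LINES):
        print("web  :", alert)
    for alert in scan_mysql_general_log(MYSQL_GENERAL_LOG_LINES):
        print("mysql:", alert)
```

The MySQL side only has something to scan when the general query log is enabled, which is costly on a busy server; enable it temporarily or rely on the web-side indicators and file integrity monitoring instead. Expect tuning: the comment indicator will also fire on a literal '#' in a colour value, so treat a single weak indicator as low confidence and the file_write or file_read indicators as high confidence.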
How to Mitigate CVE-2020-14295
Immediate Actions Required
- Upgrade Cacti to a release newer than 1.2.12 that contains the fix for this issue (see the Patch Information section below)
- Restrict network access to Cacti administrative interfaces to trusted IP addresses only
- Review and audit all administrative user accounts, removing any unnecessary or suspicious accounts
- Implement strong authentication mechanisms and consider multi-factor authentication for admin access
Patch Information
Security patches and updates are available from the Cacti project. Refer to the GitHub Cacti Issue Discussion for detailed information about the fix. Linux distribution maintainers have also released security updates:
- Gentoo GLSA 202007-03
- Fedora security updates available via the Fedora Package Announcements
- openSUSE security updates via openSUSE Security Announcement
Workarounds
- If immediate patching is not possible, restrict access to color.php at the web server level using access control rules
- There is no MySQL server setting that disables stacked queries; whether several statements run in one call is decided by the client library call the application uses. Instead, limit what a stacked query can do: make sure the Cacti database account does not hold the FILE privilege and that secure_file_priv points to a directory outside the web root (or is set to NULL), so INTO OUTFILE cannot drop PHP files where the web server would execute them
- Implement a reverse proxy with SQL injection filtering capabilities in front of the Cacti application
- Consider temporarily disabling the vulnerable color management functionality until a patch can be applied
# Example Apache 2.4 (mod_authz_core) configuration to restrict access to color.php.
# Adjust the path to where Cacti is served; the CIDR ranges are placeholders.
# Several Require directives in a Location are combined as RequireAny,
# so any client outside the listed ranges is denied.
<Location /cacti/color.php>
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

