CVE-2024-29895 Overview
CVE-2024-29895 is a command injection vulnerability affecting Cacti, an operational monitoring and fault management framework. This vulnerability exists in the 1.3.x DEV branch and allows any unauthenticated user to execute arbitrary commands on the server when the register_argc_argv PHP configuration option is enabled.
The vulnerability resides in cmd_realtime.php at line 119, where the $poller_id variable is sourced from $_SERVER['argv'], which can be controlled via URL parameters when register_argc_argv is enabled. This configuration is enabled by default in many environments, including the main PHP Docker image, significantly increasing the attack surface.
Critical Impact
Unauthenticated remote attackers can execute arbitrary commands on vulnerable Cacti servers, potentially leading to complete system compromise, data exfiltration, and lateral movement within the network.
Affected Products
- Cacti 1.3.x DEV branch
- PHP environments with register_argc_argv enabled (default in PHP Docker images)
- Cacti installations using affected versions of cmd_realtime.php
Discovery Timeline
- 2024-05-14 - CVE-2024-29895 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-29895
Vulnerability Analysis
This command injection vulnerability (CWE-77) arises from the unsafe handling of user-controllable input in the cmd_realtime.php script. The core issue is that the $poller_id variable is derived from $_SERVER['argv'], a PHP superglobal that can be manipulated through URL query string parameters when the register_argc_argv PHP directive is set to On.
The vulnerability is particularly dangerous because it requires no authentication, meaning any network-accessible Cacti instance with the vulnerable configuration can be exploited by anonymous attackers. The attack can be executed entirely over the network with no user interaction required.
Root Cause
The root cause of this vulnerability is the use of unsanitized input from $_SERVER['argv'] in command execution contexts. When register_argc_argv is enabled in PHP, the query string components are parsed and made available in the $_SERVER['argv'] array. The Cacti code at line 119 of cmd_realtime.php uses this value directly as part of a system command without proper validation or sanitization.
A patch was initially applied in commit 53e8014d1f082034e0646edc6286cde3800c683d, but this fix was subsequently reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc, leaving the vulnerability unaddressed in certain code versions.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can craft a malicious URL containing command injection payloads in the query string. When the Cacti server processes this request with register_argc_argv enabled, the attacker's payload is incorporated into a system command and executed with the privileges of the web server process.
Successful exploitation grants the attacker the ability to execute arbitrary shell commands, potentially allowing them to read sensitive configuration files, establish reverse shells, install malware, or pivot to other systems on the network. The CVSS scope metric is Changed (S:C), meaning the vulnerability can impact resources beyond the vulnerable component itself.
For technical details on the vulnerable code, refer to the Cacti Command Code Review and the GitHub Security Advisory.
Detection Methods for CVE-2024-29895
Indicators of Compromise
- Unusual HTTP requests to /cmd_realtime.php with suspicious query string parameters containing shell metacharacters (;, |, &&, backticks)
- Web server process spawning unexpected child processes such as /bin/sh, /bin/bash, wget, curl, or nc
- Outbound network connections from the web server to unknown external IP addresses
- New or modified files in web-accessible directories or temporary folders
- Web server error logs showing command execution failures or syntax errors
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing shell metacharacters in query strings to cmd_realtime.php
- Monitor process creation events for web server processes spawning command shells or downloading tools
- Deploy network intrusion detection system (NIDS) signatures for command injection patterns in HTTP traffic
- Enable and centralize web access logs, filtering for requests to cmd_realtime.php with unusual parameters
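The following is an added example, not part of the original advisory, showing how the access-log filter described above can be implemented: it parses combined-format web server log lines, keeps only requests to cmd_realtime.php, URL-decodes the query string and flags the shell metacharacters listed under Indicators of Compromise. The log lines are constructed samples; the log format prefix is assumed to be Apache/nginx combined format.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters listed under Indicators of Compromise: ; | && and backticks.
# A single & is the normal query-string separator, so only a doubled && is flagged.
META_RE = re.compile(r';|\||&&|`')


def is_suspicious_request(target: str) -> bool:
    """True if the request hits cmd_realtime.php with shell metacharacters in its query."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cmd_realtime.php"):
        return False
    # Decode once so %3B, %7C etc. are caught as well as literal characters.
    return META_RE.search(unquote_plus(parts.query)) is not None


def scan_access_log(lines):
    """Return (client, timestamp, target) for every suspicious cmd_realtime.php hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


# Constructed sample lines for demonstration; not taken from any real server.
SAMPLE_LOG = """\
198.51.100.7 - - [14/May/2024:10:00:01 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5123
203.0.113.10 - - [14/May/2024:10:00:02 +0000] "GET /cacti/cmd_realtime.php?1%3Bid HTTP/1.1" 200 58
198.51.100.7 - - [14/May/2024:10:00:03 +0000] "GET /cacti/cmd_realtime.php?poller=1 HTTP/1.1" 200 512
203.0.113.10 - - [14/May/2024:10:00:04 +0000] "GET /cacti/cmd_realtime.php?1%7C%7Cwget%20x HTTP/1.1" 200 58
"""

if __name__ == "__main__":
    for ip, ts, target in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {target}")
```

Feed real access logs through scan_access_log and forward the hits to the SIEM; the benign poller=1 request is not flagged, while the two percent-encoded metacharacter requests are.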
Monitoring Recommendations
- Configure SIEM alerts for command injection patterns in web application logs targeting Cacti endpoints
- Establish baseline behavior for web server process activity and alert on anomalies
- Monitor for unauthorized changes to Cacti configuration files and web application directories
- Implement egress filtering and alert on unexpected outbound connections from Cacti servers
How to Mitigate CVE-2024-29895
Immediate Actions Required
- Disable the register_argc_argv PHP configuration option by setting it to Off in php.ini
- Restrict network access to Cacti installations to trusted IP addresses only
- Implement WAF rules to block malicious requests to cmd_realtime.php
- Review Cacti server logs for evidence of exploitation attempts
- Consider temporarily disabling the cmd_realtime.php functionality if not required
Patch Information
An initial patch was committed (Cacti Commit 53e8014d) to address this vulnerability; however, this fix was subsequently reverted. Organizations should monitor the GitHub Security Advisory for updated patch information and apply fixes as soon as they become available.
Workarounds
- Set register_argc_argv = Off in your PHP configuration (php.ini) and restart the web server
- Use firewall rules to restrict access to Cacti to authorized administrative networks only
- Deploy a reverse proxy or WAF in front of Cacti to filter malicious requests
- Remove or rename cmd_realtime.php if the real-time graphing functionality is not required in your deployment
# Disable register_argc_argv in PHP configuration
echo "register_argc_argv = Off" >> /etc/php/8.1/apache2/php.ini
systemctl restart apache2
# Alternatively, block access to the vulnerable endpoint using Apache
# Add to Cacti VirtualHost configuration:
# <Location "/cmd_realtime.php">
# Require all denied
# </Location>
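As an added check that is not part of the original advisory, the function below audits a php.ini file for the effective value of register_argc_argv: it skips comments and section headers, honours the rule that the last assignment wins, and falls back to PHP's built-in default of On when the directive is absent (which is why a stock PHP Docker image without a php.ini has it enabled). The ini snippets used in the usage block are constructed examples.

```python
import re

# Matches "register_argc_argv = <value>" with optional whitespace, quotes and trailing comment.
DIRECTIVE_RE = re.compile(
    r'^\s*register_argc_argv\s*=\s*"?([^";]*?)"?\s*(?:;.*)?$', re.IGNORECASE
)


def register_argc_argv_effective(ini_text: str) -> bool:
    """Return True if register_argc_argv would be enabled with this php.ini content."""
    value = "1"  # PHP's built-in default: enabled when no php.ini sets the directive
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";") or stripped.startswith("["):
            continue  # blank line, comment, or section header such as [PHP]
        m = DIRECTIVE_RE.match(line)
        if m:
            value = m.group(1).strip()  # later assignments override earlier ones
    # PHP's boolean parsing: on/yes/true are true, otherwise the numeric value decides.
    v = value.lower()
    if v in ("on", "yes", "true"):
        return True
    try:
        return int(v) != 0
    except ValueError:
        return False  # off, no, false, none, empty string


if __name__ == "__main__":
    # Constructed examples: an untouched file, a commented-out hardening line, a proper fix.
    for sample in ("", "[PHP]\n;register_argc_argv = Off\n", "register_argc_argv = Off\n"):
        state = "ENABLED" if register_argc_argv_effective(sample) else "disabled"
        print(f"{sample!r:45} -> {state}")
```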
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.