Authenticated command injection in SNMP options of a Device

An authenticated privileged user can exploit this vulnerability by providing a malicious string in the SNMP community string field when configuring a device. This string is then used in an `exec` call without sufficient sanitization, leading to command injection and potential remote code execution on the server. The vulnerability is triggered when the SNMP module for PHP is not installed, forcing Cacti to use binary execution methods [ref_id=1].

The vulnerability resides in the `lib/snmp.php` file, specifically within functions like `cacti_snmp_get`, `cacti_snmp_get_raw`, and `cacti_snmp_walk`. These functions construct commands for execution using the `exec` function, incorporating user-supplied SNMP options without adequate validation or escaping [ref_id=1].

The patch addresses the vulnerability by ensuring that the SNMP community string is properly escaped before being passed to the `exec` function. This prevents malicious input from being interpreted as shell commands, thereby closing the command injection vector. Users are advised to upgrade to version 1.2.25 to benefit from this fix [ref_id=1].

- Go to "Console" > "Create" > "New Device". - Create a Device that supports SNMP version 1 or 2. - Ensure that the Device has Graphs with one or more templates of: - "Net-SNMP - Combined SCSI Disk Bytes" - "Net-SNMP - Combined SCSI Disk I/O" - In the "SNMP Options", for the "SNMP Community String" field, use a value like: `public\' ; touch /tmp/m3ssap0 ; \'`. - Click the "Create" button. - Check under `/tmp` the presence of the created file `/tmp/m3ssap0` [ref_id=1].