[SECURITY] [DLA 3765-1] cacti security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3765-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
March 18, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : cacti
Version : 1.2.2+ds1-2+deb10u6
CVE ID : CVE-2023-39357 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362
CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515
CVE-2023-39516 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086
CVE-2023-49088
Debian Bug : 1059254
Multiple vulnerabilities were found in Cacti, a network monitoring
system. An attacker could manipulate the database, execute code
remotely, launch DoS (denial-of-service) attacks or impersonate Cacti
users, in some situations.
CVE-2023-39357
When the column type is numeric, the sql_save function directly
utilizes user input. Many files and functions calling the sql_save
function do not perform prior validation of user input, leading to
the existence of multiple SQL injection vulnerabilities in
Cacti. This allows authenticated users to exploit these SQL
injection vulnerabilities to perform privilege escalation and
remote code execution.
CVE-2023-39360
Stored Cross-Site-Scripting (XSS) Vulnerability allows an
authenticated user to poison data. The vulnerability is found in
`graphs_new.php`. Several validations are performed, but the
`returnto` parameter is directly passed to `form_save_button`. In
order to bypass this validation, returnto must contain `host.php`.
CVE-2023-39361
SQL injection discovered in graph_view.php. Since guest users can
access graph_view.php without authentication by default, if guest
users are being utilized in an enabled state, there could be the
potential for significant damage. Attackers may exploit this
vulnerability, and there may be povssibilities for actions such as
the usurpation of administrative privileges or remote code
execution.
CVE-2023-39362
An authenticated privileged user, can use a malicious string in
the SNMP options of a Device, performing command injection and
obtaining remote code execution on the underlying server. The
`lib/snmp.php` file has a set of functions, with similar behavior,
that accept in input some variables and place them into an `exec`
call without a proper escape or validation.
CVE-2023-39364
Users with console access can be redirected to an arbitrary
website after a change password performed via a specifically
crafted URL. The `auth_changepassword.php` file accepts `ref` as a
URL parameter and reflects it in the form used to perform the
change password. It's value is used to perform a redirect via
`header` PHP function. A user can be tricked in performing the
change password operation, e.g., via a phishing message, and then
interacting with the malicious website where the redirection has
been performed, e.g., downloading malwares, providing credentials,
etc.
CVE-2023-39365
Issues with Cacti Regular Expression validation combined with the
external links feature can lead to limited SQL Injections and
subsequent data leakage.
CVE-2023-39513
Stored Cross-Site-Scripting (XSS) Vulnerability which allows an
authenticated user to poison data stored in the _cacti_'s
database. The script under `host.php` is used to monitor and
manage hosts in the _cacti_ app, hence displays useful information
such as data queries and verbose logs.
CVE-2023-39515
Stored Cross-Site-Scripting (XSS) Vulnerability allows an
authenticated user to poison data stored in the cacti's
database. These data will be viewed by administrative cacti
accounts and execute JavaScript code in the victim's browser at
view-time. The script under `data_debug.php` displays data source
related debugging information such as _data source paths, polling
settings, meta-data on the data source.
CVE-2023-39516
Stored Cross-Site-Scripting (XSS) Vulnerability which allows an
authenticated user to poison data stored in the _cacti_'s
database. These data will be viewed by administrative _cacti_
accounts and execute JavaScript code in the victim's browser at
view-time. The script under `data_sources.php` displays the data
source management information (e.g. data source path, polling
configuration etc.) for different data visualizations of the
_cacti_ app.
CVE-2023-49084
While using the detected SQL Injection and insufficient processing
of the include file path, it is possible to execute arbitrary code
on the server. Exploitation of the vulnerability is possible for
an authorized user. The vulnerable component is the `link.php`.
CVE-2023-49085
It is possible to execute arbitrary SQL code through the
`pollers.php` script. An authorized user may be able to execute
arbitrary SQL code. The vulnerable component is the `pollers.php`.
CVE-2023-49086
Bypassing an earlier fix (CVE-2023-39360) that leads to a DOM XSS
attack. Exploitation of the vulnerability is possible for an
authorized user. The vulnerable component is the `graphs_new.php`.
CVE-2023-49088
The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete
as it enables an adversary to have a victim browser execute
malicious code when a victim user hovers their mouse over the
malicious data source path in `data_debug.php`.
For Debian 10 buster, these problems have been fixed in version
1.2.2+ds1-2+deb10u6.
We recommend that you upgrade your cacti packages.
For the detailed security status of cacti please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cacti
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmX4gD8ACgkQDTl9HeUl
XjBYcxAAmAYZrVh2A/WqKiYrOmjuBfrzZYoTsvHQ5vkFopsGmYxOX6UtiH2O0uCk
ECaq6eBEwUwkLz1DB8JP0CRoVGsRcs7aN9x0JUno+55/WfJ6BnxsBp7/0x/18IRx
FxbIrD4ndx2HhiU1KDzmsFNYo1usvY2AuoBU7HrWxmKculgb9Y1al4/K9PU2TKLY
D/J0jf1EAYQC8ieEd0bB4RocIbKUfgS/9Mzv+9zBZ0snpmnv+l1YmWTUbcI0lGsu
F8lw8Ap4AqE0SaPyj3PgkOAXAslcjQGTj2ZNbdL/8O38rJvyrA4KSnsvPOa2aJDH
3MHdYb6PyaCzuL7Yrp5hhAfQ41GDV1OomRAm7b9VZlDAu7nk2VGLG8hnCbVfZtay
+H7pPoONw3JMGL56ePNf1URjJgT3vwvseIL772BLnRVUpLM1NW+O0fTbxWf/uKbq
y51602YnA6jUByCqVrh1xRrx+gYR6QcS1ygcEkkA5qEFo/U2YorZn5JlSpZBPVM9
4fyPS2SKv/c+Dzq1Y+6dsihg55mVyB4cErn7HXPXhsExvkXE0fPXXlj86qvMX1Hd
xsAg5oCvBrIvPgYE7SGOKYfyhxihbkyWMLisXZBRWeW68CgQnOgV3GxpCl9IJIP4
CbhlOcW/+kXPU2aTEcVKf+8Wx/13ZG2C1kBjiQVdgtWxmRXXTIY=
=3CrP
-----END PGP SIGNATURE-----
Reply to: