
[SECURITY] [DLA 3765-1] cacti security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-3765-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
March 18, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : cacti
Version        : 1.2.2+ds1-2+deb10u6
CVE ID         : CVE-2023-39357 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362 
                 CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515 
                 CVE-2023-39516 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086 
                 CVE-2023-49088
Debian Bug     : 1059254

Multiple vulnerabilities were found in Cacti, a network monitoring
system. Depending on the configuration, an attacker could manipulate
the database, execute code remotely, cause a denial of service (DoS)
or impersonate Cacti users.

CVE-2023-39357

    When the column type is numeric, the sql_save function uses user
    input directly. Many files and functions that call sql_save do not
    validate user input beforehand, leading to multiple SQL injection
    vulnerabilities in Cacti. Authenticated users can exploit these
    SQL injections to perform privilege escalation and remote code
    execution.
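
    The following is an added illustration of the pattern described
    above, with hypothetical helper names and a made-up column map; it
    is not Cacti's sql_save() code. The vulnerable builder writes a
    "numeric" column's value into the statement verbatim, while the
    hardened one validates and casts the value and binds it through a
    placeholder for a prepared statement.

```php
<?php
// Added illustration of the sql_save() pattern; hypothetical helper names
// and a made-up column map, not Cacti's own code.
declare(strict_types=1);

// Hypothetical column type map; a real helper would read it from the schema.
const COLUMN_TYPES = ['id' => 'int', 'description' => 'string', 'timeout' => 'int'];

// Vulnerable: a "numeric" column is written into the statement verbatim on the
// assumption that numbers need no quoting, so any string the user supplied
// becomes part of the SQL text.
function build_update_vulnerable(string $table, array $fields, int $id): string
{
    $sets = [];
    foreach ($fields as $col => $val) {
        if (COLUMN_TYPES[$col] === 'int') {
            $sets[] = "$col = $val";
        } else {
            $sets[] = "$col = '" . addslashes((string) $val) . "'";
        }
    }
    return "UPDATE $table SET " . implode(', ', $sets) . " WHERE id = $id";
}

// Hardened: check that the value really is an integer, cast it, and bind it
// through a placeholder; the caller passes the result to a prepared statement.
function build_update_hardened(string $table, array $fields, int $id): array
{
    $sets = [];
    $params = [];
    foreach ($fields as $col => $val) {
        if (!array_key_exists($col, COLUMN_TYPES)) {
            throw new InvalidArgumentException("unknown column: $col");
        }
        if (COLUMN_TYPES[$col] === 'int') {
            if (filter_var($val, FILTER_VALIDATE_INT) === false) {
                throw new InvalidArgumentException("non-integer value for column: $col");
            }
            $params[] = (int) $val;
        } else {
            $params[] = (string) $val;
        }
        $sets[] = "`$col` = ?";
    }
    $params[] = $id;
    return ["UPDATE `$table` SET " . implode(', ', $sets) . " WHERE `id` = ?", $params];
}

// Constructed input: the "timeout" value smuggles its own WHERE clause and a
// comment that neutralises the real one, so the vulnerable query hits every row.
$input = ['timeout' => '5 WHERE 1=1 -- ', 'description' => 'core'];

echo build_update_vulnerable('device', $input, 3), "\n";
try {
    build_update_hardened('device', $input, 3);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
[$sql, $params] = build_update_hardened('device', ['timeout' => '5', 'description' => 'core'], 3);
echo $sql, ' with ', json_encode($params), "\n";
```

    Run it with the PHP CLI. The point is that quoting strings is not
    enough: a column the code believes to be numeric still needs the
    value coerced to an integer (or bound as a parameter) before it
    reaches the query.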

CVE-2023-39360

    Stored Cross-Site-Scripting (XSS) Vulnerability allows an
    authenticated user to poison data. The vulnerability is found in
    `graphs_new.php`. Several validations are performed, but the
    `returnto` parameter is directly passed to `form_save_button`. In
    order to bypass this validation, returnto must contain `host.php`.

CVE-2023-39361

    SQL injection discovered in graph_view.php. Since guest users can
    access graph_view.php without authentication by default, the
    impact could be significant on installations where the guest
    account is enabled. Attackers may exploit this vulnerability, with
    possible consequences such as the usurpation of administrative
    privileges or remote code execution.

CVE-2023-39362

    An authenticated privileged user can place a malicious string in
    the SNMP options of a Device, performing command injection and
    obtaining remote code execution on the underlying server. The
    `lib/snmp.php` file has a set of functions, with similar behaviour,
    that accept variables as input and place them into an `exec` call
    without proper escaping or validation.
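
    As an added illustration of that `exec` pattern (hypothetical
    function names, not the code in Cacti's `lib/snmp.php`), the
    example below builds the command strings only, so it runs without
    snmpget installed. The vulnerable builder interpolates the SNMP
    options into a string that `exec()` hands to `/bin/sh`; the
    hardened one allow-lists the fields with a known shape and wraps
    every argument in `escapeshellarg()`.

```php
<?php
// Added illustration of the exec() pattern; hypothetical function names,
// not the code in Cacti's lib/snmp.php. Only command strings are built.
declare(strict_types=1);

// Vulnerable: device-supplied SNMP options are interpolated into a string that
// exec() hands to /bin/sh, so shell metacharacters in them run as commands.
function snmp_command_vulnerable(string $host, string $community, string $oid): string
{
    return "snmpget -v2c -c $community $host $oid";
}

// Hardened: allow-list the fields that have a known shape and wrap every
// argument in escapeshellarg(), which single-quotes it for the shell.
function snmp_command_hardened(string $host, string $community, string $oid): string
{
    if (!preg_match('/^[A-Za-z0-9.:\-]+$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    if (!preg_match('/^[A-Za-z0-9.\-]+$/', $oid)) {
        throw new InvalidArgumentException('invalid OID');
    }
    // Community strings are free-form, so they are escaped rather than filtered.
    return 'snmpget -v2c -c ' . escapeshellarg($community) . ' '
        . escapeshellarg($host) . ' ' . escapeshellarg($oid);
}

// Constructed input: a community string carrying a second shell command and a
// trailing comment that swallows the rest of the intended command line.
$community = 'public; id > /tmp/pwned #';
$host = '192.0.2.10';
$oid = '1.3.6.1.2.1.1.1.0';

echo snmp_command_vulnerable($host, $community, $oid), "\n";
echo snmp_command_hardened($host, $community, $oid), "\n";
```

    The stronger fix is to avoid the shell altogether: on PHP 7.4 and
    later, `proc_open()` accepts the command as an array of arguments,
    which are passed to the program directly without shell parsing.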

CVE-2023-39364

    Users with console access can be redirected to an arbitrary
    website after a password change performed via a specially crafted
    URL. The `auth_changepassword.php` file accepts `ref` as a URL
    parameter and reflects it in the form used to perform the password
    change. Its value is used to perform a redirect via the `header`
    PHP function. A user can be tricked into performing the password
    change, e.g. via a phishing message, and then interacting with the
    malicious website to which they have been redirected, e.g.
    downloading malware, providing credentials, etc.
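
    As an added example of validating such a post-login redirect
    target (hypothetical function names, not Cacti's
    `auth_changepassword.php`), the code below compares passing `ref`
    straight through with an allow-list that accepts only a relative
    path inside the application and falls back to a fixed page
    otherwise. The test cases are constructed.

```php
<?php
// Added illustration of validating a redirect target; hypothetical function
// names, not Cacti's auth_changepassword.php.
declare(strict_types=1);

// Vulnerable: whatever arrived in ?ref= is handed straight to header('Location: ...').
function redirect_target_vulnerable(array $query): string
{
    return $query['ref'] ?? 'index.php';
}

// Hardened: accept only a relative path inside the application and fall back
// to a fixed page otherwise.
function redirect_target_hardened(array $query, string $default = 'index.php'): string
{
    $ref = (string) ($query['ref'] ?? '');
    $parts = parse_url($ref);
    // A scheme, host or userinfo means the target leaves the site. parse_url()
    // recognises protocol-relative "//host/..." as having a host.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return $default;
    }
    $path = $parts['path'] ?? '';
    // Reject absolute paths, traversal, backslashes (browsers treat "/\host" as
    // "//host") and CR/LF, which would otherwise inject response headers.
    if ($path === '' || $path[0] === '/' || strpos($path, '..') !== false
        || strpbrk($ref, "\\\r\n") !== false) {
        return $default;
    }
    return $ref;
}

// Constructed test cases: one legitimate in-app target, then external,
// protocol-relative, backslash, javascript: and header-injection attempts.
$cases = [
    'graph_view.php?action=tree',
    'https://attacker.example/login',
    '//attacker.example/login',
    '/\\attacker.example',
    'javascript:alert(1)',
    "index.php\r\nSet-Cookie: x=y",
];
foreach ($cases as $ref) {
    printf("%-40s vulnerable=%-36s hardened=%s\n", json_encode($ref),
        redirect_target_vulnerable(['ref' => $ref]),
        redirect_target_hardened(['ref' => $ref]));
}
```

    Only the first case survives the hardened check; everything else
    is replaced by the default page. Validating the parsed target, not
    just checking for a leading "http", is what catches the
    protocol-relative and backslash variants.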

CVE-2023-39365

    Issues with Cacti Regular Expression validation combined with the
    external links feature can lead to limited SQL Injections and
    subsequent data leakage.

CVE-2023-39513

    Stored Cross-Site-Scripting (XSS) Vulnerability which allows an
    authenticated user to poison data stored in Cacti's database. The
    script under `host.php` is used to monitor and manage hosts in the
    Cacti app, hence displays useful information such as data queries
    and verbose logs.

CVE-2023-39515

    Stored Cross-Site-Scripting (XSS) Vulnerability allows an
    authenticated user to poison data stored in Cacti's database.
    These data will be viewed by administrative Cacti accounts and
    execute JavaScript code in the victim's browser at view-time. The
    script under `data_debug.php` displays data source related
    debugging information such as data source paths, polling settings
    and meta-data on the data source.

CVE-2023-39516

    Stored Cross-Site-Scripting (XSS) Vulnerability which allows an
    authenticated user to poison data stored in Cacti's database.
    These data will be viewed by administrative Cacti accounts and
    execute JavaScript code in the victim's browser at view-time. The
    script under `data_sources.php` displays the data source
    management information (e.g. data source path, polling
    configuration etc.) for different data visualizations of the
    Cacti app.

CVE-2023-49084

    By combining an SQL injection with insufficient processing of the
    include file path, it is possible to execute arbitrary code on the
    server. Exploitation of the vulnerability is possible for an
    authorized user. The vulnerable component is `link.php`.

CVE-2023-49085

    An authorized user may be able to execute arbitrary SQL code
    through the `pollers.php` script. The vulnerable component is
    `pollers.php`.

CVE-2023-49086

    Bypass of the earlier fix for CVE-2023-39360, leading to a DOM XSS
    attack. Exploitation of the vulnerability is possible for an
    authorized user. The vulnerable component is `graphs_new.php`.

CVE-2023-49088

    The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete:
    an adversary can still have the victim's browser execute malicious
    code when the victim hovers the mouse over the malicious data
    source path in `data_debug.php`.
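
    An added illustration of the kind of escaping gap that leaves a
    hover-triggered XSS behind (hypothetical function names, not
    Cacti's `data_debug.php`): `htmlspecialchars()` with `ENT_COMPAT`,
    the default before PHP 8.1, leaves single quotes alone, so a value
    rendered inside a single-quoted attribute can close the attribute
    and append an `onmouseover` handler even though `<` and `>` are
    encoded. The sample data source path is constructed.

```php
<?php
// Added illustration of an attribute-context escaping gap; hypothetical
// function names, not Cacti's data_debug.php.
declare(strict_types=1);

// Incomplete: htmlspecialchars() with ENT_COMPAT (the default before PHP 8.1)
// encodes <, >, & and double quotes but leaves single quotes alone, so a value
// placed in a single-quoted attribute can close it and add an event handler.
function render_path_incomplete(string $path): string
{
    $escaped = htmlspecialchars($path, ENT_COMPAT, 'UTF-8');
    return "<span title='$escaped'>$escaped</span>";
}

// Hardened: encode both quote characters and use double-quoted attributes, so
// the value cannot break out of the attribute in either context.
function render_path_hardened(string $path): string
{
    $escaped = htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<span title="' . $escaped . '">' . $escaped . '</span>';
}

// Constructed data source path as an attacker could store it: no angle
// brackets at all, just a quote to close the attribute and a new attribute.
$path = "/var/lib/rra/x.rrd' onmouseover='alert(document.cookie)";

echo render_path_incomplete($path), "\n";
echo render_path_hardened($path), "\n";
```

    The first line of output carries a live `onmouseover` attribute;
    the second keeps the whole value inside the `title` attribute. The
    lesson for reviewing an XSS fix is to check every output context
    the data reaches, not only the text between tags.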

For Debian 10 buster, these problems have been fixed in version
1.2.2+ds1-2+deb10u6.

We recommend that you upgrade your cacti packages.

For the detailed security status of cacti please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cacti

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS