Bug 1082122 (CVE-2014-2326, CVE-2014-2327, CVE-2014-2328)

Summary: CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 cacti: multiple flaws reported by Deutsche Telekom
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, gwync, ktdreyer, pj.pandit
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-10 20:24:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1082935, 1082936    
Bug Blocks:    

Description Vincent Danen 2014-03-28 17:35:53 UTC 
A posting to bugtraq from Deutsche Telekom [1] noted multiple flaws in Cacti 0.8.7g:

CVE-2014-2326: stored XSS
"The Cacti application is susceptible to stored XSS attacks. This is mainly the result of improper output encoding."

CVE-2014-2327: missing CSRF token
"The Cacti application does not implement any CSRF tokens. More about CSRF attacks, risks and mitigations see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack has a vast impact on the security of the Cacti application, as multiple configuration parameters can be changed using a CSRF attack. One very critical attack vector is the modification of several binary files in the Cacti configuration, which may then be executed on the server. This results in full compromise of the Cacti host by just clicking a web link. A proof of concept exploit has been developed, which allows this attack, resulting in full (system level) access of the Cacti system. Further attack scenarios include the modification of the Cacti configuration and adding arbitrary (admin) users to the application."

CVE-2014-2328: use of exec-like function calls without safety checks allow arbitrary command execution
"Cacti makes use of exec-like method PHP function calls, which execute command shell code without any safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of the Cacti user. Also, for more elaborate attacks, this can be combined with a XSS attack. Such an attack will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin."


Unfortunately, they provided no further information, so it's impossible to know whether or not Cacti 0.8.8b, which is the version currently shipped in Fedora and EPEL, is affected by these flaws as there is no way to validate or test based on the above descriptions.  Hopefully they provided further information to upstream, but as of yet there are no available patches upstream.

As a result I'm not filing any Fedora/EPEL trackers until we actually know what the flaws are.  More worrisome is that they found these flaws in 0.8.7g but that version is about 3 years old...

[1] http://www.securityfocus.com/archive/1/531588
Comment 1 Murray McAllister 2014-04-01 06:59:09 UTC 
Jeroen Roovers pointed out the following fixes in the Gentoo bug (https://bugs.gentoo.org/show_bug.cgi?id=506356):

CVE-2014-2326 Unspecified HTML Injection Vulnerability 
http://svn.cacti.net/viewvc?view=rev&revision=7443

CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
http://svn.cacti.net/viewvc?view=rev&revision=7442

It looks like 0.8.8b in Fedora and EPEL are affected.
Comment 2 Murray McAllister 2014-04-01 07:01:13 UTC 
Created cacti tracking bugs for this issue:

Affects: fedora-all [bug 1082935]
Affects: epel-all [bug 1082936]
Comment 3 Ken Dreyer 2014-04-08 00:18:39 UTC 
I've built cacti-0.8.8b-5 which contains upstream's patches from SVN to resolve CVE-2014-2326 and CVE-2014-2328.

On Friday Tony Roman <troman> wrote at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768:

  "As for CVE-2014-2327 Cross Site Request Forgery Vulnerability, I'm still
  working on a solution.  I have some limited time this weekend to work on
  this fix.  But I will be on the west coast for business this next week
  and will have time at night to work on this fix."

Since this is up in the air, I'm just going to push what we have in cacti-0.8.8b-5.
Comment 4 Fedora Update System 2014-04-17 06:00:27 UTC 
cacti-0.8.8b-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-04-17 06:03:27 UTC 
cacti-0.8.8b-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-05-08 22:00:54 UTC 
cacti-0.8.8b-5.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-05-08 22:03:20 UTC 
cacti-0.8.8b-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Ken Dreyer 2014-05-08 22:29:28 UTC 
cacti-0.8.8b-5 is now in the stable repos. CVE-2014-2326 and CVE-2014-2328 are resolved.

There is still no fix available for CVE-2014-2327.
Comment 9 pjp 2014-12-10 03:39:57 UTC 
  Hello Ken,

(In reply to Ken Dreyer from comment #8)
> There is still no fix available for CVE-2014-2327.

Latest version 0.8.8c seems to have fixed this issue.

  -> http://cacti.net/changelog.php

Could you please push an update?