Red Hat Bugzilla – Bug 1082122
CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 cacti: multiple flaws reported by Deutsche Telekom
Last modified: 2016-06-10 16:24:11 EDT
A posting to bugtraq from Deutsche Telekom  noted multiple flaws in Cacti 0.8.7g:
CVE-2014-2326: stored XSS
"The Cacti application is susceptible to stored XSS attacks. This is mainly the result of improper output encoding."
CVE-2014-2327: missing CSRF token
"The Cacti application does not implement any CSRF tokens. More about CSRF attacks, risks and mitigations see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack has a vast impact on the security of the Cacti application, as multiple configuration parameters can be changed using a CSRF attack. One very critical attack vector is the modification of several binary files in the Cacti configuration, which may then be executed on the server. This results in full compromise of the Cacti host by just clicking a web link. A proof of concept exploit has been developed, which allows this attack, resulting in full (system level) access of the Cacti system. Further attack scenarios include the modification of the Cacti configuration and adding arbitrary (admin) users to the application."
CVE-2014-2328: use of exec-like function calls without safety checks allow arbitrary command execution
"Cacti makes use of exec-like method PHP function calls, which execute command shell code without any safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of the Cacti user. Also, for more elaborate attacks, this can be combined with a XSS attack. Such an attack will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin."
Unfortunately, they provided no further information, so it's impossible to know whether or not Cacti 0.8.8b, which is the version currently shipped in Fedora and EPEL, is affected by these flaws as there is no way to validate or test based on the above descriptions. Hopefully they provided further information to upstream, but as of yet there are no available patches upstream.
As a result I'm not filing any Fedora/EPEL trackers until we actually know what the flaws are. More worrisome is that they found these flaws in 0.8.7g but that version is about 3 years old...
Jeroen Roovers pointed out the following fixes in the Gentoo bug (https://bugs.gentoo.org/show_bug.cgi?id=506356):
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
It looks like 0.8.8b in Fedora and EPEL are affected.
Created cacti tracking bugs for this issue:
Affects: fedora-all [bug 1082935]
Affects: epel-all [bug 1082936]
I've built cacti-0.8.8b-5 which contains upstream's patches from SVN to resolve CVE-2014-2326 and CVE-2014-2328.
On Friday Tony Roman <firstname.lastname@example.org> wrote at
"As for CVE-2014-2327 Cross Site Request Forgery Vulnerability, I'm still
working on a solution. I have some limited time this weekend to work on
this fix. But I will be on the west coast for business this next week
and will have time at night to work on this fix."
Since this is up in the air, I'm just going to push what we have in cacti-0.8.8b-5.
cacti-0.8.8b-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.8b-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.8b-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.8b-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.8b-5 is now in the stable repos. CVE-2014-2326 and CVE-2014-2328 are resolved.
There is still no fix available for CVE-2014-2327.
(In reply to Ken Dreyer from comment #8)
> There is still no fix available for CVE-2014-2327.
Latest version 0.8.8c seems to have fixed this issue.
Could you please push an update?