Bug 595289 - CVE-2010-1644 CVE-2010-1645 CVE-2010-2092 Cacti v0.8.7f - three security fixes
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
URL: http://www.cacti.net/release_notes_0_...
Whiteboard: impact=important,source=debian,report...
Keywords: Security
Depends On: CVE-2010-2092/MOPS-2010-023 CVE-2010-1644 595304 BONSAI-2010-0105/CVE-2010-1645
 
Reported: 2010-05-24 06:00 EDT by Jan Lieskovsky
Modified: 2013-01-13 07:42 EST

Doc Type: Bug Fix
Last Closed: 2010-06-29 09:21:57 EDT


Attachments: None
Description Jan Lieskovsky 2010-05-24 06:00:38 EDT
Cacti upstream has released:
  [1] http://www.cacti.net/release_notes_0_8_7f.php

latest v0.8.7 version, addressing three security flaws:
  [A], MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability
         [2] http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html
         [3] http://www.vupen.com/english/advisories/2010/1204

       Credit: The vulnerability was discovered by Stefan Esser as part
               of the SQL Injection Marathon.
       Upstream changeset:
         [4] http://svn.cacti.net/viewvc?view=rev&revision=5920

  [B], Cross-site scripting issues reported by VUPEN Security 
       (http://www.vupen.com)
         [5] http://www.vupen.com/english/advisories/2010/1203

       Credit: Vulnerabilities reported by Mohammed Boumediane
               (VUPEN Security).
       Upstream changeset:
         [6] http://svn.cacti.net/viewvc?view=rev&revision=5901

  [C], SQL injection and shell escaping issues reported by Bonsai
       Information Security (http://www.bonsai-sec.com)
       [7] http://www.bonsai-sec.com/blog/index.php/using-grep-to-find-0days/
       [8] http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php

     Credit: This vulnerability was discovered by Nahuel Grisolia
             ( nahuel -at- bonsai-sec.com )
     Upstream changeset:
       [9] http://svn.cacti.net/viewvc?view=rev&revision=5747
             
If a logged-in Cacti user was tricked into visiting a specially crafted web page, it could lead to:
i,   unauthorized arbitrary database data disclosure (vulnerability [A],
     from [2]),
ii,  unauthorized arbitrary scripting code execution (vulnerability [B],
     from [5]),
iii, execution of unintended commands or accessing unauthorized data
     (vulnerability [C], from [8]).

CVE Request:
  [10] http://www.openwall.com/lists/oss-security/2010/05/24/1
Comment 1 Jan Lieskovsky 2010-05-24 06:04:10 EDT
Vulnerabilities [A] and [B] affect the current versions of the cacti
package, as shipped with Fedora releases 11 and 12 (flaw [C] is
already fixed).

Vulnerabilities [A] and [B] affect the current versions of the cacti
package, as shipped within the EPEL-4 and EPEL-5 repositories (flaw [C]
is already fixed).

Please fix / rebase.
Comment 3 Fedora Update System 2010-05-24 12:37:22 EDT
cacti-0.8.7f-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/cacti-0.8.7f-1.el5
Comment 4 Fedora Update System 2010-05-24 12:37:27 EDT
cacti-0.8.7f-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/cacti-0.8.7f-1.el4
Comment 5 Fedora Update System 2010-05-24 12:37:31 EDT
cacti-0.8.7f-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cacti-0.8.7f-1.fc11
Comment 6 Fedora Update System 2010-05-24 12:37:35 EDT
cacti-0.8.7f-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/cacti-0.8.7f-1.fc12
Comment 7 Fedora Update System 2010-05-24 12:37:40 EDT
cacti-0.8.7f-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/cacti-0.8.7f-1.fc13
Comment 8 Tomas Hoger 2010-05-25 06:44:35 EDT
(In reply to comment #0)

>   [C], SQL injection and shell escaping issues reported by Bonsai
>        Information Security (http://www.bonsai-sec.com)

...

>      Upstream changeset:
>        [9] http://svn.cacti.net/viewvc?view=rev&revision=5747

That only seems to be a fix for the SQL injection issue that is already known as BONSAI-2010-0104 / CVE-2010-1431 (see bug #585401):

http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php


While BONSAI-2010-0105 is about shell command injection:

http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php

and is more likely related to the following commits:

http://svn.cacti.net/viewvc?view=rev&revision=5778
http://svn.cacti.net/viewvc?view=rev&revision=5782
http://svn.cacti.net/viewvc?view=rev&revision=5784
Comment 9 Fedora Update System 2010-05-25 14:36:46 EDT
cacti-0.8.7f-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-05-25 14:39:39 EDT
cacti-0.8.7f-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2010-05-25 14:43:16 EDT
cacti-0.8.7f-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-05-25 20:01:31 EDT
cacti-0.8.7f-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2010-05-25 20:02:03 EDT
cacti-0.8.7f-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Jan Lieskovsky 2010-06-01 04:02:07 EDT
Issue [A] is CVE-2010-2092:
============================
  SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier
allows remote attackers to execute arbitrary SQL commands via the
rra_id parameter in a GET request in conjunction with a valid rra_id
value in a POST request or a cookie, which bypasses the validation
routine.

  References:
    [1] http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html
    [2] http://www.cacti.net/changelog.php

Issue [B] is CVE-2010-1644.
===========================

Issue [C] (shell command injection) is CVE-2010-1645:
=====================================================
  References:
    [3]  http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php

  Proper patches:
    [4] http://svn.cacti.net/viewvc?view=rev&revision=5778
    [5] http://svn.cacti.net/viewvc?view=rev&revision=5782
    [6] http://svn.cacti.net/viewvc?view=rev&revision=5784

The SQL injection issue of [C] is BONSAI-2010-0104 / CVE-2010-1431
(see bug #585401).
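The bypass described for CVE-2010-2092 comes from validating one copy of rra_id and using another: PHP's $_REQUEST merges GET, POST and COOKIE, so a harmless value in POST or a cookie can satisfy the check while the payload travels in the query string. The following is an added example, not Cacti's code and written in Python rather than Cacti's PHP; it models that merge against a constructed in-memory sqlite table and contrasts the bug pattern with a lookup that validates exactly the value it uses and binds it as a parameter. The table layout, the validator and the helper names are assumptions for illustration.

```python
"""Model of the CVE-2010-2092 validation bypass in Cacti's graph.php.

Added example, not Cacti's code, and in Python rather than Cacti's PHP.
PHP's $_REQUEST merges GET, POST and COOKIE; with the default GPC order a
POST value overrides a GET value and a COOKIE value overrides both.  A
validator that checks $_REQUEST['rra_id'] while the query uses $_GET['rra_id']
is satisfied by a harmless value in POST or a cookie while the payload
travels in the query string.  The table and helper names are assumptions.
"""
import re
import sqlite3


def merged_request(get, post, cookie):
    """Model of PHP's $_REQUEST under the default GPC order: later sources win."""
    merged = {}
    merged.update(get)
    merged.update(post)
    merged.update(cookie)
    return merged


def validate_number(value):
    """Model of a digits-only input validator (assumption)."""
    return re.fullmatch(r"[0-9]+", value) is not None


def build_db():
    """Constructed in-memory table standing in for Cacti's rra table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rra (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO rra VALUES (?, ?)",
                     [(1, "daily"), (2, "weekly"), (3, "restricted")])
    return conn


def vulnerable_lookup(conn, get, post, cookie):
    """Bug pattern: validate $_REQUEST['rra_id'], then interpolate $_GET['rra_id']."""
    request = merged_request(get, post, cookie)
    if not validate_number(request.get("rra_id", "")):
        raise ValueError("invalid rra_id")
    # The validated copy and the used copy are different variables.
    sql = "SELECT name FROM rra WHERE id=" + get.get("rra_id", "")
    return sorted(row[0] for row in conn.execute(sql))


def fixed_lookup(conn, get, post, cookie):
    """Fix: validate exactly the value that is used, and bind it as a parameter."""
    rra_id = get.get("rra_id", "")
    if not validate_number(rra_id):
        raise ValueError("invalid rra_id")
    rows = conn.execute("SELECT name FROM rra WHERE id=?", (int(rra_id),))
    return sorted(row[0] for row in rows)


def is_rejected(lookup, conn, get, post, cookie):
    """True when the given lookup refuses the request."""
    try:
        lookup(conn, get, post, cookie)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # Payload only in GET: the shared validator still catches it.
    print(is_rejected(vulnerable_lookup, db, {"rra_id": "0 OR 1=1"}, {}, {}))
    # Payload in GET, a valid id in a cookie: validation passes, every row leaks.
    print(vulnerable_lookup(db, {"rra_id": "0 OR 1=1"}, {}, {"rra_id": "1"}))
    # Same request against the fixed path is refused.
    print(is_rejected(fixed_lookup, db, {"rra_id": "0 OR 1=1"}, {}, {"rra_id": "1"}))
```

The parameter binding in fixed_lookup would stop the injection on its own; the point of the validator change is that a check on a value other than the one consumed is no check at all, whichever request array each comes from.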
Comment 15 Jan Lieskovsky 2010-06-01 04:30:41 EDT
Cacti upstream warning about regressions in Cacti v0.8.7f, and information
about the public availability of a new version, Cacti v0.8.7g, which should
address / overcome them (to be available on June 7th, 2010):

  [1] http://forums.cacti.net/viewtopic.php?t=37845
Comment 16 Jan Lieskovsky 2010-06-01 04:38:55 EDT
More issue details and public PoCs for the CVE-2010-1645 OS command injection
issue (from BONSAI-2010-0105):

8.1 OS Command Injection

CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Cacti is prone to a remote command execution vulnerability because the software fails to adequately sanitize user-supplied input. Successful attacks can compromise the affected software and possibly the operating system running Cacti.

The vulnerability can be triggered by any user doing:

1) Edit or Create a Device with FQDN ‘NotARealIPAddress;CMD;’ (without single quotes) and Save it. Edit the Device again and reload any data query already created. CMD will be executed with Web Server rights.

2) Edit or Create a Graph Template and use as Vertical Label ‘BonsaiSecLabel";CMD; "’ (without single quotes) and Save it. Go to Graph Management section and Select it. CMD will be executed with Web Server rights. Note that other properties of a Graph Template might also be affected.
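Both PoC steps above work because a device or graph-template field is spliced into a command string that a shell then parses, so a ';' in the field ends one command and starts another. The following is an added example, not code from Cacti or from the Bonsai advisory, and in Python rather than Cacti's PHP: 'echo' stands in for the external tool (snmpget, rrdtool) and 'echo INJECTED' stands in for CMD, so the demonstration is harmless. It runs the vulnerable concatenation through /bin/sh, then shows the two fixes a practitioner would apply: an argv-style invocation that never involves a shell, and, where a shell string is unavoidable, per-argument quoting (shlex.quote here, escapeshellarg in PHP), with an allowlist host check as defence in depth. The command lines, the validator and the function names are assumptions.

```python
"""Model of the command-injection pattern in BONSAI-2010-0105 / CVE-2010-1645.

Added example, not Cacti's code, and in Python rather than Cacti's PHP.
'echo' stands in for snmpget/rrdtool and 'echo INJECTED' stands in for the
advisory's CMD, so nothing harmful runs.  Command lines, validator and
function names are assumptions for illustration.
"""
import ipaddress
import re
import shlex
import subprocess

# Constructed inputs modelled on the advisory's PoC strings.
POC_FQDN = "NotARealIPAddress;echo INJECTED;"
POC_LABEL = 'BonsaiSecLabel";echo INJECTED; "'
GOOD_FQDN = "switch-01.example.net"

HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def run_shell_string(cmdline):
    """Run a command line through /bin/sh, as a PHP exec()/popen() on a
    concatenated string does.  Returns stdout as a list of lines."""
    done = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def vulnerable_snmp(fqdn):
    """Bug pattern 1: the device FQDN is spliced straight into the command."""
    return run_shell_string("echo snmpget -v1 -c public " + fqdn)


def vulnerable_graph(label):
    """Bug pattern 2: the template's vertical label is spliced into a
    double-quoted argument; a '"' in the field closes the quote early."""
    return run_shell_string('echo rrdtool graph --vertical-label "' + label + '"')


def is_valid_host(value):
    """Allowlist check for a device address: an IP literal or an RFC 1123
    hostname.  Defence in depth only; argv/quoting is what closes the bug."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(HOSTNAME_LABEL.match(part) for part in value.rstrip(".").split("."))


def hardened_snmp(fqdn):
    """Fix: reject bad hosts, then pass argv directly so no shell parses the
    field and ';' is just a character in one argument."""
    if not is_valid_host(fqdn):
        raise ValueError("rejected host: %r" % fqdn)
    done = subprocess.run(["echo", "snmpget", "-v1", "-c", "public", fqdn],
                          capture_output=True, text=True)
    return done.stdout.splitlines()


def quoted_snmp_cmdline(fqdn):
    """Where a shell string is unavoidable, quote each field.  shlex.quote
    plays the role escapeshellarg() plays in PHP."""
    return "echo snmpget -v1 -c public " + shlex.quote(fqdn)


def hardened_rejects(fqdn):
    """True when hardened_snmp refuses the value before running anything."""
    try:
        hardened_snmp(fqdn)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_snmp(POC_FQDN))            # second line is INJECTED
    print(vulnerable_graph(POC_LABEL))          # second line is INJECTED
    print(hardened_rejects(POC_FQDN))           # True
    print(run_shell_string(quoted_snmp_cmdline(POC_FQDN)))  # one literal line
```

The graph-template case also leaves a stray empty command ('""') after the injected one, which the shell reports on stderr; that noise is exactly why the advisory notes the label PoC ends with a quote. The argv form is the preferred fix because it needs no knowledge of the shell's quoting rules; the quoting form is the fallback for code paths that genuinely need a shell.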
Comment 17 Tomas Hoger 2010-06-29 07:20:13 EDT
Removing aliases, this needs to be split.
Comment 18 Tomas Hoger 2010-06-29 09:21:57 EDT
Closing this, each issue has separate bug now (see dependency tree).
