Bug 20211 - cacti new security issues CVE-2014-4000 and CVE-2016-2313
Summary: cacti new security issues CVE-2014-4000 and CVE-2016-2313
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: advisory, feedback, has_procedure
Depends on: 21242 21565
Blocks:
Reported: 2017-01-30 11:21 CET by David Walser
Modified: 2017-12-29 17:07 CET

See Also:
Source RPM: cacti-0.8.8h-1.mga6.src.rpm
CVE:
Status comment: CVE-2014-4000 CVE-2016-2313


Attachments
patch (705 bytes, patch)
2017-12-01 20:08 CET, PC LX

Description David Walser 2017-01-30 11:21:39 CET
Cacti 1.0.0 has been released on January 29, fixing some security issues:
http://www.cacti.net/release_notes_1_0_0.php

Besides the two CVEs, there's also an "OS Command Injection" bug fixed at least.

Mageia 5 is also affected.
David Walser 2017-01-30 11:21:49 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-01-30 12:10:09 CET
Assigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => luis.daniel.lucio

Comment 2 David Walser 2017-03-08 02:39:22 CET
Fedora has issued an advisory for this today (March 7), upgrading to 1.0.4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXQSKIWLOIC43UIJWWXDT2AZYFZQW4GY/
Nicolas Lécureuil 2017-04-24 21:54:47 CEST

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
Status comment: (none) => CVE-2014-4000 CVE-2016-2313

Comment 3 David Walser 2017-07-26 12:37:52 CEST
1.1.14 fixes an XSS issue as well:
https://www.cacti.net/release_notes.php?version=1.1.14
David Walser 2017-08-11 00:37:11 CEST

Depends on: (none) => 21242

Comment 4 David Walser 2017-08-11 00:55:35 CEST
Procedure in bug 13930.  Advisory for upcoming update below.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

PHP Object Injection Vulnerabilities (CVE-2014-4000).

Accessing cacti using a user name not in the cacti database fills the log with
database error messages and allows complete access to everything, including the
user administration pages. The bug is in auth_login.php, which fails to check
whether the query actually found any data (CVE-2016-2313).

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows
remote anonymous users to inject arbitrary web script or HTML via the id
parameter, related to the die_html_input_error function in
lib/html_validate.php (CVE-2017-10970).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti
1.1.12 allows remote authenticated users to inject arbitrary web script or HTML
via specially crafted HTTP Referer headers, related to the $cancel_url
variable (CVE-2017-11163).

A Cross-site scripting vulnerability exists in cacti before 1.1.14 in the user
profile management page (auth_profile.php), allowing injection of arbitrary web
script or HTML via specially crafted HTTP Referer headers (CVE-2017-11691).

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute
arbitrary code via the avgnan, outlier-start, or outlier-end parameter
(CVE-2017-12065).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti
before 1.1.16 allows remote authenticated users to inject arbitrary web script
or HTML via specially crafted HTTP Referer headers, related to the $cancel_url
variable (CVE-2017-12066).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066
https://github.com/Cacti/cacti/blob/develop/README.md
https://www.cacti.net/changelog.php
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/
http://openwall.com/lists/oss-security/2017/07/27/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXQSKIWLOIC43UIJWWXDT2AZYFZQW4GY/
========================

Updated packages in core/updates_testing:
========================
cacti-1.1.16-1.mga5

from cacti-1.1.16-1.mga5.src.rpm

Whiteboard: (none) => has_procedure

Comment 5 David Walser 2017-08-11 01:00:50 CEST
Advisory, procedure, and package list in Comment 4.

Assignee: luis.daniel.lucio => qa-bugs

David Walser 2017-08-18 23:59:33 CEST

Depends on: (none) => 21565

Comment 6 David Walser 2017-08-19 19:23:29 CEST
Package rebuilt with a fix for CVE-2017-12927.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

PHP Object Injection Vulnerabilities (CVE-2014-4000).

Accessing cacti using a user name not in the cacti database fills the log with
database error messages and allows complete access to everything, including the
user administration pages. The bug is in auth_login.php, which fails to check
whether the query actually found any data (CVE-2016-2313).

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows
remote anonymous users to inject arbitrary web script or HTML via the id
parameter, related to the die_html_input_error function in
lib/html_validate.php (CVE-2017-10970).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti
1.1.12 allows remote authenticated users to inject arbitrary web script or HTML
via specially crafted HTTP Referer headers, related to the $cancel_url
variable (CVE-2017-11163).

A Cross-site scripting vulnerability exists in cacti before 1.1.14 in the user
profile management page (auth_profile.php), allowing injection of arbitrary web
script or HTML via specially crafted HTTP Referer headers (CVE-2017-11691).

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute
arbitrary code via the avgnan, outlier-start, or outlier-end parameter
(CVE-2017-12065).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti
before 1.1.16 allows remote authenticated users to inject arbitrary web script
or HTML via specially crafted HTTP Referer headers, related to the $cancel_url
variable (CVE-2017-12066).

Cross-site scripting vulnerability in cacti in spikekill.php via the method
parameter (CVE-2017-12927).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12927
https://github.com/Cacti/cacti/blob/develop/README.md
https://www.cacti.net/changelog.php
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/
http://openwall.com/lists/oss-security/2017/07/27/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXQSKIWLOIC43UIJWWXDT2AZYFZQW4GY/
http://openwall.com/lists/oss-security/2017/08/18/8
========================

Updated packages in core/updates_testing:
========================
cacti-1.1.16-1.1.mga5

from cacti-1.1.16-1.1.mga5.src.rpm
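
As an added illustration of the defect class the advisory in Comments 4 and 6 describes for CVE-2016-2313 (this is constructed example code, not Cacti's auth_login.php): a login lookup whose result is used without first checking that the query returned a row, beside the checked form. The table and column names are assumptions; it runs stand-alone on PHP with the PDO SQLite driver.

```php
<?php
// Constructed example (not Cacti's code): the "missing existence check"
// pattern behind CVE-2016-2313. In-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_auth (id INTEGER PRIMARY KEY, username TEXT, enabled TEXT)');
$db->exec("INSERT INTO user_auth VALUES (1, 'admin', 'on')");   // constructed row

// Shared lookup: PDOStatement::fetch() returns false when no row matched.
function lookup_user(PDO $db, string $username)
{
    $stmt = $db->prepare('SELECT id, username, enabled FROM user_auth WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Vulnerable flow: the result is never tested, so an unknown username still
// produces a "logged in" session built from an empty record (user_id null),
// and every later query made with that record fails and lands in the log.
function login_unchecked(PDO $db, string $username): array
{
    $user = lookup_user($db, $username);
    return ['logged_in' => true, 'user_id' => $user['id'] ?? null];
}

// Hardened flow: "no row" is treated exactly like any other failed login,
// and the request stops here instead of continuing with a half-built session.
function login_checked(PDO $db, string $username): array
{
    $user = lookup_user($db, $username);
    if ($user === false || $user['enabled'] !== 'on') {
        error_log("authentication failed for unknown or disabled user: $username");
        return ['logged_in' => false, 'user_id' => null];
    }
    return ['logged_in' => true, 'user_id' => (int) $user['id']];
}

// Compare both flows for a real user and for a name that is not in the table.
foreach (['admin', 'nosuchuser'] as $name) {
    printf("%-11s unchecked=%s checked=%s\n", $name,
        json_encode(login_unchecked($db, $name)), json_encode(login_checked($db, $name)));
}
```

The second row of the output is the whole bug: the unchecked flow reports `logged_in` true for a name that does not exist, while the checked flow refuses it.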
Lewis Smith 2017-08-25 15:49:56 CEST

Whiteboard: has_procedure => has_procedure advisory
CC: (none) => lewyssmith

Comment 7 Lewis Smith 2017-08-25 22:44:20 CEST
Trying M5/64

Having Cacti already installed & basically working, I updated directly to:
 cacti-1.1.16-2.mga5      [Note difference from Comment 6]
and used the system for some time before trying:
 http://localhost/cacti/
which usually shows its login screen. Not this time. With Firefox, it just left the window blank. With Opera 12, it gave 'not found'.

So I reverted to: cacti-0.8.8f-1.5.mga5
 # urpmi --downgrade cacti
and tried again; that worked.
Updated once again to cacti-1.1.16-2.mga5, and that did *not* work - as indicated above. Setting 'feedback'.

Whiteboard: has_procedure advisory => has_procedure advisory feedback

Comment 8 Herman Viaene 2017-08-27 11:40:54 CEST
Confirm problem with new version. Found following in /var/log/httpd/error.log:
[Sun Aug 27 11:35:51.838542 2017] [:error] [pid 4483] [client 127.0.0.1:49110] PHP Parse error:  syntax error, unexpected ''FATAL: Connection to Cacti da' (T_CONSTANT_ENCAPSED_STRING) in /usr/share/cacti/include/global.php on line 217

CC: (none) => herman.viaene

Comment 9 Lewis Smith 2017-08-27 20:47:14 CEST
(In reply to Herman Viaene from comment #8)
> Confirm problem with new version.
Thanks Herman - and for the better information. I was going to ask on qa-discuss for a verification, as this seemed rather fundamental; no need now.
Comment 10 Samuel Verschelde 2017-09-06 15:07:27 CEST
Moving 'advisory', 'has_procedure' and 'feedback' from whiteboard to keywords now that madb has been updated to handle those keywords.

Whiteboard: has_procedure advisory feedback => (none)
Keywords: (none) => advisory, feedback, has_procedure

Comment 11 PC LX 2017-12-01 20:07:47 CET
Package installed but there is a bug in /usr/share/cacti/include/global.php
A "p" is missing at the start of the line 217.
Will attach patch.

CC: (none) => mageia

Comment 12 PC LX 2017-12-01 20:08:25 CET
Created attachment 9815 [details]
patch
Comment 13 David Walser 2017-12-01 20:33:29 CET
Does that bug affect the Mageia 6 package?  We're not going to push this update for Mageia 5.  Mageia 6 is in Bug 21565.
Comment 14 PC LX 2017-12-01 20:40:36 CET
After applying the patch the script worked and it was only a matter of doing the following steps.

1 - Edit the file /etc/cacti.conf and set password. Change the PASSWORD in the command to the password set in the config file. If more than the password is changed then the following commands may have to be adjusted accordingly.
2 - Create the database and user.
2.1 - mysqladmin -uroot -p create cacti
2.2 - mysql -uroot -p -e "grant all on cacti.* to 'cactiuser'@'localhost' identified by 'PASSWORD'"
2.3 - mysql -uroot -p -e "grant select on mysql.time_zone_name to 'cactiuser'@'localhost' identified by 'PASSWORD'"
2.4 - mysql -uroot -p cacti < /usr/share/cacti/sql/cacti.sql
3 - xdg-open http://localhost/cacti/
4 - Follow the setup wizard.
5 - If cacti complains about "MySQL TimeZone Support" error run the command at 5.1.
5.1 - mysql_tzinfo_to_sql /usr/share/zoneinfo/ | mysql -u root -p mysql
6 - Set "Cacti Log Path" to /usr/share/cacti/log/cacti.log

That did it for me.
Comment 15 PC LX 2017-12-01 21:03:39 CET
(In reply to David Walser from comment #13)
> Does that bug affect the Mageia 6 package?

Don't know.

> We're not going to push this update for Mageia 5.

Then shouldn't this bug be closed as "WONTFIX"?
Comment 16 David Walser 2017-12-01 21:05:37 CET
Please do check the Mageia 6 package, since this update candidate was based on it.  I was planning to close this bug soon, but I only thought of it this week and have been too busy.
Lewis Smith 2017-12-02 16:32:17 CET

CC: lewyssmith => (none)

Comment 17 David Walser 2017-12-29 17:07:05 CET
Last reminder to anyone who sees this to check and make sure the issue(s) affecting this package doesn't also affect Mageia 6.  Closing now.

Status: NEW => RESOLVED
Resolution: (none) => OLD
