Bug 21242 - cacti new security issues CVE-2017-10970, CVE-2017-11163, CVE-2017-11691, and CVE-2017-1206[56]
Summary: cacti new security issues CVE-2017-10970, CVE-2017-11163, CVE-2017-11691, and...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure advisory mga6-64-ok
Keywords: validated_update
Depends on:
Blocks: 20211
Reported: 2017-07-14 22:20 CEST by David Walser
Modified: 2017-08-14 00:20 CEST

See Also:
Source RPM: cacti-1.0.4-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-07-14 22:20:23 CEST
Fedora has issued an advisory on July 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/

Mageia 6 is also affected.  Mageia 5 is not affected.

The issue is fixed upstream in this commit:
https://github.com/Cacti/cacti/commit/3381cba6a9e36b01ed0ab0acfd41b00487966cb5
David Walser 2017-07-14 22:20:30 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2017-07-15 20:04:00 CEST
Also fixed in 1.1.13:
https://www.cacti.net/release_notes.php?version=1.1.13
Comment 2 David Walser 2017-07-27 12:18:34 CEST
1.1.14 fixes an XSS issue as well:
https://www.cacti.net/release_notes.php?version=1.1.14

It has been assigned CVE-2017-11691:
http://openwall.com/lists/oss-security/2017/07/27/1

The upstream commit to fix that issue is linked in the message above.

Summary: cacti new security issue CVE-2017-10970 => cacti new security issues CVE-2017-10970 and CVE-2017-11691

Comment 3 David Walser 2017-08-09 02:35:35 CEST
1.1.16 has been released on July 29:
https://www.cacti.net/release_notes.php?version=1.1.16

Apparently it fixes CVE-2017-12065 and CVE-2017-12066.

Fedora has issued an advisory for this on August 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/

Summary: cacti new security issues CVE-2017-10970 and CVE-2017-11691 => cacti new security issues CVE-2017-10970, CVE-2017-11691, and CVE-2017-1206[56]
Severity: normal => critical

Comment 4 David Walser 2017-08-09 02:52:15 CEST
Apparently 1.1.13 also fixed CVE-2017-11163.

openSUSE has issued an advisory for this today (August 8):
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html

Summary: cacti new security issues CVE-2017-10970, CVE-2017-11691, and CVE-2017-1206[56] => cacti new security issues CVE-2017-10970, CVE-2017-11163, CVE-2017-11691, and CVE-2017-1206[56]

Comment 5 Nicolas Lécureuil 2017-08-11 00:13:47 CEST
fixed on cauldron

Version: Cauldron => 6
CC: (none) => mageia
Whiteboard: MGA6TOO => (none)

Comment 6 Nicolas Lécureuil 2017-08-11 00:16:04 CEST
Pushed in updates_testing for mageia6
src.rpm:
        cacti-1.1.16-1.mga6

Assignee: luis.daniel.lucio => qa-bugs

Comment 7 David Walser 2017-08-11 00:37:11 CEST
Procedure in bug 13930.  Mageia 5 also needs to be updated.  That can be handled in Bug 20211.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows
remote anonymous users to inject arbitrary web script or HTML via the id
parameter, related to the die_html_input_error function in
lib/html_validate.php (CVE-2017-10970).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti
1.1.12 allows remote authenticated users to inject arbitrary web script or HTML
via specially crafted HTTP Referer headers, related to the $cancel_url
variable (CVE-2017-11163).

A Cross-site scripting vulnerability exists in cacti before 1.1.14 in the user
profile management page (auth_profile.php), allowing injection of arbitrary web
script or HTML via specially crafted HTTP Referer headers (CVE-2017-11691).

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute
arbitrary code via the avgnan, outlier-start, or outlier-end parameter
(CVE-2017-12065).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti
before 1.1.16 allows remote authenticated users to inject arbitrary web script
or HTML via specially crafted HTTP Referer headers, related to the $cancel_url
variable (CVE-2017-12066).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066
https://www.cacti.net/changelog.php
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/
http://openwall.com/lists/oss-security/2017/07/27/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
========================

Updated packages in core/updates_testing:
========================
cacti-1.1.16-1.mga6

from cacti-1.1.16-1.mga6.src.rpm

Whiteboard: (none) => has_procedure
Blocks: (none) => 20211
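
The Referer-based XSS pattern named in the advisory above (CVE-2017-11163, CVE-2017-11691, CVE-2017-12066), shown beside a hardened form. This is an added example, not Cacti's code and not part of the original comment; the function names, TRUSTED_HOST and the sample request are hypothetical.

```php
<?php
// Added illustration: hypothetical helpers, not Cacti's code.
const TRUSTED_HOST = 'cacti.example';   // assumed: configured server name

// Pattern described in the advisory: a Referer-derived URL is written into
// the page without validation or output encoding.
function cancel_link_unsafe(array $server): string
{
    $cancel_url = $server['HTTP_REFERER'] ?? 'index.php';
    return '<a href="' . $cancel_url . '">Cancel</a>';
}

// Returns a same-site path (plus query) taken from the Referer, or $fallback.
function referer_to_local_url(array $server, string $fallback): string
{
    $parts = parse_url($server['HTTP_REFERER'] ?? '');
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || strcasecmp($parts['host'], TRUSTED_HOST) !== 0) {
        return $fallback;                       // foreign or non-web origin
    }
    $path = $parts['path'];
    // "//host" and "/\host" would be read by browsers as another origin.
    if (strncmp($path, '/', 1) !== 0 || strpos($path, '//') === 0
        || strpos($path, '\\') !== false) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Hardened: validate the source, then HTML-encode at the point of output.
function cancel_link_safe(array $server, string $fallback = 'index.php'): string
{
    $url = referer_to_local_url($server, $fallback);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Cancel</a>';
}

// Constructed sample request: the query breaks out of the href attribute.
$server = ['HTTP_REFERER' => 'http://cacti.example/x.php?a="><b>injected</b>'];
echo cancel_link_unsafe($server), PHP_EOL;  // markup reaches the page as-is
echo cancel_link_safe($server), PHP_EOL;    // quotes and brackets are encoded
```

The host check alone does not stop the sample value, since it is same-host; the encoding at output is what neutralises it.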

Comment 8 Nicolas Lécureuil 2017-08-11 00:57:42 CEST
pushed in mga5 too
Lewis Smith 2017-08-13 10:26:14 CEST

Whiteboard: has_procedure => has_procedure advisory

Comment 9 claire robinson 2017-08-13 23:27:45 CEST
Testing complete mga6 64 & validating

Bit of a pain to test. It requires tzdata installing in mysql and privileges granting to it for cacti. See..

https://github.com/Cacti/cacti/issues/361

Also password restrictions exist on the mysql user for cacti and cacti admin user after install, forcing complex passwords.

Cacti reports one requirement at a time making you jump through hoops but it basically needs to be 8 characters with a mix of caps/non caps and one special character.

Appears to work ok, was able to produce empty graphs so didn't leave it running.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory mga6-64-ok

Comment 10 claire robinson 2017-08-13 23:40:31 CEST
Also requires more or less..
chown -R apache:apache /usr/share/cacti

..during installation
Comment 11 claire robinson 2017-08-13 23:55:05 CEST
Oh, and a number in the password.
Comment 12 David Walser 2017-08-14 00:08:38 CEST
(In reply to claire robinson from comment #10)
> Also requires more or less..
> chown -R apache:apache /usr/share/cacti
> 
> ..during installation

Sounds like something that should be fixed in the package.

Something like:
-%{_datadir}/%{name}
+%attr(-,apache,apache) %{_datadir}/%{name}
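
Review bot: the `+` line applies `%attr(-,apache,apache)` to the whole `%{_datadir}/%{name}` entry, so every file packaged under it, the application's own scripts included, ends up owned by the web server account and therefore modifiable by it. That removes the separation between the served code and the process serving it: a flaw such as the spikekill.php issue in the advisory above (CVE-2017-12065) could then be used to alter the installed files. Suggest leaving `%{_datadir}/%{name}` root-owned and adding `%attr(-,apache,apache)` only to the individual subdirectories that need write access at install or run time, each as its own `%files` entry; which ones those are needs checking against the Cacti install procedure.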
Comment 13 claire robinson 2017-08-14 00:14:21 CEST
Yeah, I'll create a bug for it. This was from the release version, presumably similar in this update though. /usr/share/cacti/* may be too much so will need to be checked more thoroughly by someone who knows it.
Comment 14 Mageia Robot 2017-08-14 00:20:22 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0267.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

