Bug 21565 - cacti new security issues CVE-2017-12927 and CVE-2017-12978
Summary: cacti new security issues CVE-2017-12927 and CVE-2017-12978
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: advisory, feedback, has_procedure
Depends on:
Blocks: 20211 21525
Reported: 2017-08-18 23:59 CEST by David Walser
Modified: 2017-09-07 15:14 CEST

See Also:
Source RPM: cacti-1.1.16-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2017-08-18 23:59:14 CEST
A security issue fixed upstream in cacti has been announced:
http://openwall.com/lists/oss-security/2017/08/18/8

The commit that fixed the issue is linked in the message above.  The fix will be included in 1.1.18.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-08-18 23:59:33 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO
Blocks: (none) => 20211

Comment 1 David Walser 2017-08-19 00:09:49 CEST
See also a bug in the package.

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21525

Comment 2 Marja van Waes 2017-08-19 07:42:51 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => luis.daniel.lucio
CC: (none) => marja11

Comment 3 Nicolas Lécureuil 2017-08-19 18:40:05 CEST
pushed in updates_testing
src.rpm:
        cacti-1.1.16-1.1.mga6
        cacti-1.1.16-1.1.mga5

CC: (none) => mageia
Assignee: luis.daniel.lucio => qa-bugs

Comment 4 David Walser 2017-08-19 19:24:02 CEST
Procedure in bug 13930.  Mageia 5 update is in Bug 20211.

Advisory:
========================

Updated cacti package fixes security vulnerability:

Cross-site scripting vulnerability in cacti in spikekill.php via the method
parameter (CVE-2017-12927).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12927
http://openwall.com/lists/oss-security/2017/08/18/8
========================

Updated packages in core/updates_testing:
========================
cacti-1.1.16-1.1.mga6

from cacti-1.1.16-1.1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => has_procedure
Version: Cauldron => 6

David Walser 2017-08-22 18:45:07 CEST

Blocks: (none) => 21525
See Also: https://bugs.mageia.org/show_bug.cgi?id=21525 => (none)

Comment 5 Lewis Smith 2017-08-25 15:32:19 CEST
Prior to testing M6 x64.

 https://docs.cacti.net/manual:088:1_installation.1_install_unix
covers various aspects of configuring Apache, PHP, MySQL/MariaDB.
 https://docs.cacti.net/manual:088:1_installation.1_install_unix.5_install_and_configure_cacti
has cacti config details.

 https://bugs.mageia.org/show_bug.cgi?id=16202#c11
has a full setup procedure, but there is an important change: new MariaDB demands a much stiffer DB user password. Without finding the exact rules, I had to go from 'cactiuser' as far as 'cactiuser-Mageia6' before it worked.
Recapitulation follows:

* Our config file is: /etc/cacti.conf
in which the important pre-configured DB details are:
 $database_type     = 'mysql';
 $database_default  = 'cacti';
 $database_hostname = 'localhost';
 $database_username = 'cactiuser';
 $database_password = 'cactiuser';   *** Change this ***

* Create the Cacti database:
 $ mysqladmin -u root -p create cacti

* Populate it:
 $ mysql -p cacti < /usr/share/cacti/sql/cacti.sql
This takes a looong time.

* Create Cacti user with its DB password:
 $ mysql -u root -p
 mysql> GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY '<DBpassword>';
 mysql> flush privileges;
 mysql> quit;

Normally, http://localhost/cacti should launch you. This time I got "not found, 404". There is nothing Cacti in /var/www[/html]. To pursue. The MariaDB side looks all present & correct.

CC: (none) => lewyssmith

Lewis Smith 2017-08-25 15:39:54 CEST

Whiteboard: has_procedure => has_procedure advisory

Comment 6 David Walser 2017-08-25 17:08:58 CEST
There typically isn't anything in /var/www/html.  You'd have to look in /etc/httpd/conf.d and there should be a cacti file in there that would tell you the Alias, which gives you the last part of the URL and where on the filesystem the files it serves are located.
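
The lookup described in comment 6, as an added example that is not part of the original thread: shell functions that read the Alias directives from an Apache configuration file and report which directory a URL path maps to, whether it exists and who owns it. The function names and the sample configuration are constructed for illustration; on a real host point it at the cacti file under /etc/httpd/conf.d.

```shell
#!/bin/sh
# Added example: resolve which directory an Apache Alias serves.
# Limitation: paths containing spaces are not handled.

# list_aliases FILE: print "URL-path<TAB>directory" per Alias directive.
list_aliases() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        tolower($1) == "alias" && NF >= 3 {      # directive names are case-insensitive
            url = $2; dir = $3
            gsub(/"/, "", url); gsub(/"/, "", dir)
            printf "%s\t%s\n", url, dir
        }' "$1"
}

# alias_dir FILE URLPATH: print the directory mapped to URLPATH, else fail.
alias_dir() {
    list_aliases "$1" | awk -F '\t' -v want="${2%/}" '
        { u = $1; sub(/\/$/, "", u) }            # compare without trailing slash
        u == want { print $2; found = 1; exit }
        END { exit !found }'
}

# check_served FILE URLPATH: 0 = mapped and present, 1 = no Alias, 2 = directory missing.
check_served() {
    dir=$(alias_dir "$1" "$2") || { echo "no Alias for $2 in $1"; return 1; }
    [ -d "$dir" ] || { echo "$2 -> $dir (directory missing)"; return 2; }
    echo "$2 -> $dir (owner: $(ls -ld "$dir" | awk '{print $3":"$4}'))"
}

# Constructed sample input, not the file shipped in the Mageia package.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Alias /cacti-old /srv/old
Alias /cacti /usr/share/cacti
<Directory "/usr/share/cacti">
    Require local
</Directory>
EOF
check_served "$sample" /cacti || :    # on a real host: check_served /etc/httpd/conf.d/<file> /cacti
rm -f "$sample"
```

A return code of 1 means the URL path is not aliased in that file at all, which is a different cause of a 404 than a mapped directory that is missing or unreadable.
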
Comment 7 Lewis Smith 2017-08-30 12:33:18 CEST
Continuation of comment 5, M6/64 setup:
> Normally, http://localhost/cacti should launch you.
> This time I got "not found, 404".

Claire to the rescue!
Bug 21242 comments 9-11-10 + https://github.com/Cacti/cacti/issues/361

* Make http://localhost/cacti work:
 # chown -R apache:apache /usr/share/cacti
and on first use, it shows the installation page, not login. But before proceeding, finish the DB setup as follows:

* The enhanced DB user password: "needs to be 8 characters with a mix of caps/non caps and one special character ... and a number in the password"
so 'cactiuser-M6' would have sufficed.

* Add timezone table to MariaDB:
 $ cd /usr/share/mysql
 $ mysql -u root -p mysql < mysql_test_data_timezone.sql
 $ cd

* Grant access to the timezone table to Cacti (once cactiuser defined):
 $ mysql -u root -p mysql
 MariaDB [mysql]> GRANT SELECT ON mysql.time_zone_name TO cactiuser@localhost;
Query OK, 0 rows affected (0.00 sec)
 MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Now the Cacti setup:
"The following PHP extensions are recommended, and should be installed before continuing your Cacti install.
gmp      optional      NOT installed"       [presumably can add it later]

There were lots of things in red, but I left the original values.
Chose the default "New Primary Server" installation.

"Spine Binary File Location: The path to Spine binary."
 /usr/local/spine/bin/spine
is shown wrong, & not in /etc/cacti.conf
I could not find a 'spine' binary anywhere, and it is not provided:
 $ urpmq -l cacti | grep spine
 /usr/share/cacti/docs/html/unix_configure_spine.html
 /usr/share/cacti/docs/html/using_spine.html
so left it wrong.

"Cacti Log Path: The path to your Cacti log file."
 /usr/share/cacti/log/cacti.log
was marked wrong, & not in /etc/cacti.conf. I found the log file in
 /var/log/cacti/cacti.log so substituted that. Needed Next/Previous for the change to be noted.
However, the next page said "/usr/share/cacti/log is Not Writable", and had to leave that.

Clicked on the "Template Setup" page 'Local Linux Machine', but nothing seemed to happen.
Finish -> Login page. USE admin/admin INITIALLY. It then immediately asks for a new password (for admin); type and *note* it!
At last logged in.
------------------
But I cannot create anything. I seem to have lost all templates along the way. Trying to re-do the install says it is already up to date. Stalled...
Comment 8 Herman Viaene 2017-08-30 14:24:39 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
Using phpmyadmin created database cacti, user cactiuser, then at CLI
# mysql -p cacti < /usr/share/cacti/sql/cacti.sql
Enter password: 
OK
Checked that /usr/share/cacti is owned by apache: OK
# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 184
Server version: 10.1.26-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'cactiuser_M6';
Query OK, 0 rows affected (0.02 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit
Bye
Made sure /etc/cacti.conf has correct password.
# cd /usr/share/mysql/
# mysql -u root -p mysql < mysql_test_data_timezone.sql
Enter password: 
OK
# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 186
Server version: 10.1.26-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> GRANT SELECT ON mysql.time_zone_name TO cactiuser@localhost;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit
Bye
Just to test that the cactiuser connects OK:
# mysql -u cactiuser -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 187
Server version: 10.1.26-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> quit

Then browser to http://localhost/cacti
result: 404

CC: (none) => herman.viaene

Comment 9 David Walser 2017-09-01 03:29:10 CEST
Fedora has issued an advisory today (August 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HANMMOMPF4H7JQO4Q5SC6RJLTMMB3KEG/

It fixes an additional security issue, CVE-2017-12928.

We should fix that as well here (and in the Mageia 5 update).

Whiteboard: has_procedure advisory => has_procedure advisory feedback
Summary: cacti new security issue CVE-2017-12927 => cacti new security issues CVE-2017-12927 and CVE-2017-12928

Comment 10 Lewis Smith 2017-09-05 11:57:26 CEST
Re Comment 9, are we to expect a new update?
Comment 11 David Walser 2017-09-05 12:05:48 CEST
(In reply to Lewis Smith from comment #10)
> Re Comment 9, are we to expect a new update?

Yes.
Frédéric Buclin 2017-09-06 16:09:02 CEST

Whiteboard: has_procedure advisory feedback => (none)
Keywords: (none) => advisory, feedback, has_procedure

Comment 12 David Walser 2017-09-07 15:14:16 CEST
(In reply to David Walser from comment #9)
> Fedora has issued an advisory today (August 31):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/HANMMOMPF4H7JQO4Q5SC6RJLTMMB3KEG/
> 
> It fixes an additional security issue, CVE-2017-12928.

Oops, it's CVE-2017-12978.

Summary: cacti new security issues CVE-2017-12927 and CVE-2017-12928 => cacti new security issues CVE-2017-12927 and CVE-2017-12978

