Debian DLA-2965-1 : cacti - LTS security update

critical Nessus Plugin ID 159321

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-2965 advisory.

- Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. (CVE-2018-10060)

- Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). (CVE-2018-10061)

- In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. (CVE-2019-11025)

- In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). (CVE-2020-13230)

- Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php. (CVE-2020-23226)

- Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). (CVE-2020-7106)

- Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the new_username field during creation of a new user via Copy method at user_admin.php.
(CVE-2021-23225)

- Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.
(CVE-2022-0730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the cacti packages.

For Debian 9 stretch, these problems have been fixed in version 0.8.8h+ds1-10+deb9u2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926700

https://security-tracker.debian.org/tracker/source-package/cacti

https://www.debian.org/lts/security/2022/dla-2965

https://security-tracker.debian.org/tracker/CVE-2018-10060

https://security-tracker.debian.org/tracker/CVE-2018-10061

https://security-tracker.debian.org/tracker/CVE-2019-11025

https://security-tracker.debian.org/tracker/CVE-2020-13230

https://security-tracker.debian.org/tracker/CVE-2020-23226

https://security-tracker.debian.org/tracker/CVE-2020-7106

https://security-tracker.debian.org/tracker/CVE-2021-23225

https://security-tracker.debian.org/tracker/CVE-2022-0730

https://packages.debian.org/source/stretch/cacti

Plugin Details

Severity: Critical

ID: 159321

File Name: debian_DLA-2965.nasl

Version: 1.2

Type: local

Agent: unix

Published: 3/29/2022

Updated: 3/29/2022

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2022-0730

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:cacti, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 3/29/2022

Vulnerability Publication Date: 4/12/2018

Reference Information

CVE: CVE-2018-10060, CVE-2018-10061, CVE-2019-11025, CVE-2020-7106, CVE-2020-13230, CVE-2020-23226, CVE-2021-23225, CVE-2022-0730