Synopsis
The remote Debian host is missing one or more security-related updates.
Description
The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3765 advisory.
    - -------------------------------------------------------------------------
    Debian LTS Advisory DLA-3765-1                [email protected]
    https://www.debian.org/lts/security/                      Sylvain Beucler
    March 18, 2024                                https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------
    Package        : cacti
    Version        : 1.2.2+ds1-2+deb10u6
    CVE ID         : CVE-2023-39357 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362
                     CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515
                     CVE-2023-39516 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086
                     CVE-2023-49088
    Debian Bug     : 1059254
    Multiple vulnerabilities were found in Cacti, a network monitoring system. An attacker could manipulate the database, execute code remotely, launch DoS (denial-of-service) attacks or impersonate Cacti users, in some situations.
    CVE-2023-39357
        When the column type is numeric, the sql_save function directly utilizes user input. Many files and functions calling the sql_save function do not perform prior validation of user input, leading to the existence of multiple SQL injection vulnerabilities in Cacti. This allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution.
    CVE-2023-39360
        Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data. The vulnerability is found in `graphs_new.php`. Several validations are performed, but the `returnto` parameter is directly passed to `form_save_button`. In order to bypass this validation, returnto must contain `host.php`.
    CVE-2023-39361
        SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution.
    CVE-2023-39362
        An authenticated privileged user can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept some variables as input and place them into an `exec` call without a proper escape or validation.
    CVE-2023-39364
        Users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The `auth_changepassword.php` file accepts `ref` as a URL parameter and reflects it in the form used to perform the change password. Its value is used to perform a redirect via the `header` PHP function. A user can be tricked into performing the change password operation, e.g., via a phishing message, and then interacting with the malicious website where the redirection has been performed, e.g., downloading malware, providing credentials, etc.
    CVE-2023-39365
        Issues with Cacti Regular Expression validation combined with the external links feature can lead to limited SQL Injections and subsequent data leakage.
    CVE-2023-39513
        Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. The script under `host.php` is used to monitor and manage hosts in the _cacti_ app, and hence displays useful information such as data queries and verbose logs.
    CVE-2023-39515
        Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data stored in the cacti's database. These data will be viewed by administrative cacti accounts and execute JavaScript code in the victim's browser at view-time. The script under `data_debug.php` displays data source related debugging information such as data source paths, polling settings, meta-data on the data source.
    CVE-2023-39516
        Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `data_sources.php` displays the data source management information (e.g. data source path, polling configuration etc.) for different data visualizations of the _cacti_ app.
    CVE-2023-49084
        While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is `link.php`.
    CVE-2023-49085
        It is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is `pollers.php`.
    CVE-2023-49086
        Bypassing an earlier fix (CVE-2023-39360) that leads to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is `graphs_new.php`.
    CVE-2023-49088
        The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in `data_debug.php`.
    For Debian 10 buster, these problems have been fixed in version 1.2.2+ds1-2+deb10u6.
    We recommend that you upgrade your cacti packages.
    For the detailed security status of cacti please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/cacti
    Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Tenable has extracted the preceding description block directly from the Debian security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the cacti packages.
Plugin Details
File Name: debian_DLA-3765.nasl
Agent: unix
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:cacti, cpe:/o:debian:debian_linux:10.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: Exploits are available
Patch Publication Date: 3/18/2024
Vulnerability Publication Date: 9/5/2023
Exploitable With
Metasploit (Cacti RCE via SQLi in pollers.php)
Reference Information
CVE: CVE-2023-39357, CVE-2023-39360, CVE-2023-39361, CVE-2023-39362, CVE-2023-39364, CVE-2023-39365, CVE-2023-39513, CVE-2023-39515, CVE-2023-39516, CVE-2023-49084, CVE-2023-49085, CVE-2023-49086, CVE-2023-49088