Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-5298.NASL
HistoryDec 10, 2022 - 12:00 a.m.

Debian DSA-5298-1 : cacti - security update

2022-12-1000:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
17
JSON

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5298 advisory.

  • Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.
    (CVE-2022-0730)

  • Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the remote_agent.php file. This file can be accessed without authentication. This function retrieves the IP address of the client via get_client_addr and resolves this IP address to the corresponding hostname via gethostbyaddr. After this, it is verified that an entry within the poller table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns true and the client is authorized.
    This authorization can be bypassed due to the implementation of the get_client_addr function. The function is defined in the file lib/functions.php and checks serval $_SERVER variables to determine the IP address of the client. The variables beginning with HTTP_ can be arbitrarily set by an attacker.
    Since there is a default entry in the poller table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header Forwarded-For: <TARGETIP>. This way the function get_client_addr returns the IP address of the server running Cacti. The following call to gethostbyaddr will resolve this IP address to the hostname of the server, which will pass the poller hostname check because of the default entry. After the authorization of the remote_agent.php file is bypassed, an attacker can trigger different actions. One of these actions is called polldata. The called function poll_for_data retrieves a few request parameters and loads the corresponding poller_item entries from the database. If the action of a poller_item equals POLLER_ACTION_SCRIPT_PHP, the function proc_open is used to execute a PHP script. The attacker-controlled parameter $poller_id is retrieved via the function get_nfilter_request_var, which allows arbitrary strings. This variable is later inserted into the string passed to proc_open, which leads to a command injection vulnerability. By e.g. providing the poller_id=;id the id command is executed. In order to reach the vulnerable call, the attacker must provide a host_id and local_data_id, where the action of the corresponding poller_item is set to POLLER_ACTION_SCRIPT_PHP. Both of these ids (host_id and local_data_id) can easily be bruteforced. The only requirement is that a poller_item with an POLLER_ACTION_SCRIPT_PHP action exists. This is very likely on a productive instance because this action is added by some predefined templates like Device - Uptime or Device - Polling Time. This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a poller_item with the action type POLLER_ACTION_SCRIPT_PHP (2) is configured. The authorization bypass should be prevented by not allowing an attacker to make get_client_addr (file lib/functions.php) return an arbitrary IP address. This could be done by not honoring the HTTP_... $_SERVER variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with 1.2.23 being the first release containing the patch. (CVE-2022-46169)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5298. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(168615);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/15");

  script_cve_id("CVE-2022-0730", "CVE-2022-46169");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/03/09");

  script_name(english:"Debian DSA-5298-1 : cacti - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the
dsa-5298 advisory.

  - Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.
    (CVE-2022-0730)

  - Cacti is an open source platform which provides a robust and extensible operational monitoring and fault
    management framework for users. In affected versions a command injection vulnerability allows an
    unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was
    selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can
    be accessed without authentication. This function retrieves the IP address of the client via
    `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After
    this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the
    resolved hostname. If such an entry was found, the function returns `true` and the client is authorized.
    This authorization can be bypassed due to the implementation of the `get_client_addr` function. The
    function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine
    the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker.
    Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an
    attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way
    the function `get_client_addr` returns the IP address of the server running Cacti. The following call to
    `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller`
    hostname check because of the default entry. After the authorization of the `remote_agent.php` file is
    bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called
    function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item`
    entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the
    function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is
    retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is
    later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By
    e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call,
    the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding
    `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can
    easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP`
    action exists. This is very likely on a productive instance because this action is added by some
    predefined templates like `Device - Uptime` or `Device - Polling Time`. This command injection
    vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the
    `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented
    by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP
    address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept
    for compatibility reasons it should at least be prevented to fake the IP address of the server running
    Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23`
    being the first release containing the patch. (CVE-2022-46169)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008693");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/cacti");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2022/dsa-5298");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-0730");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-46169");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/cacti");
  script_set_attribute(attribute:"solution", value:
"Upgrade the cacti packages.

For the stable distribution (bullseye), these problems have been fixed in version 1.2.16+ds1-2+deb11u1.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-0730");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-46169");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Cacti 1.2.22 unauthenticated command injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/03/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/12/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/12/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cacti");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'cacti', 'reference': '1.2.16+ds1-2+deb11u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cacti');
}
VendorProductVersionCPE
debiandebian_linuxcactip-cpe:/a:debian:debian_linux:cacti
debiandebian_linux11.0cpe:/o:debian:debian_linux:11.0

Related

debian 3
openvas 18
osv 5
nessus 8
zdt 2
fedora 10
amazon 2
nuclei 1
githubexploit 29
cnvd 1
ubuntucve 2
alpinelinux 2
freebsd 1
attackerkb 1
hivepro 1
cve 2
debiancve 2
cisa_kev 1
veracode 2
prion 2
rapid7blog 1
metasploit 1
packetstorm 2
zdi 1
suse 1
exploitdb 1
thn 2
debian
debian
[SECURITY] [DSA 5298-1] cacti security update
2022-12-09 19:25:47
[SECURITY] [DLA 3252-1] cacti security update
2022-12-31 09:27:10
[SECURITY] [DLA 2965-1] cacti security update
2022-03-29 21:34:31
openvas
openvas
Debian: Security Advisory (DSA-5298-1)
2022-12-11 00:00:00
Fedora: Security Advisory for cacti-spine (FEDORA-2023-d4085a681f)
2023-01-13 00:00:00
Fedora: Security Advisory for cacti (FEDORA-2023-788d505ddc)
2023-01-13 00:00:00
osv
osv
cacti - security update
2022-12-09 00:00:00
CVE-2022-46169
2022-12-05 21:15:10
cacti - security update
2022-12-31 00:00:00
nessus
nessus
Fedora 36 : cacti / cacti-spine (2023-d4085a681f)
2023-01-13 00:00:00
Debian DLA-3252-1 : cacti - LTS security update
2023-01-01 00:00:00
Amazon Linux AMI : cacti (ALAS-2023-1675)
2023-01-24 00:00:00
zdt
zdt
Cacti v1.2.22 - Remote Command Execution Exploit
2023-03-31 00:00:00
Cacti 1.2.22 Command Injection Exploit
2023-01-25 00:00:00
fedora
fedora
[SECURITY] Fedora 36 Update: cacti-spine-1.2.23-1.fc36
2023-01-13 01:21:30
[SECURITY] Fedora 37 Update: cacti-1.2.23-1.fc37
2023-01-13 01:32:05
[SECURITY] Fedora 37 Update: cacti-spine-1.2.23-1.fc37
2023-01-13 01:32:06
amazon
amazon
Critical: cacti
2023-01-19 20:10:00
Critical: cacti
2022-09-15 03:57:00
nuclei
nuclei
Cacti <=1.2.22 - Remote Command Injection
2022-12-23 12:35:53
githubexploit
githubexploit
Exploit for OS Command Injection in Cacti
2023-05-01 20:00:23
Exploit for OS Command Injection in Cacti
2023-05-12 01:20:15
Exploit for OS Command Injection in Cacti
2023-02-02 18:21:08
cnvd
cnvd
Cacti has a command execution vulnerability
2023-02-22 00:00:00
ubuntucve
ubuntucve
CVE-2022-46169
2022-12-05 00:00:00
CVE-2022-0730
2022-03-03 00:00:00
alpinelinux
alpinelinux
CVE-2022-46169
2022-12-05 21:15:00
CVE-2022-0730
2022-03-03 23:15:00
freebsd
freebsd
net-mgmt/cacti is vulnerable to remote command injection
2022-12-05 00:00:00
attackerkb
attackerkb
CVE-2022-46169
2022-12-05 00:00:00
hivepro
hivepro
The Vulnerability Discovered in the Cacti Open-Source RRD tool
2023-01-16 10:56:28
cve
cve
CVE-2022-46169
2022-12-05 21:15:00
CVE-2022-0730
2022-03-03 23:15:00
debiancve
debiancve
CVE-2022-46169
2022-12-05 21:15:00
CVE-2022-0730
2022-03-03 23:15:00
cisa_kev
cisa_kev
Cacti Command Injection Vulnerability
2023-02-16 00:00:00
veracode
veracode
Command Injection
2022-12-15 01:51:41
Authentication Bypass
2022-03-30 23:20:19
prion
prion
Command injection
2022-12-05 21:15:00
Authentication flaw
2022-03-03 23:15:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-01-27 21:17:01
metasploit
metasploit
Cacti 1.2.22 unauthenticated command injection
2022-12-22 15:55:45
packetstorm
packetstorm
Cacti 1.2.22 Remote Command Execution
2023-03-31 00:00:00
Cacti 1.2.22 Command Injection
2023-01-24 00:00:00
zdi
zdi
Cacti poll_for_data Command Injection Remote Code Execution Vulnerability
2023-01-31 00:00:00
suse
suse
Security update for cacti, cacti-spine (moderate)
2022-05-24 00:00:00
exploitdb
exploitdb
Cacti v1.2.22 - Remote Command Execution (RCE)
2023-03-31 00:00:00
thn
thn
Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability
2023-01-14 08:11:00
Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation
2023-04-01 04:51:00
JSON
Related for DEBIAN_DSA-5298.NASL
debian3openvas18osv5nessus8zdt2fedora10amazon2nuclei1githubexploit29cnvd1ubuntucve2alpinelinux2freebsd1attackerkb1hivepro1cve2debiancve2cisa_kev1veracode2prion2rapid7blog1metasploit1packetstorm2zdi1suse1exploitdb1thn2