Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Cacti vulnerabilities (USN-6969-1)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6969-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(206024);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/08/27");

  script_cve_id(
    "CVE-2024-25641",
    "CVE-2024-29894",
    "CVE-2024-31443",
    "CVE-2024-31444",
    "CVE-2024-31445",
    "CVE-2024-31458",
    "CVE-2024-31459",
    "CVE-2024-31460",
    "CVE-2024-34340"
  );
  script_xref(name:"USN", value:"6969-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Cacti vulnerabilities (USN-6969-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has a package installed
that is affected by multiple vulnerabilities as referenced in the USN-6969-1 advisory.

    It was discovered that Cacti did not properly apply checks to the Package Import feature. An attacker
    could possibly use this issue to perform arbitrary code execution. This issue only affected Ubuntu 24.04
    LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-25641)

    It was discovered that Cacti did not properly sanitize values when using javascript based API. A remote
    attacker could possibly use this issue to inject arbitrary javascript code resulting into cross-site
    scripting vulnerability. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-29894)

    It was discovered that Cacti did not properly sanitize values when managing data queries. A remote
    attacker could possibly use this issue to inject arbitrary javascript code resulting into cross-site
    scripting vulnerability. (CVE-2024-31443)

    It was discovered that Cacti did not properly sanitize values when reading tree rules with Automation API.
    A remote attacker could possibly use this issue to inject arbitrary javascript code resulting into cross-
    site scripting vulnerability. (CVE-2024-31444)

    It was discovered that Cacti did not properly sanitize get_request_var('filter') values in the
    api_automation.php file. A remote attacker could possibly use this issue to perform SQL injection
    attacks. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04
    LTS. (CVE-2024-31445)

    It was discovered that Cacti did not properly sanitize data stored in form_save() function in the
    graph_template_inputs.php file. A remote attacker could possibly use this issue to perform SQL injection
    attacks. (CVE-2024-31458)

    It was discovered that Cacti did not properly validate the file urls from the lib/plugin.php file. An
    attacker could possibly use this issue to perform arbitrary code execution. (CVE-2024-31459)

    It was discovered that Cacti did not properly validate the data stored in the automation_tree_rules.php.
    A remote attacker could possibly use this issue to perform SQL injection attacks. This issue only affected
    Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-31460)

    It was discovered that Cacti did not properly verify the user password. An attacker could possibly use
    this issue to bypass authentication mechanism. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04
    LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-34360)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6969-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected cacti package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-34340");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Cacti Import Packages RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/05/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/08/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/08/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cacti");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "ubuntu_pro_sub_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release || '16.04' >< os_release || '18.04' >< os_release || '20.04' >< os_release || '22.04' >< os_release || '24.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04 / 16.04 / 18.04 / 20.04 / 22.04 / 24.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var ubuntu_pro_detected = get_kb_item('Host/Ubuntu/Pro/Services/esm-apps');
ubuntu_pro_detected = !empty_or_null(ubuntu_pro_detected);

var pro_caveat_needed = FALSE;

var pkgs = [
    {'osver': '14.04', 'pkgname': 'cacti', 'pkgver': '0.8.8b+dfsg-5ubuntu0.2+esm2', 'ubuntu_pro': TRUE},
    {'osver': '16.04', 'pkgname': 'cacti', 'pkgver': '0.8.8f+ds1-4ubuntu4.16.04.2+esm2', 'ubuntu_pro': TRUE},
    {'osver': '18.04', 'pkgname': 'cacti', 'pkgver': '1.1.38+ds1-1ubuntu0.1~esm3', 'ubuntu_pro': TRUE},
    {'osver': '20.04', 'pkgname': 'cacti', 'pkgver': '1.2.10+ds1-1ubuntu1.1', 'ubuntu_pro': FALSE},
    {'osver': '22.04', 'pkgname': 'cacti', 'pkgver': '1.2.19+ds1-2ubuntu1.1', 'ubuntu_pro': FALSE},
    {'osver': '24.04', 'pkgname': 'cacti', 'pkgver': '1.2.26+ds1-1ubuntu0.1', 'ubuntu_pro': FALSE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  var pro_required = NULL;
  if (!empty_or_null(package_array['ubuntu_pro'])) pro_required = package_array['ubuntu_pro'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) {
        flag++;
        if (!ubuntu_pro_detected && !pro_caveat_needed) pro_caveat_needed = pro_required;
    }
  }
}

if (flag)
{
  var extra = '';
  if (pro_caveat_needed) {
    extra += 'NOTE: This vulnerability check contains fixes that apply to packages only \n';
    extra += 'available in Ubuntu ESM repositories. Access to these package security updates \n';
    extra += 'require an Ubuntu Pro subscription.\n\n';
  }
  extra += ubuntu_report_get();
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cacti');
}