Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti

Deutsche Telekom CERT Advisory [DTC-A-20140324-001]

Summary:
Three vulnerabilities were found in cacti version 0.8.7g.

The vulnerabilities are:
1) Stored Cross-Site Scripting (XSS) (via URL)
2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
3) The use of exec-like function calls without safety checks allow arbitrary commands

At the moment we have no feedback regarding a patch from the developers.

Homepage: http://www.cacti.net/

Recommendations:
The developer has not fixed all vulnerabilities. Therefore the client systems used to login to Cacti should be isolated from each external network including internet connection over proxy server, to prevent any threats concerning the open vulnerabilities.

Details:
a) application
b) problem
c) CVSS
d) detailed description

a1) Cacti 0.8.7g [CVE-2014-2326]
b1) Stored Cross-Site Scripting (XSS) (via URL)
c1) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d1) The Cacti application is susceptible to stored XSS attacks. This is mainly the result of improper output encoding.

a2) Cacti 0.8.7g [CVE-2014-2327]
b2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
c2) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d2) The Cacti application does not implement any CSRF tokens. More about CSRF attacks, risks and mitigations see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack has a vast impact on the security of the Cacti application, as multiple configuration parameters can be changed using a CSRF attack. One very critical attack vector is the modification of several binary files in the Cacti configuration, which may then be executed on the server. This results in full compromise of the Cacti host by just clicking a web link. A proof of concept exploit has been developed, which allows this attack, resulting in full (system level) access of the Cacti system.
Further attack scenarios include the modification of the Cacti configuration and adding arbitrary (admin) users to the application.

a3) Cacti 0.8.7g [CVE-2014-2328]
b3) The use of exec-like function calls without safety checks allow arbitrary commands
c3) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d3) Cacti makes use of exec-like method PHP function calls, which execute command shell code without any safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of the Cacti user. Also, for more elaborate attacks, this can be combined with a XSS attack. Such an attack will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin.

Deutsche Telekom CERT
Landgrabenweg 151, 53227 Bonn, Germany
+49 800 DTAG CERT (Tel.)
E-Mail: [email protected]
Life is for sharing.

Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: Timotheus Hottges (Chairman),
Dr. Thomas Kremer, Reinhard Clemens, Niek Jan van Damme,
Thomas Dannenfeldt, Claudia Nemat, Prof. Dr. Marion Schick
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn

Big changes start small – conserve resources by not printing every e-mail.