Deutsche Telekom CERT Advisory [DTC-A-20140324-001]
Summary:
Three vulnerabilities were found in cacti version 0.8.7g.
The vulnerabilities are:
1) Stored Cross-Site Scripting (XSS) (via URL)
2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
3) The use of exec-like function calls without safety checks allow arbitrary commands
At the moment we have no feedback regarding a patch from the developers.
Homepage: http://www.cacti.net/
Recommendations:
The developer has not fixed all vulnerabilities. Therefore the client systems used to login to Cacti should be isolated from each external network including internet connection over proxy server, to prevent any threats concerning the open vulnerabilities.
a3) Cacti 0.8.7g [CVE-2014-2328]
b3) The use of exec-like function calls without safety checks allow arbitrary commands
c3) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d3) Cacti makes use of exec-like method PHP function calls, which execute command shell code without any safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of the Cacti user. Also, for more elaborate attacks, this can be combined with a XSS attack. Such an attack will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin.
Deutsche Telekom CERT
Landgrabenweg 151, 53227 Bonn, Germany
+49 800 DTAG CERT (Tel.)
E-Mail: [email protected]
Life is for sharing.
Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: Timotheus Hottges (Chairman),
Dr. Thomas Kremer, Reinhard Clemens, Niek Jan van Damme,
Thomas Dannenfeldt, Claudia Nemat, Prof. Dr. Marion Schick
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn
Big changes start small – conserve resources by not printing every e-mail.