Deutsche Telekom CERT Advisory [DTC-A-20140324-001]

Summary:
Three vulnerabilities were found in Cacti version 0.8.7g.

The vulnerabilities are:
1) Stored Cross-Site Scripting (XSS) (via URL)
2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
3) The use of exec-like function calls without safety checks allows execution of arbitrary commands

At the moment we have no feedback regarding a patch from the developers.

Homepage: http://www.cacti.net/

Recommendations:
The developer has not fixed all vulnerabilities. Therefore the client systems used to log in to Cacti should be isolated from every external network, including Internet access through a proxy server, to prevent any threats concerning the open vulnerabilities.

Details:
a) application
b) problem
c) CVSS
d) detailed description
---------------------------------------------------------------------------
a1) Cacti 0.8.7g [CVE-2014-2326]
b1) Stored Cross-Site Scripting (XSS) (via URL)
c1) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d1) The Cacti application is susceptible to stored XSS attacks. This is mainly the result of improper output encoding.
---------------------------------------------------------------------------
a2) Cacti 0.8.7g [CVE-2014-2327]
b2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
c2) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d2) The Cacti application does not implement any CSRF tokens. For more about CSRF attacks, risks and mitigations see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack has a vast impact on the security of the Cacti application, as multiple configuration parameters can be changed using a CSRF attack. One very critical attack vector is the modification of several binary files in the Cacti configuration, which may then be executed on the server. This results in full compromise of the Cacti host by just clicking a web link. A proof of concept exploit has been developed which allows this attack, resulting in full (system level) access to the Cacti system.
Further attack scenarios include the modification of the Cacti configuration and adding arbitrary (admin) users to the application.
---------------------------------------------------------------------------
a3) Cacti 0.8.7g [CVE-2014-2328]
b3) The use of exec-like function calls without safety checks allows execution of arbitrary commands
c3) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d3) Cacti makes use of exec-like PHP function calls, which execute shell commands without any safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of the Cacti user. Also, for more elaborate attacks, this can be combined with an XSS attack. Such an attack will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin.
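The defensive counterpart to findings 1 to 3 above, as an added example that is not Cacti's own code: a per-session CSRF token checked with hash_equals() on every state-changing POST, output encoding of the token where it is echoed into the form, and an exec-like call whose binary comes from a fixed allow-list instead of the request and whose arguments go through escapeshellarg(). The function names, the settings form and the allow-listed paths are hypothetical.

```php
<?php
// Added example (not Cacti code). Names and paths below are hypothetical.
session_start();

// Synchronizer token: one random token per session, embedded in every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Refuse any state-changing request whose token does not match the session's.
// hash_equals() compares in constant time, so the check does not leak the token.
function require_csrf_token(array $post): void
{
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || empty($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Never hand a request-supplied binary path to an exec-like call: choose it
// from a fixed allow-list and quote every argument with escapeshellarg().
const ALLOWED_BINARIES = ['/usr/bin/rrdtool', '/usr/bin/snmpwalk']; // example paths

function run_tool(string $binary, array $args): string
{
    if (!in_array($binary, ALLOWED_BINARIES, true)) {
        throw new InvalidArgumentException('binary is not on the allow-list');
    }
    $cmd = escapeshellarg($binary) . ' ' . implode(' ', array_map('escapeshellarg', $args));
    return (string) shell_exec($cmd);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_csrf_token($_POST);
    // ... apply the validated settings here ...
}
?>
<!-- The token is output-encoded, which is the same fix finding 1 needs. -->
<form method="post" action="settings.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="submit" value="Save">
</form>
```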

Deutsche Telekom CERT
Landgrabenweg 151, 53227 Bonn, Germany
+49 800 DTAG CERT (Tel.)
E-Mail: cert@telekom.de