[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti
- To: <BugTraq@xxxxxxxxxxxxxxxxx>
- Subject: Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti
- From: <CERT@xxxxxxxxxx>
- Date: Mon, 24 Mar 2014 16:41:27 +0100
Deutsche Telekom CERT Advisory [DTC-A-20140324-001]
Summary:
Three vulnerabilities were found in cacti version 0.8.7g.
The vulnerabilities are:
1) Stored Cross-Site Scripting (XSS) (via URL)
2) Missing CSRF (Cross-Site Request Forgery) token allows execution of
arbitrary commands
3) The use of exec-like function calls without safety checks allow arbitrary
commands
At the moment we have no feedback regarding a patch from the developers.
Homepage: http://www.cacti.net/
Recommendations:
The developer has not fixed all vulnerabilities. Therefore the client systems
used to login to Cacti should be isolated from each external network including
internet connection over proxy server, to prevent any threats concerning the
open vulnerabilities.
Details:
a) application
b) problem
c) CVSS
d) detailed description
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a1) Cacti 0.8.7g [CVE-2014-2326]
b1) Stored Cross-Site Scripting (XSS) (via URL)
c1) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d1) The Cacti application is susceptible to stored XSS attacks. This is mainly
the result of improper output encoding.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a2) Cacti 0.8.7g [CVE-2014-2327]
b2) Missing CSRF (Cross-Site Request Forgery) token allows execution of
arbitrary commands
c2) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d2) The Cacti application does not implement any CSRF tokens. More about CSRF
attacks, risks and mitigations see
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack
has a vast impact on the security of the Cacti application, as multiple
configuration parameters can be changed using a CSRF attack. One very critical
attack vector is the modification of several binary files in the Cacti
configuration, which may then be executed on the server. This results in full
compromise of the Cacti host by just clicking a web link. A proof of concept
exploit has been developed, which allows this attack, resulting in full (system
level) access of the Cacti system.
Further attack scenarios include the modification of the Cacti configuration
and adding arbitrary (admin) users to the application.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a3) Cacti 0.8.7g [CVE-2014-2328]
b3) The use of exec-like function calls without safety checks allow arbitrary
commands
c3) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d3) Cacti makes use of exec-like method PHP function calls, which execute
command shell code without any safety checks in place. In combination with a
CSRF weakness this can be triggered without the knowledge of the Cacti user.
Also, for more elaborate attacks, this can be combined with a XSS attack. Such
an attack will result in full system (Cacti host) access without any
interaction or knowledge of the Cacti admin.
Deutsche Telekom CERT
Landgrabenweg 151, 53227 Bonn, Germany
+49 800 DTAG CERT (Tel.)
E-Mail: cert@xxxxxxxxxx
Life is for sharing.
Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: Timotheus Höttges (Chairman),
Dr. Thomas Kremer, Reinhard Clemens, Niek Jan van Damme,
Thomas Dannenfeldt, Claudia Nemat, Prof. Dr. Marion Schick
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn
Big changes start small – conserve resources by not printing every e-mail.