lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <F431B9A0925EB54789AB192CE6A35EFF3679881CF9@HE111649.emea1.cds.t-internal.com>
Date: Mon, 24 Mar 2014 16:41:27 +0100
From: <CERT@...ekom.de>
To: <BugTraq@...urityfocus.com>
CC: <CERT@...ekom.de>
Subject: Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities
 in cacti

Deutsche Telekom CERT Advisory [DTC-A-20140324-001] 
 
Summary:
Three vulnerabilities were found in cacti version 0.8.7g. 
 
The vulnerabilities are:
1) Stored Cross-Site Scripting (XSS) (via URL)
2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
3) The use of exec-like function calls without safety checks allow arbitrary commands
 
At the moment we have no feedback regarding a patch from the developers.
 
Homepage: http://www.cacti.net/
 
Recommendations:
The developer has not fixed all vulnerabilities. Therefore the client systems used to login to Cacti should be isolated from each external network including internet connection over proxy server, to prevent any threats concerning the open vulnerabilities.
 
Details:
a) application
b) problem
c) CVSS
d) detailed description
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a1) Cacti 0.8.7g [CVE-2014-2326]
b1) Stored Cross-Site Scripting (XSS) (via URL)
c1) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d1) The Cacti application is susceptible to stored XSS attacks. This is mainly the result of improper output encoding. 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a2) Cacti 0.8.7g [CVE-2014-2327]
b2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
c2) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d2) The Cacti application does not implement any CSRF tokens. More about CSRF attacks, risks and mitigations see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack has a vast impact on the security of the Cacti application, as multiple configuration parameters can be changed using a CSRF attack. One very critical attack vector is the modification of several binary files in the Cacti configuration, which may then be executed on the server. This results in full compromise of the Cacti host by just clicking a web link. A proof of concept exploit has been developed, which allows this attack, resulting in full (system level) access of the Cacti system.
Further attack scenarios include the modification of the Cacti configuration and adding arbitrary (admin) users to the application.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a3) Cacti 0.8.7g [CVE-2014-2328]
b3) The use of exec-like function calls without safety checks allow arbitrary commands
c3) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d3) Cacti makes use of exec-like method PHP function calls, which execute command shell code without any safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of the Cacti user. Also, for more elaborate attacks, this can be combined with a XSS attack. Such an attack will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin.
 
 
Deutsche Telekom CERT
Landgrabenweg 151, 53227 Bonn, Germany
+49 800 DTAG CERT (Tel.)
E-Mail: cert@...ekom.de
Life is for sharing.
 
Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: Timotheus Höttges (Chairman),
Dr. Thomas Kremer, Reinhard Clemens, Niek Jan van Damme,
Thomas Dannenfeldt, Claudia Nemat, Prof. Dr. Marion Schick
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn
 
Big changes start small – conserve resources by not printing every e-mail.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ