Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary
Title New cacti packages fix insufficient input sanitising
Informations
Name: DSA-1954
Vendor: Debian
Severity (Vendor): N/A
First vendor Publication: 2009-12-16
Last vendor Modification: 2009-12-16
Revision: 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score: NA
Impact SubScore: NA
Exploitability Sub Score: NA
Environmental Score: NA
Temporal Score: NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Cvss Base Score: 9
Cvss Impact Score: 10
Cvss Exploit Score: 8
Attack Range: Network
Attack Complexity: Low
Authentication: Requires single instance

Detail

Several vulnerabilities have been found in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-3112, CVE-2007-3113

It was discovered that cacti is prone to a denial of service via the graph_height, graph_width, graph_start and graph_end parameters. This issue only affects the oldstable (etch) version of cacti.

CVE-2009-4032

It was discovered that cacti is prone to several cross-site scripting attacks via different vectors.

CVE-2009-4112

It has been discovered that cacti allows authenticated administrator users to gain access to the host system by executing arbitrary commands via the "Data Input Method" for the "Linux - Get Memory Usage" setting.

There is no fix for this issue at this stage. Upstream will implement a whitelist policy to only allow certain "safe" commands. For the moment, we recommend that such access is only given to trusted users and that the options "Data Input" and "User Administration" are otherwise deactivated.

For the oldstable distribution (etch), these problems have been fixed in version 0.8.6i-3.6.

For the stable distribution (lenny), this problem has been fixed in version 0.8.7b-2.1+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 0.8.7e-1.1.

We recommend that you upgrade your cacti packages.

Original Source

Url : http://www.debian.org/security/2009/dsa-1954

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-264 Permissions, Privileges, and Access Controls
50 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13514
 
Oval ID: oval:org.mitre.oval:def:13514
Title: DSA-1954-1 cacti -- insufficient input sanitising
Description: Several vulnerabilities have been found in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-3112, CVE-2007-3113 It was discovered that cacti is prone to a denial of service via the graph_height, graph_width, graph_start and graph_end parameters. This issue only affects the oldstable version of cacti. CVE-2009-4032 It was discovered that cacti is prone to several cross-site scripting attacks via different vectors. CVE-2009-4112 It has been discovered that cacti allows authenticated administrator users to gain access to the host system by executing arbitrary commands via the "Data Input Method" for the "Linux - Get Memory Usage" setting. There is no fix for this issue at this stage. Upstream will implement a whitelist policy to only allow certain "safe" commands. For the moment, we recommend that such access is only given to trusted users and that the options "Data Input" and "User Administration" are otherwise deactivated. For the oldstable distribution, these problems have been fixed in version 0.8.6i-3.6. For the stable distribution, this problem has been fixed in version 0.8.7b-2.1+lenny1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 0.8.7e-1.1. We recommend that you upgrade your cacti packages.
Family: unix Class: patch
Reference(s): DSA-1954-1
CVE-2007-3112
CVE-2007-3113
CVE-2009-4032
CVE-2009-4112
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): cacti
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6983
 
Oval ID: oval:org.mitre.oval:def:6983
Title: DSA-1954 cacti -- insufficient input sanitising
Description: Several vulnerabilities have been found in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that cacti is prone to a denial of service via the graph_height, graph_width, graph_start and graph_end parameters. This issue only affects the oldstable version of cacti. It was discovered that cacti is prone to several cross-site scripting attacks via different vectors. It has been discovered that cacti allows authenticated administrator users to gain access to the host system by executing arbitrary commands via the "Data Input Method" for the "Linux - Get Memory Usage" setting. There is no fix for this issue at this stage. Upstream will implement a whitelist policy to only allow certain "safe" commands. For the moment, we recommend that such access is only given to trusted users and that the options "Data Input" and "User Administration" are otherwise deactivated.
Family: unix Class: patch
Reference(s): DSA-1954
CVE-2007-3112
CVE-2007-3113
CVE-2009-4032
CVE-2009-4112
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): cacti
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 43
Application 24

ExploitDB Exploits

id Description
2009-11-26 Cacti 0.8.7e: Multiple Security Issues

OpenVAS Exploits

Date Description
2010-08-30 Name : Mandriva Update for cacti MDVSA-2010:160 (cacti)
File : nvt/gb_mandriva_MDVSA_2010_160.nasl
2010-01-15 Name : Fedora Update for cacti FEDORA-2009-12560
File : nvt/gb_fedora_2009_12560_cacti_fc12.nasl
2009-12-30 Name : Debian Security Advisory DSA 1954-1 (cacti)
File : nvt/deb_1954_1.nasl
2009-12-30 Name : Fedora Core 11 FEDORA-2009-12575 (cacti)
File : nvt/fcore_2009_12575.nasl
2009-12-01 Name : Cacti 'Linux - Get Memory Usage' Remote Command Execution Vulnerability
File : nvt/cacti_37137.nasl
2009-11-25 Name : Cacti Multiple HTML Injection Vulnerabilities
File : nvt/cacti_37109.nasl
2009-11-23 Name : FreeBSD Ports: cacti
File : nvt/freebsd_cacti6.nasl
2009-02-27 Name : Fedora Update for cacti FEDORA-2007-2199
File : nvt/gb_fedora_2007_2199_cacti_fc7.nasl
2009-02-27 Name : Fedora Update for cacti FEDORA-2007-3683
File : nvt/gb_fedora_2007_3683_cacti_fc7.nasl
2009-02-16 Name : Fedora Update for cacti FEDORA-2008-1737
File : nvt/gb_fedora_2008_1737_cacti_fc7.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
60653 Cacti Linux - Get Memory Usage Data Input Method Remote Privilege Escalation

60566 Cacti graph.php Multiple Parameter XSS

Cacti contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'graph_start' and 'graph_end' parameters upon submission to the graph.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
60565 Cacti include/top_graph_header.php Multiple Parameter XSS

Cacti contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'page_refresh' and 'default_dual_pane_width' parameters upon submission to the include/top_graph_header.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
60564 Cacti lib/html_form.php Multiple Parameter XSS

Cacti contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'name', 'value', 'form_previous_value' and 'array_display[id]' parameters upon submission to the lib/html_form.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
60483 Cacti lib/timespan_settings.php Multiple Parameter XSS

Cacti contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'date1' and 'date2' parameters upon submission to the lib/timespan_settings.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
37019 Cacti graph_image.php Multiple Variable Malformed Input Remote DoS

Nessus® Vulnerability Scanner

Date Description
2010-02-25 Name : The remote Fedora host is missing a security update.
File : fedora_2009-12560.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1954.nasl - Type : ACT_GATHER_INFO
2009-12-28 Name : The remote Fedora host is missing a security update.
File : fedora_2009-12575.nasl - Type : ACT_GATHER_INFO
2009-12-07 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_cacti-091202.nasl - Type : ACT_GATHER_INFO
2009-11-24 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_04104985d84611de84e400215af774f0.nasl - Type : ACT_GATHER_INFO
2007-11-26 Name : The remote Fedora host is missing a security update.
File : fedora_2007-3683.nasl - Type : ACT_GATHER_INFO
2007-11-06 Name : The remote Fedora host is missing a security update.
File : fedora_2007-2199.nasl - Type : ACT_GATHER_INFO

Alert History

Date Informations
2014-02-17 11:29:05
  • Multiple Updates