Your message dated Wed, 07 Dec 2022 21:04:23 +0000
with message-id <e1p31az-002gnn...@fasolo.debian.org>
and subject line Bug#1025648: fixed in cacti 1.2.22+ds1-3
has caused the Debian Bug report #1025648,
regarding cacti: CVE-2022-46169: Unauthenticated Command Injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1025648: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025648
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cacti
Version: 1.2.22+ds1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for cacti.

CVE-2022-46169[0]:
| Cacti is an open source platform which provides a robust and
| extensible operational monitoring and fault management framework for
| users. In affected versions a command injection vulnerability allows
| an unauthenticated user to execute arbitrary code on a server running
| Cacti, if a specific data source was selected for any monitored
| device. The vulnerability resides in the `remote_agent.php` file. This
| file can be accessed without authentication. This function retrieves
| the IP address of the client via `get_client_addr` and resolves this
| IP address to the corresponding hostname via `gethostbyaddr`. After
| this, it is verified that an entry within the `poller` table exists,
| where the hostname corresponds to the resolved hostname. If such an
| entry was found, the function returns `true` and the client is
| authorized. This authorization can be bypassed due to the
| implementation of the `get_client_addr` function. The function is
| defined in the file `lib/functions.php` and checks several `$_SERVER`
| variables to determine the IP address of the client. The variables
| beginning with `HTTP_` can be arbitrarily set by an attacker. Since
| there is a default entry in the `poller` table with the hostname of
| the server running Cacti, an attacker can bypass the authentication
| e.g. by providing the header `Forwarded-For: <TARGETIP>`. This
| way the function `get_client_addr` returns the IP address of the
| server running Cacti. The following call to `gethostbyaddr` will
| resolve this IP address to the hostname of the server, which will pass
| the `poller` hostname check because of the default entry. After the
| authorization of the `remote_agent.php` file is bypassed, an attacker
| can trigger different actions. One of these actions is called
| `polldata`. The called function `poll_for_data` retrieves a few
| request parameters and loads the corresponding `poller_item` entries
| from the database. If the `action` of a `poller_item` equals
| `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to
| execute a PHP script. The attacker-controlled parameter `$poller_id`
| is retrieved via the function `get_nfilter_request_var`, which allows
| arbitrary strings. This variable is later inserted into the string
| passed to `proc_open`, which leads to a command injection
| vulnerability. By e.g. providing the `poller_id=;id` the `id` command
| is executed. In order to reach the vulnerable call, the attacker must
| provide a `host_id` and `local_data_id`, where the `action` of the
| corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both
| of these ids (`host_id` and `local_data_id`) can easily be
| bruteforced. The only requirement is that a `poller_item` with an
| `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a
| productive instance because this action is added by some predefined
| templates like `Device - Uptime` or `Device - Polling Time`. This
| command injection vulnerability allows an unauthenticated user to
| execute arbitrary commands if a `poller_item` with the `action` type
| `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization
| bypass should be prevented by not allowing an attacker to make
| `get_client_addr` (file `lib/functions.php`) return an arbitrary IP
| address. This could be done by not honoring the `HTTP_...` `$_SERVER`
| variables. If these should be kept for compatibility reasons it should
| at least be prevented to fake the IP address of the server running
| Cacti. This vulnerability has been addressed in both the 1.2.x and
| 1.3.x release branches with `1.2.23` being the first release
| containing the patch.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46169
    https://www.cve.org/CVERecord?id=CVE-2022-46169
[1] https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
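The two defensive changes the advisory above recommends, deriving the client address without trusting attacker-settable `HTTP_*` headers (and never accepting the server's own address as a client) and validating `poller_id` before it can reach a `proc_open()` string, written out as an added PHP illustration. This is not Cacti's own code: the function names `resolve_client_addr` and `validate_poller_id`, the trusted-proxy list, the server's own address and the sample requests are all constructed for this example.

```php
<?php
// Added illustration, not Cacti's own code. Shows the two checks the advisory
// calls for: (1) derive the client address from REMOTE_ADDR, honoring a
// forwarded header only when the request physically arrived from a configured
// trusted proxy, and refusing the server's own address as a "client";
// (2) accept poller_id only as a positive integer so it can never contribute
// shell metacharacters to a command string.

declare(strict_types=1);

/**
 * Resolve the client IP from a $_SERVER-like array.
 * $trustedProxies: proxy addresses whose X-Forwarded-For we are willing to read.
 * $selfAddrs: this server's own addresses; never accepted as a client.
 * Returns null when no trustworthy address can be determined.
 */
function resolve_client_addr(array $server, array $trustedProxies, array $selfAddrs): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    $client = $remote;

    // Only a request that arrived from a trusted proxy may carry a forwarded
    // address; for every other request the HTTP_* headers are ignored entirely.
    if (in_array($remote, $trustedProxies, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // X-Forwarded-For reads "client, proxy1, proxy2"; walk from the right and
        // take the first hop that is not itself one of our trusted proxies.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (in_array($hops[$i], $trustedProxies, true)) {
                continue;
            }
            if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
                return null; // malformed header: refuse rather than guess
            }
            $client = $hops[$i];
            break;
        }
    }

    // The authorization bypass described in the advisory relied on the resolved
    // address being the Cacti server itself; refuse that however it was derived.
    if (in_array($client, $selfAddrs, true)) {
        return null;
    }
    return $client;
}

/**
 * Accept poller_id only as a positive integer. Anything else (including a
 * string carrying ';' or other shell metacharacters) is rejected before any
 * command string is built.
 */
function validate_poller_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample requests (not captured traffic). Addresses are from the
// documentation ranges; the "server" and "proxy" values are assumptions.
$self    = ['203.0.113.10'];
$proxies = ['198.51.100.1'];

// A direct request whose forwarded header claims the server's own address:
// the header is ignored because REMOTE_ADDR is not a trusted proxy.
$direct = ['REMOTE_ADDR' => '192.0.2.55', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];

// The same header arriving through the trusted proxy: the header is read, but
// the claimed address is the server itself, so the request is still refused.
$viaProxySpoof = ['REMOTE_ADDR' => '198.51.100.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];

// A normal client behind the trusted proxy: the leftmost untrusted hop is used.
$viaProxy = ['REMOTE_ADDR' => '198.51.100.1', 'HTTP_X_FORWARDED_FOR' => '192.0.2.77, 198.51.100.1'];

var_dump(resolve_client_addr($direct, $proxies, $self));
var_dump(resolve_client_addr($viaProxySpoof, $proxies, $self));
var_dump(resolve_client_addr($viaProxy, $proxies, $self));
var_dump(validate_poller_id('1'));
var_dump(validate_poller_id(';id'));
```

Run it with `php example.php`. The design choice worth noting is that the forwarded header is a property of the hop the request came from, not of the request: a deployment with no reverse proxy passes an empty `$trustedProxies` list and the header path is never taken, which is the "do not honor the `HTTP_...` variables" option from the advisory; a deployment behind a proxy lists that proxy and still cannot be made to resolve to its own address.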
--- Begin Message ---
Source: cacti
Source-Version: 1.2.22+ds1-3
Done: Paul Gevers <elb...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1025...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elb...@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 06 Dec 2022 22:16:33 +0100
Source: cacti
Architecture: source
Version: 1.2.22+ds1-3
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-ma...@lists.alioth.debian.org>
Changed-By: Paul Gevers <elb...@debian.org>
Closes: 1025648
Changes:
 cacti (1.2.22+ds1-3) unstable; urgency=medium
 .
   [ Athos Ribeiro ]
   * Update installing guides for NO_AUTO_CREATE_USER
 .
   [ Paul Gevers ]
   * Add 7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216.patch to fix
     CVE-2022-46169 (Closes: #1025648)
   * Update debian.php.dist for the fix above to incorporate the
     configuration changes in the package defaults
Checksums-Sha1:
 72cd3242a67540ca83735c8d356be7304b077ab6 2236 cacti_1.2.22+ds1-3.dsc
 956ba14ca427e77c8075168fc48d6428fd5c5b04 61976 cacti_1.2.22+ds1-3.debian.tar.xz
Checksums-Sha256:
 1c675817bf37cea7d89a2b237546d786d4a1db390c75023aa5a07e44cd133070 2236 cacti_1.2.22+ds1-3.dsc
 f6fc5167919cd78a60221f857b08a9cf92194a1b96385f18879e8bfc3b97873a 61976 cacti_1.2.22+ds1-3.debian.tar.xz
Files:
 6d183111fe2caa7094ee5c37708e829c 2236 web optional cacti_1.2.22+ds1-3.dsc
 7ce60405e57bde931259f94be4d5ed61 61976 web optional cacti_1.2.22+ds1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmOQ+K8ACgkQnFyZ6wW9
dQpymwf+LdKjnQst9WCLBoz2+6FU72qFN8/keKSR27epHgASoxj30BVNDIA+CDfm
0I5D7Lx3SE37J3VIuIR+OL55cp+sLm0kzfHa0kzJIWK/RpB4/Klv1+mBGzavVM1d
TeBi90OQqF/T1i33xgglgzuL5kpmoUspwifDD50fGaRQiLQ+IuTECMyhdOZKHFyW
5v05Fe7eg5wc4ECLD2oF5dwK3PEIP4ttTuIp7dZ9rKRTGo3znu5inxuSZ9BjuhcW
O3v42PbCoXxDL2UizsDR/aVPUpH/6Jaqi6ZVMdKtaoMa0vxh+zKI94Xmsv31JXK1
OXEbv8T9kmKWiz/iMuvSBmNzoGkyfw==
=bVIc
-----END PGP SIGNATURE-----

--- End Message ---