Your message dated Sat, 10 Dec 2022 23:47:09 +0000
with message-id <e1p49yj-0060sp...@fasolo.debian.org>
and subject line Bug#1025648: fixed in cacti 1.2.16+ds1-2+deb11u1
has caused the Debian Bug report #1025648,
regarding cacti: CVE-2022-46169: Unauthenticated Command Injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1025648: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025648
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cacti
Version: 1.2.22+ds1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for cacti.
CVE-2022-46169[0]:
| Cacti is an open source platform which provides a robust and
| extensible operational monitoring and fault management framework for
| users. In affected versions a command injection vulnerability allows
| an unauthenticated user to execute arbitrary code on a server running
| Cacti, if a specific data source was selected for any monitored
| device. The vulnerability resides in the `remote_agent.php` file. This
| file can be accessed without authentication. This function retrieves
| the IP address of the client via `get_client_addr` and resolves this
| IP address to the corresponding hostname via `gethostbyaddr`. After
| this, it is verified that an entry within the `poller` table exists,
| where the hostname corresponds to the resolved hostname. If such an
| entry was found, the function returns `true` and the client is
| authorized. This authorization can be bypassed due to the
| implementation of the `get_client_addr` function. The function is
| defined in the file `lib/functions.php` and checks several `$_SERVER`
| variables to determine the IP address of the client. The variables
| beginning with `HTTP_` can be arbitrarily set by an attacker. Since
| there is a default entry in the `poller` table with the hostname of
| the server running Cacti, an attacker can bypass the authentication
| e.g. by providing the header `Forwarded-For: <TARGETIP>`. This
| way the function `get_client_addr` returns the IP address of the
| server running Cacti. The following call to `gethostbyaddr` will
| resolve this IP address to the hostname of the server, which will pass
| the `poller` hostname check because of the default entry. After the
| authorization of the `remote_agent.php` file is bypassed, an attacker
| can trigger different actions. One of these actions is called
| `polldata`. The called function `poll_for_data` retrieves a few
| request parameters and loads the corresponding `poller_item` entries
| from the database. If the `action` of a `poller_item` equals
| `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to
| execute a PHP script. The attacker-controlled parameter `$poller_id`
| is retrieved via the function `get_nfilter_request_var`, which allows
| arbitrary strings. This variable is later inserted into the string
| passed to `proc_open`, which leads to a command injection
| vulnerability. By e.g. providing the `poller_id=;id` the `id` command
| is executed. In order to reach the vulnerable call, the attacker must
| provide a `host_id` and `local_data_id`, where the `action` of the
| corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both
| of these ids (`host_id` and `local_data_id`) can easily be
| bruteforced. The only requirement is that a `poller_item` with an
| `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a
| productive instance because this action is added by some predefined
| templates like `Device - Uptime` or `Device - Polling Time`. This
| command injection vulnerability allows an unauthenticated user to
| execute arbitrary commands if a `poller_item` with the `action` type
| `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization
| bypass should be prevented by not allowing an attacker to make
| `get_client_addr` (file `lib/functions.php`) return an arbitrary IP
| address. This could be done by not honoring the `HTTP_...` `$_SERVER`
| variables. If these should be kept for compatibility reasons it should
| at least be prevented to fake the IP address of the server running
| Cacti. This vulnerability has been addressed in both the 1.2.x and
| 1.3.x release branches with `1.2.23` being the first release
| containing the patch.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-46169
https://www.cve.org/CVERecord?id=CVE-2022-46169
[1] https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
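Added illustration (not Cacti's own code and not the Debian patch) of the two defects described in the report above, each beside a hardened form: the function names follow the advisory, but the bodies, the trusted-proxy list and the sample `$_SERVER` array are constructed assumptions.

```php
<?php
// Added example, not upstream Cacti code. Shows why trusting HTTP_* headers
// for the client address and interpolating poller_id into a shell string
// are dangerous, and what the hardened equivalents look like.

// Weak: every HTTP_* key comes from the request, so the caller chooses the
// "client address" that the poller hostname check is later run against.
function get_client_addr_weak(array $server): string {
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $k) {
        if (!empty($server[$k])) {
            return trim(explode(',', $server[$k])[0]);
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened: honour a forwarded header only when the TCP peer is a trusted
// reverse proxy, require a syntactically valid IP, and never accept a value
// that resolves to this host (the default poller entry the advisory mentions).
function get_client_addr_hardened(array $server, array $trustedProxies, array $selfAddrs): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $candidate = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false && !in_array($candidate, $selfAddrs, true)) {
            return $candidate;
        }
    }
    return $remote;
}

// Weak: an unfiltered request variable is dropped straight into the command.
function build_poll_cmd_weak(string $script, string $pollerId): string {
    return "php $script $pollerId";
}

// Hardened: poller_id is an integer key, so reject anything else before
// proc_open, and shell-quote every argument that does get through.
function build_poll_cmd_hardened(string $script, string $pollerId): ?string {
    if (!preg_match('/^[0-9]+$/', $pollerId)) {
        return null;
    }
    return 'php ' . escapeshellarg($script) . ' ' . escapeshellarg($pollerId);
}

// Constructed request: the TCP peer is 203.0.113.5 (not a trusted proxy), but the
// forwarded header names 192.0.2.10, which we assume is the Cacti server's own IP.
$srv = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.10'];
echo 'weak:     ', get_client_addr_weak($srv), PHP_EOL;
echo 'hardened: ', get_client_addr_hardened($srv, ['10.0.0.2'], ['192.0.2.10']), PHP_EOL;
var_dump(build_poll_cmd_hardened('poller.php', '1'), build_poll_cmd_hardened('poller.php', ';id'));
```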
--- Begin Message ---
Source: cacti
Source-Version: 1.2.16+ds1-2+deb11u1
Done: Paul Gevers <elb...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1025...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elb...@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 08 Dec 2022 09:50:14 +0100
Source: cacti
Architecture: source
Version: 1.2.16+ds1-2+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-ma...@lists.alioth.debian.org>
Changed-By: Paul Gevers <elb...@debian.org>
Closes: 1008693 1025648
Changes:
cacti (1.2.16+ds1-2+deb11u1) bullseye-security; urgency=medium
.
* Add 7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216.patch to fix CVE-2022-46169
(Closes: #1025648)
* Add two patches to fix CVE-2022-0730 (Closes: #1008693)
* Update configuration template for CVE-2022-46169
--- End Message ---