cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request

Debian Bug report logs - #881110


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 7 Nov 2017 21:21:05 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions cacti/0.8.8a+dfsg-5+deb7u10, cacti/0.8.8a+dfsg-5, cacti/1.1.27+ds1-2

Fixed in version cacti/1.1.27+ds1-3

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Cacti/cacti/issues/1057




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#881110; Package src:cacti. (Tue, 07 Nov 2017 21:21:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 07 Nov 2017 21:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request
Date: Tue, 07 Nov 2017 22:17:47 +0100
Source: cacti
Version: 1.1.27+ds1-2
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/Cacti/cacti/issues/1057

Hi,

the following vulnerability was published for cacti.

CVE-2017-16641[0]:
| lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
| to execute arbitrary OS commands via the path_rrdtool parameter in an
| action=save request to settings.php.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16641
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16641
[1] https://github.com/Cacti/cacti/issues/1057

Please adjust the affected versions in the BTS as needed, only did
check unstable's version for now source-wise.

Regards,
Salvatore
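The CVE text above describes the pattern in one sentence: an administrator-controlled setting (path_rrdtool) ends up inside a shell command line. The following is an illustrative example added to this bug log; it is not Cacti's code and does not reproduce the upstream fix. It puts the unsafe pattern next to a hardened version that validates the setting at save time and quotes every argument before the shell sees it. All function names and the sample values are hypothetical.

```php
<?php
// Illustrative example added for this bug log; it is not Cacti's code.
// It contrasts the unsafe pattern behind CVE-2017-16641 (an admin-controlled
// path setting spliced into a shell command line) with a hardened version.
// Function names and the sample values are hypothetical.

// Unsafe: the stored setting becomes part of a shell string, so a value such as
// "/usr/bin/rrdtool; id" runs a second command. Kept here only as the "before".
function rrdtool_info_unsafe(string $path_rrdtool, string $rrd_file): string
{
    return (string) shell_exec($path_rrdtool . ' info ' . $rrd_file . ' 2>&1');
}

// Validation to run when the setting is saved (the action=save step) and again
// before every use, since a stored value may predate the check.
function validate_rrdtool_path(string $path): bool
{
    // Absolute path built only from characters that are inert to the shell;
    // this also rejects NUL, whitespace, quotes, ';', '|', '&' and backticks.
    if (!preg_match('#^/[A-Za-z0-9._+-]+(/[A-Za-z0-9._+-]+)*$#', $path)) {
        return false;
    }
    // No parent-directory segments.
    if (strpos($path, '..') !== false) {
        return false;
    }
    // Policy choice for this example: the setting is meant to name rrdtool,
    // so require that the basename starts with "rrdtool".
    if (strpos(basename($path), 'rrdtool') !== 0) {
        return false;
    }
    // realpath() follows symlinks; the target must be an executable regular file.
    $real = realpath($path);
    return $real !== false && is_file($real) && is_executable($real);
}

// Hardened: validate, then quote every argument so nothing is interpreted.
function rrdtool_info_safe(string $path_rrdtool, string $rrd_file): ?string
{
    if (!validate_rrdtool_path($path_rrdtool)) {
        return null;
    }
    $cmd = escapeshellarg($path_rrdtool) . ' info ' . escapeshellarg($rrd_file) . ' 2>&1';
    $out = shell_exec($cmd);
    return ($out === null || $out === false) ? '' : (string) $out;
}

// Constructed sample values (hypothetical).
var_dump(validate_rrdtool_path('/usr/bin/rrdtool; id'));    // ';' and ' ' are outside the allowed set
var_dump(validate_rrdtool_path('/usr/bin/rrdtool`id`'));     // backticks are outside the allowed set
var_dump(validate_rrdtool_path('/usr/bin/../bin/rrdtool'));  // '..' is refused
var_dump(validate_rrdtool_path('/usr/bin/rrdtool'));         // accepted where that binary exists
```

The first three sample values fail the character or '..' checks regardless of the host; the last is accepted only where /usr/bin/rrdtool exists and is executable. Two caveats a reviewer would raise: on PHP 7.4 and later, passing an array as the command to proc_open() avoids the shell entirely and is preferable to escapeshellarg(); and no amount of input validation changes the point Paul makes later in this log, that a Cacti administrator who can point the setting at any executable on the box already has code execution, so the setting must remain restricted to accounts that are trusted with that.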



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#881110; Package src:cacti. (Fri, 10 Nov 2017 18:51:03 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 10 Nov 2017 18:51:03 GMT)


Message #10 received at 881110@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: Debian Long time support <debian-lts@lists.debian.org>, 881110@bugs.debian.org
Subject: Re: Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request
Date: Fri, 10 Nov 2017 19:47:22 +0100
Control: found 881110 0.8.8a+dfsg-5+deb7u10

On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed, only did
> check unstable's version for now source-wise.

All versions in Debian are affected.

Unfortunately the upstream commit contains many unneeded changes to fix
the issue. Additionally, for pre-buster fixes, the code in settings.php
is seriously different.

Paul



Marked as found in versions cacti/0.8.8a+dfsg-5+deb7u10. Request was from Paul Gevers <elbrus@debian.org> to 881110-submit@bugs.debian.org. (Fri, 10 Nov 2017 18:51:03 GMT)


Marked as found in versions cacti/0.8.8a+dfsg-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 10 Nov 2017 19:33:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#881110; Package src:cacti. (Fri, 10 Nov 2017 20:30:06 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 10 Nov 2017 20:30:06 GMT)


Message #19 received at 881110@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 881110@bugs.debian.org
Cc: Debian Security <security@debian.org>
Subject: Re: Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request
Date: Fri, 10 Nov 2017 21:26:17 +0100
Control: severity -1 important
Control: tags -1 pending

Hi all,

On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> Severity: grave
> CVE-2017-16641[0]:
> | lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
> | to execute arbitrary OS commands via the path_rrdtool parameter in an
> | action=save request to settings.php.

Although this is true, and this parameter is not meant to be used like
this, the cacti *admin* has always had this possibility via the "Data
Input Method" freedom, which caused CVE-2009-4112 / bug 561339 to be
raised. I just confirmed that I could indeed still do this via that
(trivial) route.

So just to be clear (and I don't particularly like it), the power of the
cacti *admin* has been long known and has been accepted as unfixed for
multiple Debian releases. Therefore I lower the severity of this bug.

Unfortunately the upstream patch for this bug does not simply apply to
pre 1.x versions of cacti. I am not comfortable (yet) with creating a
patch for those versions, and due to CVE-2009-4112, I don't think it is
worth fixing this in stable and older.

Paul

PS: one other option is to raise the severity of 561339 again, but I don't
expect the patch to then miraculously turn up.


Severity set to 'important' from 'grave'. Request was from Paul Gevers <elbrus@debian.org> to 881110-submit@bugs.debian.org. (Fri, 10 Nov 2017 20:30:06 GMT)


Added tag(s) pending. Request was from Paul Gevers <elbrus@debian.org> to 881110-submit@bugs.debian.org. (Fri, 10 Nov 2017 20:30:06 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 13 Nov 2017 17:36:32 GMT)


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Tue, 14 Nov 2017 20:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 14 Nov 2017 20:51:06 GMT)


Message #30 received at 881110-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 881110-close@bugs.debian.org
Subject: Bug#881110: fixed in cacti 1.1.27+ds1-3
Date: Tue, 14 Nov 2017 20:49:34 +0000
Source: cacti
Source-Version: 1.1.27+ds1-3

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881110@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Nov 2017 20:14:34 +0100
Source: cacti
Binary: cacti
Architecture: source
Version: 1.1.27+ds1-3
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 881110
Changes:
 cacti (1.1.27+ds1-3) unstable; urgency=medium
 .
   * CVE-2017-16641: remote authenticated administrators can execute
     arbitrary os commands via the path_rrdtool parameter in an action=save
     request to settings.php (Closes: #881110)
   * CVE-2017-16660: remote authenticated administrators can conduct Remote
     Code Execution attacks by placing the Log Path under the web root, and
     then making a remote_agent.php request containing PHP code in a
     Client-ip header
   * CVE-2017-16661: remote authenticated administrators can read arbitrary
     files accessible by the web-server user by placing the Log Path into a
     private directory, and then making a clog.php?filename= request
   * CVE-2017-16785: reflected XSS via the PATH_INFO to host.php
     (reintroduction of CVE-2017-15194)
   * Bump standards to 4.1.1
   * Set Priority to optional
Checksums-Sha1:
 6da0c05e6b24552f8e3f4c0d995152531237f5e1 2134 cacti_1.1.27+ds1-3.dsc
 e0d1f509fb465f2c1676b254fc0d5b1362e9f7f5 56092 cacti_1.1.27+ds1-3.debian.tar.xz
Checksums-Sha256:
 9d77784c2545398d29f325c99764b1aebeb8966bb7d12e5c0dda78e7673306f3 2134 cacti_1.1.27+ds1-3.dsc
 519db95eb5fd254f309faad31aaeb2d79fa1b2bbe8a8c604aa8b8fdcc7203f44 56092 cacti_1.1.27+ds1-3.debian.tar.xz
Files:
 2f7335b2759d8227a2b170074abf98de 2134 web optional cacti_1.1.27+ds1-3.dsc
 fd6375c1fc789d1654364421b949f5ac 56092 web optional cacti_1.1.27+ds1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAloLTQwACgkQnFyZ6wW9
dQpdEQgArlYK+cTh43PDHWpBbVGsg2TSH6vkIPQXUbM10uTcKHvgbd+vF83tYoh4
PQ+KHUImJhDc0Kd6bVfk9TixKG0KAm3FQ4sMleNCtQugoDKeR1qPadEbXlZB1GNp
AqgAUvYfWWPF1u4bi/ZCB+WJULOeiU8J2WNCa64ppbSUpQLy2JD9kHaRuypYw3YQ
8KkC0eY7dTsaDzpjkQOYjZLXKiivvTRDh4oUYJ88mPJDcXIziC2a6in4lWUcQyho
/fker79akY1cL6KDKoOdff8iq86V1h9WD9aLWetZu/SEw96ysWHHvu0fmM9IJmHa
uEs97E9RHMxHHnsik8P970Z1cxUwag==
=x3y5
-----END PGP SIGNATURE-----
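The changelog above also lists two issues that are both about where the Log Path setting may point and which file a request may read back (CVE-2017-16660 and CVE-2017-16661). The following is an illustrative example added to this bug log; it is not Cacti's code and does not reproduce the upstream fixes. It shows the two containment checks a practitioner would want for that pattern: refusing a log path under any web document root, and resolving a user-supplied filename strictly inside the log directory. Function names, the web-root list and the sample paths are hypothetical.

```php
<?php
// Illustrative example added for this bug log; it is not Cacti's code.
// Two containment checks aimed at the patterns behind CVE-2017-16660 and
// CVE-2017-16661 as described in the changelog:
//   1. a Log Path setting must not resolve to anything under a web document
//      root, so a log line carrying PHP from a request header is never served
//      as a script;
//   2. a filename parameter may only name a file inside the configured log
//      directory, so it cannot be turned into an arbitrary-file read.
// Function names, the web-root list and the sample paths are hypothetical.

// True when $path equals $dir or lies below it. Both must already be
// canonical (output of realpath()), otherwise "a/../b" defeats the prefix test.
function path_is_under(string $path, string $dir): bool
{
    $dir = rtrim($dir, '/');
    return $path === $dir || strpos($path, $dir . '/') === 0;
}

// Check 1: run when the Log Path setting is saved.
function log_path_allowed(string $log_path, array $web_roots): bool
{
    if (!preg_match('#^/[A-Za-z0-9._/+-]+$#', $log_path) || strpos($log_path, '..') !== false) {
        return false;
    }
    // The directory must already exist; the log file itself may not yet.
    $dir = realpath(dirname($log_path));
    if ($dir === false) {
        return false;
    }
    foreach ($web_roots as $root) {
        $real_root = realpath($root);
        if ($real_root !== false && path_is_under($dir, $real_root)) {
            return false;
        }
    }
    return true;
}

// Check 2: run on every request that names a log file to display.
function resolve_log_file(string $log_dir, string $filename): ?string
{
    // A bare file name only: no path separators, no NUL byte.
    if ($filename === '' || strpbrk($filename, "/\\\0") !== false) {
        return null;
    }
    $base = realpath($log_dir);
    if ($base === false) {
        return null;
    }
    // realpath() follows symlinks, so a link planted inside the log directory
    // that points elsewhere is also caught by the containment test.
    $target = realpath($base . '/' . $filename);
    if ($target === false || !is_file($target) || !path_is_under($target, $base)) {
        return null;
    }
    return $target;
}

// Constructed sample (hypothetical paths): a log path under a web root, one
// under /var/log, a filename that tries to escape, and a plain filename.
$web_roots = ['/var/www', '/usr/share/cacti/site'];
var_dump(log_path_allowed('/var/www/html/cacti.log', $web_roots));
var_dump(log_path_allowed('/var/log/cacti/cacti.log', $web_roots));
var_dump(resolve_log_file('/var/log/cacti', '../../etc/passwd'));
var_dump(resolve_log_file('/var/log/cacti', 'cacti.log'));
```

Because both checks go through realpath(), the results on a given host depend on which of those directories and files exist there; the traversal attempt is rejected before any filesystem lookup. The checks should run as the same user and with the same filesystem view as the web server, since that is the process whose read and write permissions are at stake.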




Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#881110; Package src:cacti. (Mon, 20 Nov 2017 20:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 20 Nov 2017 20:33:03 GMT)


Message #35 received at 881110@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Paul Gevers <elbrus@debian.org>
Cc: 881110@bugs.debian.org, Debian Security <security@debian.org>
Subject: Re: Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request
Date: Mon, 20 Nov 2017 21:30:36 +0100
Hi Paul,

Sorry for the delayed reply.

On Fri, Nov 10, 2017 at 09:26:17PM +0100, Paul Gevers wrote:
> Control: severity -1 important
> Control: tags -1 pending
> 
> Hi all,
> 
> On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> > Severity: grave
> > CVE-2017-16641[0]:
> > | lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
> > | to execute arbitrary OS commands via the path_rrdtool parameter in an
> > | action=save request to settings.php.
> 
> Although this is true, and this parameter is not meant to be used like
> this, the cacti *admin* has always had this possibility via the "Data
> Input Method" freedom, which caused CVE-2009-4112 / bug 561339 to be
> raised. I just confirmed that I could indeed still do this via that
> (trivial) route.
> 
> So just to be clear (and I don't particularly like it), the power of the
> cacti *admin* has been long known and has been accepted as unfixed for
> multiple Debian releases. Therefore I lower the severity of this bug.
> 
> Unfortunately the upstream patch for this bug does not simply apply to
> pre 1.x versions of cacti. I am not comfortable (yet) with creating a
> patch for those versions, and due to CVE-2009-4112, I don't think it is
> worth fixing this in stable and older.

Ok! Your argument makes sense to me, and I went ahead to mark the
issue as no-dsa for stretch and jessie. Still, if upstream provides
help in addressing any of those two issues it would be great to see fixes
at some point, e.g. via a point release or picked up in a DSA as well.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#881110; Package src:cacti. (Mon, 20 Nov 2017 21:12:03 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 20 Nov 2017 21:12:03 GMT)


Message #40 received at 881110@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: Debian Security <security@debian.org>
Cc: 881110@bugs.debian.org
Subject: Re: Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request
Date: Mon, 20 Nov 2017 22:10:07 +0100
Hi Salvatore,

On 20-11-17 21:30, Salvatore Bonaccorso wrote:
> Sorry for the delayed reply.

NP.

> Ok! Your argument makes sense to me, and I went ahead to mark the
> issue as no-dsa for stretch and jessie.

Thanks.

> Still, if upstream provides
> help in addressing any of those two issues it would be great to see fixes
> at some point, e.g. via a point release or picked up in a DSA as well.

Sure, will do. I am hoping that upstream will provide a patch for
CVE-2009-4112 in a reasonable time from now. Upstream has really stepped
up since the preparation of 1.x started and they were getting closer to
actually releasing it. If/once that happens, I'll make sure I'll
backport both that patch and the one for this issue, but then it is
worth the effort in my opinion.

Paul


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Apr 2018 07:26:21 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:48:02 2019; Machine Name: buxtehude
