An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5214-1 advisory.

    It was discovered that Cacti was incorrectly validating permissions for user accounts that had been     recently disabled. An authenticated attacker could possibly use this to obtain unauthorized access to     application and system data. (CVE-2020-13230)

    It was discovered that Cacti was incorrectly performing authorization checks in auth_profile.php. A remote     unauthenticated attacker could use this to perform a CSRF attack and set a new admin email or make other     changes. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-13231)

    It was discovered that Cacti incorrectly handled user provided input sent through request parameters to     the color.php script. A remote authenticated attacker could use this issue to perform SQL injection     attacks. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-14295)

    It was discovered that Cacti did not properly escape file input fields when performing template import     operations for various themes. An authenticated attacker could use this to perform XSS attacks. This issue     only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-14424)

    It was discovered that Cacti incorrectly handled user provided input sent through request parameters to     the data_debug.php script. A remote authenticated attacker could use this issue to perform SQL injection     attacks. This issue only affected Ubuntu 20.04 ESM. (CVE-2020-35701)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Cati team reports :

Due to a lack of validation, data_debug.php can be the source of a SQL injection.

This update for cacti, cacti-spine fixes the following issues :

cacti-spine was updated to 1.2.17 :

  - Avoid triggering DDos detection in firewalls on large     systems

  - Use mysql reconnect option properly

  - Fix possible creashes in various operations

  - Fix remote data collectors pushing too much data to main     when performing diagnostics

  - Make spine more responsive when remote connection is     down

  - Fix various MySQL issues

  - Make spine immune to DST changes

cacti-spine 1.2.16 :

  - Some developer debug log messages falsely labeled as     WARNINGS

  - Remove the need of the dos2unix program

  - Fix Spine experiencing MySQL socket error 2002 under     load

  - Under heavy load MySQL/MariaDB return 2006 and 2013     errors on query

  - Add backtrace output to stderr for signals

  - Add Data Source turnaround time to debug output

cacti-spine 1.2.15 :

  - Special characters may not always be ignored properly

cacti was updated to 1.2.17 :

  - Fix incorrect handling of fields led to potential XSS     issues

  - CVE-2020-35701: Fix SQL Injection vulnerability     (boo#1180804)

  - Fix various XSS issues with HTML Forms handling

  - Fix handling of Daylight Saving Time changes

  - Multiple fixes and extensions to plugins

  - Fix multiple display, export, and input validation     issues

  - SNMPv3 Password field was not correctly limited

  - Improved regular expression handling for searcu

  - Improved support for RRDproxy

  - Improved behavior on large systems

  - MariaDB/MysQL: Support persistent connections and     improve multiple operations and options

  - Add Theme 'Midwinter'

  - Modify automation to test for data before creating     graphs

  - Add hooks for plugins to show customize graph source and     customize template url

  - Allow CSRF security key to be refreshed at command line

  - Allow remote pollers statistics to be cleared

  - Allow user to be automatically logged out after admin     defined period

  - When replicating, ensure Cacti can detect and verify     replica servers

The remote host is affected by the vulnerability described in GLSA-202101-31 (Cacti: Remote code execution)

    The side_id parameter in data_debug.php does not properly verify input       allowing SQL injection.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
183149	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : Cacti vulnerabilities (USN-5214-1)	Nessus	Ubuntu Local Security Checks	high
151007	FreeBSD : cacti -- SQL Injection was possible due to incorrect validation order (e4cd0b38-c9f9-11eb-87e1-08002750c711)	Nessus	FreeBSD Local Security Checks	high
149884	openSUSE Security Update : cacti / cacti-spine (openSUSE-2021-755)	Nessus	SuSE Local Security Checks	high
145473	GLSA-202101-31 : Cacti: Remote code execution	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2020-35701

high

Tenable Plugins

high

high

high

high