Cacti "graph_template" Parameter "graphs_new.php" SQL Injection Vulnerability


Description   A SQL injection vulnerability has been identified in Cacti. A remote attacker could exploit it by using URLs that include specially crafted SQL statements in order to obtain sensitive information from the database.

The vulnerability is due to improper validation of user-supplied input used in SQL queries in the "graph_template" parameter of the "graphs_new.php" page.

A proof of concept is available.

The cacti packages provided by Debian Wheezy 7 and Jessie 8 are vulnerable.

Updated, 10/04/2016: exploit code is available.
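As an added illustration, not code from this advisory or from the Cacti project, the following Python check applies the GET-side alarm categories listed under IPS Protection to the "graph_template" parameter of "graphs_new.php" requests found in access-log lines. The log lines and client addresses are constructed, and the rule that a legitimate graph_template is a plain integer id is an assumption made here, not a fact stated on the page.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines (hypothetical hosts and paths) used to exercise the check.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2016:10:01:02 +0000] "GET /cacti/graphs_new.php?host_id=3&graph_template=12 HTTP/1.1" 200 5120
10.0.0.9 - - [24/Mar/2016:10:01:07 +0000] "GET /cacti/graphs_new.php?host_id=3&graph_template=12%20UNION%20SELECT%201 HTTP/1.1" 200 5310
10.0.0.9 - - [24/Mar/2016:10:01:09 +0000] "GET /cacti/graphs_new.php?host_id=3&graph_template=12%20OR%201%3D1 HTTP/1.1" 200 5300
10.0.0.7 - - [24/Mar/2016:10:02:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Keyword patterns mirroring the GET-side alarm categories listed under IPS Protection.
SIGNATURES = {
    "suspicious UNION SELECT statement": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "suspicious OR statement": re.compile(r"\bor\b\s+\S+\s*=", re.I),
    "suspicious SELECT statement": re.compile(r"\bselect\b", re.I),
    "suspicious combination of 'select' and 'sleep'": re.compile(r"\bselect\b.*\bsleep\s*\(", re.I),
    "block comment delimiters": re.compile(r"/\*|\*/"),
}

def check_graph_template(value):
    """Return the alarm names a graph_template value triggers. Assumption (not on the page):
    a legitimate graph_template is an integer id, so a non-numeric value is flagged as well."""
    hits = [name for name, pat in SIGNATURES.items() if pat.search(value)]
    if not value.isdigit():
        hits.append("non-numeric graph_template value")
    return hits

def scan_log(text):
    """Return (client, decoded value, alarms) for graphs_new.php requests with a suspicious graph_template."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/graphs_new.php"):
            continue
        # parse_qs percent-decodes the value, so encoded spaces and '=' become visible to the patterns.
        for value in parse_qs(url.query).get("graph_template", []):
            alarms = check_graph_template(value)
            if alarms:
                findings.append((line.split()[0], value, alarms))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the two requests from 10.0.0.9 and leaves the plain integer request and the unrelated graph_view.php request alone.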
     
Vulnerable Products   Vulnerable OS:
- FreeBSD (FreeBSD) - All
- GNU/Linux (Debian) - 7, 8
- openSUSE (SUSE) - 13.2, Leap 42.1
Vulnerable Software:
- Cacti (The Cacti Group) - 0.8.8g
     
Solution   Fixed cacti packages for Debian Jessie 8 are available.
     
CVE   CVE-2016-3659
     
References   - Cacti : 0002673: [CVE-2016-3659] Cacti graph_view.php SQL Injection Vulnerability
http://bugs.cacti.net/view.php?id=2673
- Debian Security Tracker : cacti
https://security-tracker.debian.org/tracker/CVE-2016-3659
- Cacti : Release Notes - 0.8.8h
http://www.cacti.net/release_notes_0_8_8h.php
- VuXML : cacti -- multiple vulnerabilities
http://www.vuxml.org/freebsd/6167b341-250c-11e6-a6fb-003048f2e514.html
- openSUSE-SU-2016:1328-1 : Security update for cacti
https://lists.opensuse.org/opensuse-updates/2016-05/msg00074.html
- DLA 560-1 : cacti security update
https://lists.debian.org/debian-lts-announce/2016/07/msg00022.html
- Debian : Updated Debian 8: 8.6 released
https://www.debian.org/News/2016/20160917
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm (Available Since)
- SQL injection Prevention - GET : suspicious OR statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious combination of 'OR' or 'AND' statements in URL (3.2.0)
- SQL injection Prevention - GET : suspicious CREATE statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious CAST statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious OPENROWSET statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious DECLARE statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious OPENQUERY statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious shutdown statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious UNION SELECT statement in URL (3.2.0)
- SQL injection Prevention - GET : possible database version probing (3.2.0)
- SQL injection Prevention - GET : suspicious UPDATE SET statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious SELECT statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious INSERT statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious DROP statement in URL (3.2.0)
- SQL injection Prevention - GET : suspicious EXEC statement in URL (3.2.0)
- SQL injection Prevention - GET : block comment delimiters in URL (3.2.0)
- SQL injection Prevention - POST : suspicious UPDATE statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious SELECT statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious DECLARE statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious OPENROWSET statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious OPENQUERY statement in data (5.0.0)
- SQL injection Prevention - GET : suspicious combination of 'select' and 'sleep' statements in URL (5.0.0)
- SQL injection Prevention - POST : suspicious CAST statement in data (5.0.0)
- SQL injection Prevention - GET : Evasion attempt with CAST and EXEC statements (5.0.0)
- SQL injection Prevention - POST : suspicious EXEC statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious CREATE statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious INSERT statement in data (5.0.0)
- SQL injection Prevention - GET : Authentication bypass attempt with OR statement (5.0.0)
- SQL injection Prevention - POST : suspicious DROP statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious HAVING statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious UNION statement in data (5.0.0)
- SQL injection Prevention - POST : suspicious OR statement in data (5.0.0)
- SQL injection Prevention - POST : possible version probing in data (5.0.0)

Risk level   Moderate

Vulnerability First Public Report Date   2016-03-24

Target Type   Server

Possible exploit   Remote