
fix(security): forward-verify PTR result in remote_client_authorized() (1.2.x)#6968

Merged
TheWitness merged 2 commits into Cacti:1.2.x from somethingwithproof:fix/remote-agent-dns-auth-1.2.x
Apr 5, 2026

Conversation

@somethingwithproof
Contributor

Summary

  • Add forward DNS verification after gethostbyaddr() in remote_client_authorized()
  • Reject requests where the PTR hostname does not resolve back to the client IP

Backport of #6951. An attacker with PTR record control can spoof a trusted poller hostname to bypass remote agent authorization.

Test plan

  • Verify remote poller communication still works with correct DNS
  • Confirm spoofed PTR records are rejected with a WARNING log entry

Copilot AI review requested due to automatic review settings April 5, 2026 01:39
Contributor

Copilot AI left a comment


Pull request overview

This PR hardens remote_client_authorized() in Cacti’s remote agent endpoint to mitigate a reverse-DNS (PTR) spoofing authorization bypass by adding a forward-DNS verification step after gethostbyaddr().

Changes:

  • Perform a forward DNS lookup on the PTR hostname and reject authorization if it does not resolve back to the client IP.
  • Add a WARNING auth log entry for PTR/forward mismatches.

@somethingwithproof somethingwithproof force-pushed the fix/remote-agent-dns-auth-1.2.x branch 2 times, most recently from 614e43d to 5533e6f on April 5, 2026 04:08
Use dns_get_record(DNS_A + DNS_AAAA) for forward verification to
support dual-stack and round-robin DNS. Sanitize PTR hostname in
log output. Use SECURITY logging category.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
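The forward-confirmed reverse DNS check described in the PR summary and in the commit message above, as an added Python example (not Cacti's own PHP code): the resolver tables, trusted-poller list and addresses are constructed stand-ins, and `fake_reverse`, `fake_forward`, `sanitize_hostname` and this `remote_client_authorized` are hypothetical names that only mirror the function the PR touches.

```python
import ipaddress
import re

# Constructed sample data for this example (not Cacti's real poller table).
TRUSTED_POLLER_HOSTS = {"poller1.example.internal"}
PTR_TABLE = {  # constructed reverse (PTR) records
    "192.0.2.10": "poller1.example.internal",    # genuine poller, IPv4
    "2001:db8::10": "poller1.example.internal",  # same poller, IPv6
    "198.51.100.7": "poller1.example.internal",  # PTR claims the trusted name but is not that host
    "192.0.2.50": "other.example.internal",      # consistent DNS, but not a trusted poller
}
FORWARD_TABLE = {  # constructed A/AAAA records: dual-stack and round-robin for one name
    "poller1.example.internal": ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
    "other.example.internal": ["192.0.2.50"],
}

def fake_reverse(ip):      # stand-in for gethostbyaddr()
    return PTR_TABLE.get(ip)

def fake_forward(host):    # stand-in for dns_get_record(DNS_A + DNS_AAAA)
    return FORWARD_TABLE.get(host, [])

def sanitize_hostname(host):
    """Keep only hostname characters so a crafted PTR cannot inject into the log line."""
    return re.sub(r"[^A-Za-z0-9.\-]", "?", host)[:253]

def remote_client_authorized(client_ip, reverse=fake_reverse, forward=fake_forward, log=print):
    """Authorize only if the PTR name forward-resolves back to client_ip AND is a trusted poller."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        log(f"SECURITY: remote agent request from unparsable address {client_ip!r}; rejecting")
        return False
    host = reverse(str(addr))
    if not host:
        log(f"SECURITY: no PTR record for {addr}; rejecting remote agent request")
        return False
    safe_host = sanitize_hostname(host)
    # Forward-confirm the PTR result. Comparing parsed addresses means every A/AAAA
    # record is considered (round-robin, dual-stack) and IPv6 spelling differences do not matter.
    forward_addrs = {ipaddress.ip_address(a) for a in forward(host)}
    if addr not in forward_addrs:
        log(f"SECURITY: PTR '{safe_host}' for {addr} does not resolve back to that address; rejecting")
        return False
    if host.lower().rstrip(".") not in TRUSTED_POLLER_HOSTS:
        log(f"SECURITY: '{safe_host}' ({addr}) is not a trusted poller; rejecting")
        return False
    return True
```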
@TheWitness TheWitness merged commit 1eed9d5 into Cacti:1.2.x Apr 5, 2026