huntr / ysf / C458B868-63DF-414E-AF10-47E3745CAA1D
History: Mar 02, 2022 - 3:26 p.m.

Improper Authorization

2022-03-02 15:26:14
ysf
www.huntr.dev
21

9.1 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.001 Low (percentile 50.7%)

Description

When cobbler-web is configured to authenticate via PAM, the account-validity check (the authorization step, pam_acct_mgmt()) is missing after a successful password check. Expired accounts can therefore still log in.

Proof of Concept

Enable authn_pam in modules.conf.

Create a test user (as root), give it a password, then expire the account:

    # useradd expired_user

    # passwd expired_user
    (enter 12345 at the prompt)

    # chage -E0 expired_user
    (sets the expiration date to 1970-01-01, so the account is expired; `chage -l expired_user` shows it)

Log in to cobbler-web as expired_user with password 12345 and observe that the login succeeds although the account no longer has any privileges on the system (SSH, for example, rejects it).

Impact

Merely locking an account's password would still allow login via SSH keys and the like, so the common practice is to expire the PAM account instead. For that reason the PAM API requires a caller to check the handle with pam_acct_mgmt() after a successful pam_authenticate(): pam_authenticate() only verifies the credentials, while pam_acct_mgmt() verifies that the account may be used at all.

After successful authentication, cobbler-web does not check the user's authorization via pam_acct_mgmt(). This grants access to accounts that have been expired (PAM_ACCT_EXPIRED) or whose passwords have expired (PAM_NEW_AUTHTOK_REQD); by PAM convention both must be denied. Depending on how Cobbler is configured this can become quite severe, since an administrator does not revoke an account's privileges without a reason.
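The following is an added example, not Cobbler's own code, showing the two PAM call sequences the report contrasts: the vulnerable flow that stops after pam_authenticate(), and the corrected flow that also runs pam_acct_mgmt(). It covers both the proof of concept above (the `expired_user` account) and the impact discussion. `LibPam` is a minimal ctypes binding over the real libpam (it needs a host with libpam and, for pam_unix, root access to /etc/shadow); `FakePam`, the `DEMO` account table and all user names and passwords are constructed stand-ins so the comparison runs offline. The PAM return-code constants are taken from Linux-PAM's header.

```python
"""Added example (not Cobbler's own code): PAM login with and without pam_acct_mgmt()."""
import ctypes
import ctypes.util

# Return codes from Linux-PAM's <security/_pam_types.h>
PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12   # password expired: a change is required
PAM_ACCT_EXPIRED = 13       # account expired, e.g. after `chage -E0`

class _PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]

class _PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]

_CONV = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                         ctypes.POINTER(ctypes.POINTER(_PamMessage)),
                         ctypes.POINTER(ctypes.POINTER(_PamResponse)), ctypes.c_void_p)

class _PamConv(ctypes.Structure):
    _fields_ = [("conv", _CONV), ("appdata_ptr", ctypes.c_void_p)]

class LibPam:
    """Minimal ctypes binding over the real libpam; the library is loaded only on construction."""

    def __init__(self, service="login"):
        self.service = service.encode()
        self.pam = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
        self.libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6")
        self.libc.calloc.restype = self.libc.strdup.restype = ctypes.c_void_p
        self.libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
        self.libc.strdup.argtypes = [ctypes.c_char_p]
        self.pam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                       ctypes.POINTER(_PamConv), ctypes.POINTER(ctypes.c_void_p)]
        for fn in (self.pam.pam_authenticate, self.pam.pam_acct_mgmt, self.pam.pam_end):
            fn.argtypes = [ctypes.c_void_p, ctypes.c_int]

    def start(self, user, password):
        pw = password.encode()

        def conv(n, msgs, resp_out, _appdata):
            # libpam free()s the response array and each string, so allocate them with libc
            resps = ctypes.cast(self.libc.calloc(n, ctypes.sizeof(_PamResponse)),
                                ctypes.POINTER(_PamResponse))
            for i in range(n):
                if msgs[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                    resps[i].resp = self.libc.strdup(pw)
            resp_out[0] = resps
            return PAM_SUCCESS

        self._cb = _CONV(conv)                  # keep the callback alive while libpam holds it
        self._conv = _PamConv(self._cb, None)
        handle = ctypes.c_void_p()
        rc = self.pam.pam_start(self.service, user.encode(), ctypes.byref(self._conv),
                                ctypes.byref(handle))
        if rc != PAM_SUCCESS:
            raise RuntimeError(f"pam_start failed with {rc}")
        return handle

    def authenticate(self, handle): return self.pam.pam_authenticate(handle, 0)
    def acct_mgmt(self, handle): return self.pam.pam_acct_mgmt(handle, 0)
    def end(self, handle, rc): self.pam.pam_end(handle, rc)

class FakePam:
    """Constructed stand-in: same four calls, canned libpam return codes, no real accounts."""

    def __init__(self, accounts): self.accounts = accounts   # user -> (password, acct_mgmt rc)
    def start(self, user, password): return (user, password)
    def acct_mgmt(self, handle): return self.accounts[handle[0]][1]
    def end(self, handle, rc): pass

    def authenticate(self, handle):
        user, password = handle
        return PAM_SUCCESS if self.accounts.get(user, (None,))[0] == password else PAM_AUTH_ERR

def login_vulnerable(pam, user, password):
    """The flaw in the report: only pam_authenticate() decides."""
    h = pam.start(user, password)
    rc = pam.authenticate(h)
    pam.end(h, rc)
    return rc == PAM_SUCCESS

def login_fixed(pam, user, password):
    """Credential check, then account check; both must return PAM_SUCCESS."""
    h = pam.start(user, password)
    rc = pam.authenticate(h)
    if rc == PAM_SUCCESS:
        rc = pam.acct_mgmt(h)   # PAM_ACCT_EXPIRED and PAM_NEW_AUTHTOK_REQD are rejected here
    pam.end(h, rc)
    return rc == PAM_SUCCESS

# Constructed accounts mirroring the PoC (expired_user as left by `chage -E0`)
DEMO = FakePam({"alice": ("correct horse", PAM_SUCCESS),
                "expired_user": ("12345", PAM_ACCT_EXPIRED),
                "stale_pw": ("hunter2", PAM_NEW_AUTHTOK_REQD)})
```

Against `DEMO`, `login_vulnerable` accepts `expired_user` and `stale_pw` because their passwords are still correct, while `login_fixed` rejects both and only admits `alice`. To repeat the proof of concept against a real system, replace `DEMO` with `LibPam("login")` (or the service name cobbler-web is configured with) on a host where the PoC user exists; note that pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD rather than an error when only the password has expired, and that code must be treated as a failed login too, since the caller would otherwise have to drive pam_chauthtok() to change the password.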
