The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6475-1 advisory.
Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile. (CVE-2014-3225)
Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the add repo component resulting in arbitrary code execution as root user. (CVE-2017-1000469)
Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in privilege escalation to admin. This attack appears to be exploitable via network connectivity by sending an unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api). (CVE-2018-1000225)
Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains an Incorrect Access Control vulnerability in the XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appears to be exploitable via network connectivity by taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931. (CVE-2018-1000226)
It was found that Cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within Cobbler and upload files to arbitrary locations in the context of the daemon. (CVE-2018-10931)
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. (CVE-2021-40323)
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. (CVE-2021-40324)
Cobbler before 3.3.0 allows authorization bypass for modification of settings. (CVE-2021-40325)
An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the #from MODULE import substring. (Only lines beginning with #import are blocked.) (CVE-2021-45082)
An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it’s trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password. (CVE-2021-45083)
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. (CVE-2022-0860)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
```nasl
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6475-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(185504);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/13");

  script_cve_id(
    "CVE-2014-3225",
    "CVE-2017-1000469",
    "CVE-2018-10931",
    "CVE-2018-1000225",
    "CVE-2018-1000226",
    "CVE-2021-40323",
    "CVE-2021-40324",
    "CVE-2021-40325",
    "CVE-2021-45082",
    "CVE-2021-45083",
    "CVE-2022-0860"
  );
  script_xref(name:"USN", value:"6475-1");

  script_name(english:"Ubuntu 16.04 ESM : Cobbler vulnerabilities (USN-6475-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in
the USN-6475-1 advisory.

  - Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote
    authenticated users to read arbitrary files via the Kickstart field in a profile. (CVE-2014-3225)

  - Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the add repo component
    resulting in arbitrary code execution as root user. (CVE-2017-1000469)

  - Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least
    2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS)
    vulnerability in cobbler-web that can result in Privilege escalation to admin.. This attack appear to be
    exploitable via network connectivity. Sending unauthenticated JavaScript payload to the Cobbler XMLRPC
    API (/cobbler_api). (CVE-2018-1000225)

  - Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least
    2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability
    in XMLRPC API (/cobbler_api) that can result in Privilege escalation, data manipulation or exfiltration,
    LDAP credential harvesting. This attack appear to be exploitable via network connectivity. Taking
    advantage of improper validation of security tokens in API endpoints. Please note this is a different
    issue than CVE-2018-10931. (CVE-2018-1000226)

  - It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A
    remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files
    to arbitrary location in the context of the daemon. (CVE-2018-10931)

  - Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that
    logs to the logfile for template injection. (CVE-2021-40323)

  - Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. (CVE-2021-40324)

  - Cobbler before 3.3.0 allows authorization bypass for modification of settings. (CVE-2021-40325)

  - An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function
    check_for_invalid_imports can allow Cheetah code to import Python modules via the #from MODULE import
    substring. (Only lines beginning with #import are blocked.) (CVE-2021-45082)

  - An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those
    files contain some sensitive information that can be exposed to a local user who has non-privileged access
    to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local
    installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The
    settings.yaml file contains secrets such as the hashed default password. (CVE-2021-45083)

  - Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. (CVE-2022-0860)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6475-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1000469");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-40323");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/11/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cobbler");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cobbler-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cobbler-web");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:koan");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-cobbler");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-koan");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

# Local checks need the package list that ssh_get_info.nasl gathered over SSH.
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Only Ubuntu 16.04 is covered by this USN; any other release is audited out.
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architectures for which the Ubuntu package checks are implemented.
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

# Fixed package versions from USN-6475-1; an installed version older than
# 'pkgver' (by dpkg version ordering) is flagged as vulnerable.
var pkgs = [
    {'osver': '16.04', 'pkgname': 'cobbler', 'pkgver': '2.4.1-0ubuntu2+esm1'},
    {'osver': '16.04', 'pkgname': 'cobbler-common', 'pkgver': '2.4.1-0ubuntu2+esm1'},
    {'osver': '16.04', 'pkgname': 'cobbler-web', 'pkgver': '2.4.1-0ubuntu2+esm1'},
    {'osver': '16.04', 'pkgname': 'koan', 'pkgver': '2.4.1-0ubuntu2+esm1'},
    {'osver': '16.04', 'pkgname': 'python-cobbler', 'pkgver': '2.4.1-0ubuntu2+esm1'},
    {'osver': '16.04', 'pkgname': 'python-koan', 'pkgver': '2.4.1-0ubuntu2+esm1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  # At least one installed package is below its fixed version.
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  # Distinguish "installed and patched" from "not installed at all".
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cobbler / cobbler-common / cobbler-web / koan / python-cobbler / etc');
}
```
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | 16.04 | cpe:/o:canonical:ubuntu_linux:16.04:-:esm |
| canonical | ubuntu_linux | cobbler | p-cpe:/a:canonical:ubuntu_linux:cobbler |
| canonical | ubuntu_linux | cobbler-common | p-cpe:/a:canonical:ubuntu_linux:cobbler-common |
| canonical | ubuntu_linux | cobbler-web | p-cpe:/a:canonical:ubuntu_linux:cobbler-web |
| canonical | ubuntu_linux | koan | p-cpe:/a:canonical:ubuntu_linux:koan |
| canonical | ubuntu_linux | python-cobbler | p-cpe:/a:canonical:ubuntu_linux:python-cobbler |
| canonical | ubuntu_linux | python-koan | p-cpe:/a:canonical:ubuntu_linux:python-koan |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3225
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000469
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000225
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000226
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10931
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40323
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40324
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40325
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45082
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45083
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0860
ubuntu.com/security/notices/USN-6475-1