Nessus plugin UBUNTU_USN-6475-1.NASL
Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Nov 13, 2023 - 12:00 a.m.

Ubuntu 16.04 ESM : Cobbler vulnerabilities (USN-6475-1)

Source: www.tenable.com
Tags: ubuntu 16.04, esm, cobbler vulnerabilities, usn-6475-1, command injection, cross site scripting, incorrect access control, remote code execution, authorization bypass, nessus scanner

AI Score: 8.5 High (Confidence: High)

The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6475-1 advisory.

  • Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile. (CVE-2014-3225)

  • Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the add repo component resulting in arbitrary code execution as root user. (CVE-2017-1000469)

  • Cobbler (verified as present in versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in privilege escalation to admin. This attack appears to be exploitable via network connectivity, by sending an unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api). (CVE-2018-1000225)

  • Cobbler (verified as present in versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains an Incorrect Access Control vulnerability in the XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appears to be exploitable via network connectivity, taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931. (CVE-2018-1000226)

  • It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler and upload files to arbitrary locations in the context of the daemon. (CVE-2018-10931)

  • Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. (CVE-2021-40323)

  • Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. (CVE-2021-40324)

  • Cobbler before 3.3.0 allows authorization bypass for modification of settings. (CVE-2021-40325)

  • An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the #from MODULE import substring. (Only lines beginning with #import are blocked.) (CVE-2021-45082)

  • An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it’s trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password. (CVE-2021-45083)

  • Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. (CVE-2022-0860)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6475-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(185504);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/13");

  script_cve_id(
    "CVE-2014-3225",
    "CVE-2017-1000469",
    "CVE-2018-10931",
    "CVE-2018-1000225",
    "CVE-2018-1000226",
    "CVE-2021-40323",
    "CVE-2021-40324",
    "CVE-2021-40325",
    "CVE-2021-45082",
    "CVE-2021-45083",
    "CVE-2022-0860"
  );
  script_xref(name:"USN", value:"6475-1");

  script_name(english:"Ubuntu 16.04 ESM : Cobbler vulnerabilities (USN-6475-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in
the USN-6475-1 advisory.

  - Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote
    authenticated users to read arbitrary files via the Kickstart field in a profile. (CVE-2014-3225)

  - Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the add repo component
    resulting in arbitrary code execution as root user. (CVE-2017-1000469)

  - Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least
    2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS)
    vulnerability in cobbler-web that can result in Privilege escalation to admin.. This attack appear to be
    exploitable via network connectivity. Sending unauthenticated JavaScript payload to the Cobbler XMLRPC
    API (/cobbler_api). (CVE-2018-1000225)

  - Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least
    2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability
    in XMLRPC API (/cobbler_api) that can result in Privilege escalation, data manipulation or exfiltration,
    LDAP credential harvesting. This attack appear to be exploitable via network connectivity. Taking
    advantage of improper validation of security tokens in API endpoints. Please note this is a different
    issue than CVE-2018-10931. (CVE-2018-1000226)

  - It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A
    remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files
    to arbitrary location in the context of the daemon. (CVE-2018-10931)

  - Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that
    logs to the logfile for template injection. (CVE-2021-40323)

  - Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. (CVE-2021-40324)

  - Cobbler before 3.3.0 allows authorization bypass for modification of settings. (CVE-2021-40325)

  - An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function
    check_for_invalid_imports can allow Cheetah code to import Python modules via the #from MODULE import
    substring. (Only lines beginning with #import are blocked.) (CVE-2021-45082)

  - An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those
    files contain some sensitive information that can be exposed to a local user who has non-privileged access
    to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local
    installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The
    settings.yaml file contains secrets such as the hashed default password. (CVE-2021-45083)

  - Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. (CVE-2022-0860)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6475-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1000469");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-40323");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/11/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cobbler");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cobbler-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cobbler-web");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:koan");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-cobbler");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-koan");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '16.04', 'pkgname': 'cobbler', 'pkgver': '2.4.1-0ubuntu2+esm1'},
    {'osver': '16.04', 'pkgname': 'cobbler-common', 'pkgver': '2.4.1-0ubuntu2+esm1'},
    {'osver': '16.04', 'pkgname': 'cobbler-web', 'pkgver': '2.4.1-0ubuntu2+esm1'},
    {'osver': '16.04', 'pkgname': 'koan', 'pkgver': '2.4.1-0ubuntu2+esm1'},
    {'osver': '16.04', 'pkgname': 'python-cobbler', 'pkgver': '2.4.1-0ubuntu2+esm1'},
    {'osver': '16.04', 'pkgname': 'python-koan', 'pkgver': '2.4.1-0ubuntu2+esm1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cobbler / cobbler-common / cobbler-web / koan / python-cobbler / etc');
}
Vendor     Product       Version         CPE
canonical  ubuntu_linux  16.04           cpe:/o:canonical:ubuntu_linux:16.04:-:esm
canonical  ubuntu_linux  cobbler         p-cpe:/a:canonical:ubuntu_linux:cobbler
canonical  ubuntu_linux  cobbler-common  p-cpe:/a:canonical:ubuntu_linux:cobbler-common
canonical  ubuntu_linux  cobbler-web     p-cpe:/a:canonical:ubuntu_linux:cobbler-web
canonical  ubuntu_linux  koan            p-cpe:/a:canonical:ubuntu_linux:koan
canonical  ubuntu_linux  python-cobbler  p-cpe:/a:canonical:ubuntu_linux:python-cobbler
canonical  ubuntu_linux  python-koan     p-cpe:/a:canonical:ubuntu_linux:python-koan