Ubuntu 16.04 ESM : Cobbler vulnerabilities (USN-6475-1)

critical Nessus Plugin ID 185504

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6475-1 advisory.

- Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile. (CVE-2014-3225)

- Cobbler versions up to 2.8.2 are vulnerable to a command injection vulnerability in the add repo component, resulting in arbitrary code execution as the root user. (CVE-2017-1000469)

- Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in privilege escalation to admin. This attack appears to be exploitable via network connectivity, by sending an unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api). (CVE-2018-1000225)

- Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains an Incorrect Access Control vulnerability in the XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appears to be exploitable via network connectivity, by taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931. (CVE-2018-1000226)

- It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler and upload files to arbitrary locations in the context of the daemon. (CVE-2018-10931)

- Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. (CVE-2021-40323)

- Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. (CVE-2021-40324)

- Cobbler before 3.3.0 allows authorization bypass for modification of settings. (CVE-2021-40325)

- An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with "#import" are blocked.) (CVE-2021-45082)

- An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password. (CVE-2021-45083)

- Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. (CVE-2022-0860)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://ubuntu.com/security/notices/USN-6475-1

Plugin Details

Severity: Critical

ID: 185504

File Name: ubuntu_USN-6475-1.nasl

Version: 1.0

Type: local

Agent: unix

Published: 11/13/2023

Updated: 11/13/2023

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2017-1000469

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-40323

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:python-cobbler, p-cpe:/a:canonical:ubuntu_linux:python-koan, p-cpe:/a:canonical:ubuntu_linux:cobbler-web, p-cpe:/a:canonical:ubuntu_linux:cobbler-common, p-cpe:/a:canonical:ubuntu_linux:cobbler, cpe:/o:canonical:ubuntu_linux:16.04:-:esm, p-cpe:/a:canonical:ubuntu_linux:koan

Required KB Items: Host/cpu, Host/Debian/dpkg-l, Host/Ubuntu, Host/Ubuntu/release

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/13/2023

Vulnerability Publication Date: 5/8/2014

Reference Information

CVE: CVE-2014-3225, CVE-2017-1000469, CVE-2018-1000225, CVE-2018-1000226, CVE-2018-10931, CVE-2021-40323, CVE-2021-40324, CVE-2021-40325, CVE-2021-45082, CVE-2021-45083, CVE-2022-0860

USN: 6475-1