CVE-2018-1000226
published 2018-08-20

CVE-2018-1000226: Cobbler incorrect access control in the XML-RPC API (/cobbler_api); verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable.

Priority: P2 · 70 · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 12.48% (95.7th percentile)
Cobbler (verified as present in versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains an Incorrect Access Control vulnerability in the XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. The attack appears to be exploitable via network connectivity, taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.

Affected (3 ranges)

Vendor           Product   Version range                   Fixed in
cobbler_project  cobbler   >= 0, < 3.0.0                   3.0.0
cobbler_project  cobbler   >= 0, < 2.4.1-0ubuntu2+esm1     2.4.1-0ubuntu2+esm1
cobblerd         cobbler   >= 2.0.0                        (none listed)

Detection & IOCs (extracted from sources)

Indicators:
  • url: /cobbler_api
  • command: _CobblerXMLRPCInterface__make_token
  • other: shodan:http.title:"cobbler web interface"

Detection guidance:
  • Detect unauthenticated POST requests to /cobbler_api containing the mangled method name '_CobblerXMLRPCInterface__make_token' — this is the name-mangled Python private method being called directly to forge a token without credentials.
  • Alert on POST requests to /cobbler_api with Content-Type: text/xml that do NOT return a faultCode element in the response body — a successful auth bypass will return a valid token (base64-like string matching [a-zA-Z0-9].+==) with HTTP 200.
  • Monitor calls to the modify_settings() XMLRPC method on /cobbler_api without a valid preceding authentication token — this is identified as the most sensitive unauthenticated-accessible function.
  • Inspect XMLRPC API traffic to /cobbler_api for any method calls where the supplied security token is not validated — the vulnerability affects many endpoints, not just token generation.
  • The vulnerability is confirmed in Cobbler 2.6.11+, but code inspection suggests 2.0.0+ or older may also be affected; detection should not be scoped only to 2.6.11+.
  • This is a distinct vulnerability from CVE-2018-10931; detection rules must not conflate the two. Both affect /cobbler_api, but via different weaknesses.
  • Red Hat Enterprise Satellite 5 ships cobbler-2.0.7, which lacks modify_settings(); the severity is considered Medium for that specific package version, so detection priority should be adjusted accordingly.
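The three detection bullets above can be turned into a small rule set that runs over exported request/response pairs. The following is an added example for this page, not code from Cobbler or from the sources the indicators were extracted from. It assumes a proxy or WAF export where each record is a dict with `method`, `path`, `content_type`, `status`, `request_body` and `response_body` (that record shape and all sample traffic are constructed here); the token regex is the one quoted in the notes above. Rule 3 uses a heuristic (a `modify_settings` call carrying no token-shaped parameter) because correlating the call with a preceding successful login belongs in the SIEM, not in this snippet.

```python
import re
from xml.etree import ElementTree as ET

API_PATH = "/cobbler_api"
MANGLED_TOKEN_METHOD = "_CobblerXMLRPCInterface__make_token"
# Token shape quoted in the detection notes above (deliberately loose).
TOKEN_RE = re.compile(r"[a-zA-Z0-9].+==")


def parse_method_call(body):
    """Return (method_name, [param values as strings]) from an XML-RPC
    methodCall body, or (None, []) when the body is not an XML-RPC call."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, []
    if root.tag != "methodCall":
        return None, []
    name = root.findtext("methodName") or None
    params = []
    for value in root.findall("params/param/value"):
        # <value><string>x</string></value> or a bare <value>x</value>
        child = list(value)
        params.append((child[0].text if child else value.text) or "")
    return name, params


def response_has_fault(body):
    """True when the XML-RPC response carries a faultCode member."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return any(n.text == "faultCode" for n in root.iter("name"))


def detect(rec):
    """Apply the three rules to one request/response record and return the
    ids of the rules that fired (empty list means nothing fired)."""
    hits = []
    if rec.get("method") != "POST" or rec.get("path") != API_PATH:
        return hits
    name, params = parse_method_call(rec.get("request_body", ""))
    # Rule 1: the name-mangled private method called directly.
    if name == MANGLED_TOKEN_METHOD:
        hits.append("R1_mangled_make_token")
    # Rule 2: text/xml POST answered 200 with a token-shaped body and no
    # faultCode. Note this also fires on a legitimate successful login, so
    # pair it with Rule 1 or with a login correlation in practice.
    resp = rec.get("response_body", "")
    if (rec.get("content_type", "").startswith("text/xml")
            and rec.get("status") == 200
            and not response_has_fault(resp)
            and TOKEN_RE.search(resp)):
        hits.append("R2_token_without_fault")
    # Rule 3 (heuristic): modify_settings invoked with no token-shaped param.
    if name == "modify_settings" and not any(TOKEN_RE.search(p) for p in params):
        hits.append("R3_modify_settings_no_token")
    return hits


def scan(records):
    """Map record index -> fired rule ids, for records that fired anything."""
    result = {}
    for i, rec in enumerate(records):
        hits = detect(rec)
        if hits:
            result[i] = hits
    return result


# Constructed sample traffic (not real captures). Parameter layout of the
# modify_settings calls is illustrative only.
SAMPLE_TRAFFIC = [
    {"method": "POST", "path": "/cobbler_api", "content_type": "text/xml", "status": 200,
     "request_body": "<?xml version='1.0'?><methodCall><methodName>get_settings</methodName><params/></methodCall>",
     "response_body": "<?xml version='1.0'?><methodResponse><fault><value><struct><member><name>faultCode</name><value><int>1</int></value></member></struct></value></fault></methodResponse>"},
    {"method": "POST", "path": "/cobbler_api", "content_type": "text/xml", "status": 200,
     "request_body": "<?xml version='1.0'?><methodCall><methodName>_CobblerXMLRPCInterface__make_token</methodName><params/></methodCall>",
     "response_body": "<?xml version='1.0'?><methodResponse><params><param><value><string>abc123constructedTOKEN==</string></value></param></params></methodResponse>"},
    {"method": "POST", "path": "/cobbler_api", "content_type": "text/xml", "status": 200,
     "request_body": "<?xml version='1.0'?><methodCall><methodName>modify_settings</methodName><params><param><value><string>server</string></value></param><param><value><string>10.0.0.1</string></value></param><param><value><string>cG9zdGVkVG9rZW4==</string></value></param></params></methodCall>",
     "response_body": "<?xml version='1.0'?><methodResponse><params><param><value><boolean>1</boolean></value></param></params></methodResponse>"},
    {"method": "POST", "path": "/cobbler_api", "content_type": "text/xml", "status": 200,
     "request_body": "<?xml version='1.0'?><methodCall><methodName>modify_settings</methodName><params><param><value><string>server</string></value></param><param><value><string>10.0.0.1</string></value></param><param><value><string></string></value></param></params></methodCall>",
     "response_body": "<?xml version='1.0'?><methodResponse><params><param><value><boolean>1</boolean></value></param></params></methodResponse>"},
    {"method": "GET", "path": "/", "content_type": "text/html", "status": 200,
     "request_body": "", "response_body": "<html><title>cobbler web interface</title></html>"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_TRAFFIC).items():
        print(f"record {idx}: {', '.join(rules)}")
```

Run as-is it reports records 1 and 3. Feed it your own export by replacing `SAMPLE_TRAFFIC`; the parser ignores non-XML bodies, so mixed traffic is fine.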

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa           -        9.8    CRITICAL  -
osv            -        9.8    CRITICAL  -
vendor_redhat  -        9.8    CRITICAL  -
vendor_ubuntu  -        4.0    MEDIUM    -