CVE-2018-10931
Published 2018-08-09
Priority P1 · 82 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 67.86% (99.2th percentile)
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler and upload files to an arbitrary location in the context of the daemon.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cobbler_project | cobbler | >= 0 < 3.0.0 | 3.0.0 |
| cobbler_project | cobbler | >= 0 < 2.4.1-0ubuntu2+esm1 | 2.4.1-0ubuntu2+esm1 |
| cobbler_project | cobbler | >= 2.6.0 < 3.0.0 | 3.0.0 |
| cobbler_project | cobbler | 2.6.0 – 2.6.11 | — |
| cobblerd | cobbler | >= 2.0.0 | — |
| redhat | satellite | — | — |
| redhat | satellite | — | — |
| redhat | satellite | — | — |
| the_cobbler_project | cobbler | — | — |
Detection & IOCs (extracted from sources)
- command: `POST /cobbler_api HTTP/1.1`
- header: `Content-Type: text/xml`
- method name: `_CobblerXMLRPCInterface__make_token`
- product: cobbler
- Monitor for unauthenticated POST requests to /cobbler_api containing the method name `_CobblerXMLRPCInterface__make_token`, which indicates exploitation of the exposed private XMLRPC interface.
- Alert on XMLRPC responses to /cobbler_api that do NOT contain `faultCode` and DO contain a base64-like token string (matching regex `.*[a-zA-Z0-9].+==`), indicating a successful authentication bypass.
- Use Shodan/FOFA/Google dorks to identify exposed Cobbler web interfaces as attack surface: shodan `http.title:"cobbler web interface"`, fofa `title="cobbler web interface"`, Google `intitle:"cobbler web interface"`.
- CVE-2018-10931 specifically involves CobblerXMLRPCInterface exporting ALL methods (including private ones prefixed with `__`) over XMLRPC without authentication; monitor for XMLRPC calls using double-underscore mangled method names against /cobbler_api.
- SELinux enforcement may limit the impact of file-upload exploitation but does not fully mitigate the vulnerability.
- CVE-2018-10931 and CVE-2018-1000226 are distinct issues against the same endpoint (/cobbler_api): CVE-2018-10931 is about full private method exposure, while CVE-2018-1000226 is about missing token validation on specific API endpoints.
- The most sensitive unauthenticated function in CVE-2018-1000226 is modify_settings(), which is absent in cobbler 2.0.7 (shipped with Red Hat Enterprise Satellite 5), reducing severity for that specific version.
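One way to turn the first two indicators above into detection logic, as an added example that is not taken from any of the advisory sources on this page; the XML-RPC request and response it inspects are constructed samples, not captured traffic:

```python
# Added example: classify XML-RPC messages to /cobbler_api using the two
# indicators from the detection notes: a request whose methodName is a
# name-mangled private method, and a non-fault response carrying a token.
import re
import xml.etree.ElementTree as ET

# Python mangles __make_token inside class CobblerXMLRPCInterface into
# _CobblerXMLRPCInterface__make_token; match any such mangled name.
MANGLED_RE = re.compile(r"^_[A-Za-z_][A-Za-z0-9_]*__[A-Za-z0-9_]+$")
# Token pattern quoted in the detection notes above.
TOKEN_RE = re.compile(r".*[a-zA-Z0-9].+==")

def request_method(body: str) -> str:
    """Return the methodName of an XML-RPC methodCall, or '' if absent."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        return ""
    node = root.find("methodName")
    return (node.text or "").strip() if node is not None else ""

def is_private_call(body: str) -> bool:
    """True when the request invokes a mangled (private) method name."""
    name = request_method(body)
    return name.startswith("__") or MANGLED_RE.match(name) is not None

def is_token_leak(body: str) -> bool:
    """True when a methodResponse has no faultCode but returns a token-like string."""
    root = ET.fromstring(body)
    if root.tag != "methodResponse" or root.find(".//fault") is not None:
        return False
    if any(n.text == "faultCode" for n in root.iter("name")):
        return False
    return any(TOKEN_RE.fullmatch((v.text or "").strip()) for v in root.iter("string"))

# Constructed sample exchange (not captured traffic).
SAMPLE_REQUEST = (
    "<?xml version='1.0'?><methodCall>"
    "<methodName>_CobblerXMLRPCInterface__make_token</methodName>"
    "<params></params></methodCall>"
)
SAMPLE_RESPONSE = (
    "<?xml version='1.0'?><methodResponse><params><param>"
    "<value><string>dGVzdHRva2VuMTIzNDU2Nzg5MA==</string></value>"
    "</param></params></methodResponse>"
)

if __name__ == "__main__":
    print("private call:", is_private_call(SAMPLE_REQUEST))  # True
    print("token leak:", is_token_leak(SAMPLE_RESPONSE))      # True
```

Feed it the decoded request and response bodies from a proxy or IDS log; a fault response (`faultCode` present) or a plain method name such as a public API call is not flagged.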
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 4.0 | MEDIUM | — |
OSV
cobbler vulnerabilities
osv · 2023-11-13 · CVSS 4.0 · CVE-2014-3225 [MEDIUM]
It was discovered that Cobbler did not properly handle user input, which
could result in an absolute path traversal. An attacker could possibly
use this issue to read arbitrary files. (CVE-2014-3225)
It was discovered that Cobbler did not properly handle user input, which
could result in command injection. An attacker could possibly use this
issue to execute arbitrary code with high privileges.
(CVE-2017-1000469, CVE-2021-45082)
It was discovered that Cobbler did not properly hide private functions in
a class. A remote attacker could possibly use this issue to gain high
privileges and upload files to an arbitrary location.
(CVE-2018-10931, CVE-2018-1000225, CVE-2018-1000226)
Nicolas Chatelain discovered that Cobbler did not properly handle user
input, which coul
OSV
Cobbler has Exposed Dangerous Method or Function
osv · 2022-05-13 · CVE-2018-10931 [CRITICAL]
GHSA
Cobbler has Exposed Dangerous Method or Function
ghsa · 2022-05-13 · CVE-2018-10931 [CRITICAL] · CWE-749
GHSA
Cobbler Improper Validation of Security Tokens
ghsa · 2022-05-13 · CVSS 9.8 · CVE-2018-1000226 [CRITICAL] · CWE-732
Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains an Incorrect Access Control vulnerability in the XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appears to be exploitable via "network connectivity", taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
OSV
Cobbler Improper Validation of Security Tokens
osv · 2022-05-13 · CVSS 9.8 · CVE-2018-1000226 [CRITICAL]
OSV
CVE-2018-1000226: Cobbler version Verified as present in Cobbler versions 2
osv · 2018-08-20 · CVSS 9.8 · CVE-2018-1000226 [CRITICAL]
OSV
CVE-2018-10931: It was found that cobbler 2
osv · 2018-08-09 · CVSS 9.8 · CVE-2018-10931 [CRITICAL]
Ubuntu
Cobbler vulnerabilities
vendor_ubuntu · 2023-11-13 · CVSS 4.0 · CVE-2021-40323 [MEDIUM]
Title: Cobbler vulnerabilities
Summary: Several security issues were fixed in Cobbler.
Red Hat
cobbler: CobblerXMLRPCInterface exports all its methods over XMLRPC
vendor_redhat · 2018-08-09 · CVSS 9.8 · CVE-2018-10931 [CRITICAL] · CWE-749
An API-exposure flaw was found in cobbler, where it exported CobblerXMLRPCInterface private functions over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain important privileges within cobbler, as well as upload files to an arbitrary location in the daemon context.
Mitigation: If SELinux is enabled, it might prevent some locations from accepting uploaded files from the attacker. This prevents some basic attacks allowing remote code executi
Red Hat
cobbler: XMLRPC API endpoints are not correctly validating security tokens
vendor_redhat · 2018-08-02 · CVSS 9.8 · CVE-2018-1000226 [CRITICAL] · CWE-306
It was found that the cobbler API did not validate the client's token for all methods. An unauthenticated attacker could use this flaw to call sensitive methods without having to
No detection rules found.
Nuclei
Cobbler - Authentication Bypass
nuclei · CVSS 9.8 · CVE-2018-1000226 [CRITICAL]
Cobbler versions 2.6.11+ (but code inspection suggests at least 2.0.0+ and possibly even older versions) may be vulnerable to an authentication bypass vulnerability in the XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appears to be exploitable via "network connectivity", taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
Template (truncated as published on this page):
```yaml
id: CVE-2018-1000226
info:
  name: Cobbler - Authentication Bypass
  author: c-sh0
  severity: critical
  description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authenticat
```
Bugzilla
CVE-2018-10931 cobbler: CobblerXMLRPCInterface exports all its methods over XMLRPC [epel-all]
bugzilla · 2018-08-09 · CVSS 9.8 · CVE-2018-10931 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2018-10931 cobbler: CobblerXMLRPCInterface exports all its methods over XMLRPC [fedora-all]
bugzilla · 2018-08-09 · CVSS 9.8 · CVE-2018-10931 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all. (The remainder of the tracking-bug text is identical to the epel-all tracker above.)
Bugzilla
CVE-2018-10931 cobbler: CobblerXMLRPCInterface exports all its methods over XMLRPC
bugzilla · 2018-08-08 · CVSS 9.8 · CVE-2018-10931 [CRITICAL]
The Cobbler CobblerXMLRPCInterface object exposes all its functions over XMLRPC. This allows an attacker to use the internal functions of the class, such as creating a token or uploading files.
Upstream issue:
https://github.com/cobbler/cobbler/issues/1916
Upstream patch:
https://github.com/cobbler/cobbler/pull/1921
References:
https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
Discussion:
Acknowledgments:
Name: Cedric Buissart (Red Hat)
---
Created attachment 1474535
fix
---
Created cobbler tracking bugs for this issue:
Affects: epel-all [bug 1614431]
Affects: fedora-all [bug 1614433]
---
This issue has been addressed in the following products:
Red Hat Sate
References:
- https://access.redhat.com/errata/RHSA-2018:2372
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10931
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P5Q4ACIVZ5D4KSUDLGRTOKGGB4U42SD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMWK5KCCZXOGOYNR2H6BWDSABTQ5NYJA/