CVE-2021-40324
published 2021-10-04

CVE-2021-40324: Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.

Priority: P2 · 62 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 68.64% (99.3th percentile)

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cobbler_project | cobbler | <= 3.3.0 | |
| cobbler_project | cobbler | >= 0 < 3.3.0 | 3.3.0 |
| cobbler_project | cobbler | >= 0 < d8f60bbf14a838c8c8a1dba98086b223e35fe70a | d8f60bbf14a838c8c8a1dba98086b223e35fe70a |
| cobbler_project | cobbler | >= 0 < 2.4.1-0ubuntu2+esm1 | 2.4.1-0ubuntu2+esm1 |

Detection & IOCs (extracted from sources)

url: /cobbler_api
bytes: |3c|methodName|3e|upload|5f|log|5f|data|3c 2f|methodName|3e|
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Clobber API XMLRPC Arbitrary File Upload (CVE-2021-40324)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cobbler_api"; fast_pattern; startswith; http.request_body; content:"|3c|methodName|3e|upload|5f|log|5f|data|3c 2f|methodName|3e|"; reference:url,github.com/cobbler/cobbler/issues/2795; reference:cve,2021-40324; classtype:web-application-attack; sid:2056381; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_01, cve CVE_2021_40324, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic is an HTTP POST request to the /cobbler_api endpoint containing an XMLRPC body invoking the upload_log_data method. Detect by matching POST method + URI /cobbler_api + request body containing the XML-encoded methodName 'upload_log_data'.
  • The vulnerability is rooted in the anamon_enabled setting in cobblerd. If anamon support is enabled, the upload_log_data XMLRPC function accepts unsanitized user-supplied parameters allowing arbitrary file writes.
  • The Emerging Threats rule SID 2056381 (rev:1) covers this exploit with high confidence for both perimeter and internal deployments, including TLS-decrypted traffic (SSLDecrypt deployment tag).
  • The anamon_enabled setting must be enabled for the vulnerability to be exploitable. Instances with anamon support disabled are not affected by this arbitrary file write path.
  • Red Hat Enterprise Linux 8 (rhn-tools:1.0/cobbler package) is listed as Not Affected, so detection focus should be on standalone Cobbler deployments prior to version 3.3.0.

CVSS provenance

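| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | | 4.0 | MEDIUM | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 4.0 | MEDIUM | |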