
Improper Authorization in cobbler

### Impact

If PAM is correctly configured and a user account is set to expired, the expired user account is still able to log into Cobbler successfully in all places (Web UI, CLI and XMLRPC API).

The same applies to user accounts with passwords set to be expired.

### Patches

A patch is available for the latest Cobbler `3.3.2`; a backport will be done for `3.2.x`.

### Workarounds

- Delete expired accounts which are able to access Cobbler via PAM.
- Use `chage -l ` to lock the account. If the account has SSH keys attached, remove them completely.
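To apply the first workaround you need a list of the accounts PAM would reject but Cobbler still accepts. The script below is an added example (not part of the advisory or of the Cobbler project): it parses `/etc/shadow`-format lines and flags accounts whose expiry date (field 8, what `chage -E` sets) is in the past, and accounts whose password has aged out (`lastchg` + `max` in the past, or `lastchg` of 0). The sample data and the hash placeholders are constructed; the aging rules are a simplified reading of pam_unix's checks, not the library's own code.

```python
"""Flag expired accounts / expired passwords in /etc/shadow-format data.

Added example, not part of the advisory or of Cobbler. Day values are days
since 1970-01-01, exactly as stored in /etc/shadow and passed to chage -E.
"""
from datetime import date

# Constructed sample in /etc/shadow layout (hashes are placeholders):
# name:passwd:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$placeholder:19000:0:99999:7:::
expired_user:$6$placeholder:19000:0:99999:7::0:
stale_pw:$6$placeholder:18000:0:90:7:::
must_change:$6$placeholder:0:0:99999:7:::
fresh:$6$placeholder:19300:0:99999:7::20000:
"""

EPOCH = date(1970, 1, 1)


def days_since_epoch(day):
    """Convert a date to the day count used by shadow(5)."""
    return (day - EPOCH).days


def _int_or_none(field):
    """Empty shadow fields mean 'not set'; everything else is an integer."""
    return int(field) if field.strip() else None


def parse_shadow(text):
    """Parse shadow-format lines into dicts, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            continue  # malformed line, not a shadow entry
        entries.append({
            "name": fields[0],
            "lastchg": _int_or_none(fields[2]),
            "max": _int_or_none(fields[4]),
            "expire": _int_or_none(fields[7]),
        })
    return entries


def account_expired(entry, today_days):
    """Empty expire field = never expires; any date on or before today
    (including the 0 written by `chage -E0`) = account expired."""
    exp = entry["expire"]
    return exp is not None and exp <= today_days


def password_expired(entry, today_days):
    """lastchg 0 forces a password change on next login; otherwise the
    password is expired once lastchg + max lies in the past. Empty
    lastchg or max disables aging."""
    lastchg, max_days = entry["lastchg"], entry["max"]
    if lastchg == 0:
        return True
    if lastchg is None or max_days is None:
        return False
    return lastchg + max_days < today_days


def find_expired(text, today):
    """Return {account: [reasons]} for every entry PAM should reject."""
    today_days = days_since_epoch(today)
    flagged = {}
    for entry in parse_shadow(text):
        reasons = []
        if account_expired(entry, today_days):
            reasons.append("account expired")
        if password_expired(entry, today_days):
            reasons.append("password expired")
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    # On a real host: find_expired(open("/etc/shadow").read(), date.today())
    for name, reasons in find_expired(SAMPLE_SHADOW, date(2022, 3, 1)).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it as root against the real `/etc/shadow` (see the comment in `__main__`) and cross-check the flagged names against the accounts that exist in Cobbler's PAM user list; those are the ones to delete or lock until the patched version is deployed.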

### References

- Originally discovered by @ysf at https://www.huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d/

### How to test if my Cobbler instance is affected?

The following `pytest` test assumes that your PAM setup is correct. If the added user cannot log in at all, running this test is pointless.

```python
import subprocess

from cobbler.api import CobblerAPI
from cobbler.modules.authentication import pam


def test_pam_login_with_expired_user():
    # Arrange
    # create pam testuser
    test_username = "expired_user"
    test_password = "password"
    test_api = CobblerAPI()
    # perl crypt(PLAINTEXT, SALT): build a password hash for useradd -p;
    # the username doubles as the salt here
    subprocess_1 = subprocess.run(
        ["perl", "-e", 'print crypt("%s", "%s")' % (test_password, test_username)],
        stdout=subprocess.PIPE,
        text=True,
    )
    subprocess.run(["useradd", "-p", subprocess_1.stdout, test_username])
    # change user to be expired (expiry date 0 = 1970-01-01)
    subprocess.run(["chage", "-E0", test_username])

    # Act
    result = pam.authenticate(test_api, test_username, test_password)

    # Assert - login should fail
    assert not result
```

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Cobbler repository](https://github.com/cobbler/cobbler/issues/new/choose)
* Ask in the [Gitter/Matrix Chat](https://gitter.im/cobbler/community)
* Email us at [cobbler.project@gmail.com](mailto:cobbler.project@gmail.com)
