### Impact
If PAM is correctly configured and a user account has expired, that expired account can still log into Cobbler everywhere (Web UI, CLI and XML-RPC API).
The same applies to user accounts whose passwords have expired.
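As an added illustration (not Cobbler's own code), the block below shows the two PAM steps a login path needs to avoid this class of bug: `pam_authenticate` only verifies the password, while `pam_acct_mgmt` is the call that rejects an expired account (`PAM_ACCT_EXPIRED`) or an expired password (`PAM_NEW_AUTHTOK_REQD`). The `pam_login` helper, the ctypes structure definitions and the `libpam` parameter (which lets a stub stand in for the real library) are mine; the structure layout assumes Linux-PAM.

```python
import ctypes.util

# Linux-PAM return codes that matter here (values from <security/_pam_types.h>).
PAM_SUCCESS, PAM_NEW_AUTHTOK_REQD, PAM_ACCT_EXPIRED = 0, 12, 13
PAM_PROMPT_ECHO_OFF = 1  # msg_style libpam uses when it asks for the password

class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]

class PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]

CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)

class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]

def _make_conv(password):
    """Conversation callback that answers every echo-off prompt with the password."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype = libc.strdup.restype = ctypes.c_void_p
    libc.calloc.argtypes, libc.strdup.argtypes = [ctypes.c_size_t] * 2, [ctypes.c_char_p]

    def conv(n_msg, messages, p_response, appdata):
        # libpam free()s the responses later, so they must live on the C heap.
        p_response[0] = ctypes.cast(libc.calloc(n_msg, ctypes.sizeof(PamResponse)),
                                    ctypes.POINTER(PamResponse))
        for i in range(n_msg):  # Linux-PAM layout: an array of pam_message pointers
            if messages[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                p_response[0][i].resp = libc.strdup(password.encode())
        return PAM_SUCCESS
    return CONV_FUNC(conv)

def pam_login(service, username, password, libpam=None):
    """Return (allowed, rc). A correct password is necessary but not sufficient:
    pam_acct_mgmt is the call that rejects expired accounts and expired passwords."""
    libpam = libpam or ctypes.CDLL(ctypes.util.find_library("pam"))  # stub injectable for tests
    handle, conv = ctypes.c_void_p(), PamConv(_make_conv(password), None)
    rc = libpam.pam_start(service.encode(), username.encode(),
                          ctypes.byref(conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return False, rc
    try:
        rc = libpam.pam_authenticate(handle, 0)
        if rc == PAM_SUCCESS:  # stopping here is the bug: the expired account still gets in
            rc = libpam.pam_acct_mgmt(handle, 0)
        return rc == PAM_SUCCESS, rc
    finally:
        libpam.pam_end(handle, rc)
```

Against a real `libpam`, `pam_login("login", user, password)` must be run with enough privilege to read the shadow database; the stub path needs no PAM stack at all.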
### Patches
A patch is available for the latest Cobbler release, `3.3.2`; a backport to `3.2.x` will follow.
### Workarounds
* Delete expired accounts that are able to access Cobbler via PAM.
* Use `chage -l ` to lock the account. If the account has SSH keys attached, remove them completely.
### References
* Originally discovered by @ysf at https://www.huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d/
### How to test if my Cobbler instance is affected?
The following `pytest` test assumes that your PAM setup is correct. If the added user cannot log in at all, there is no point in running this test.
```python
import subprocess

from cobbler.api import CobblerAPI
from cobbler.modules.authentication import pam


def test_pam_login_with_expired_user():
    # Arrange
    # create pam testuser
    test_username = "expired_user"
    test_password = "password"
    test_api = CobblerAPI()
    # crypt(PLAINTEXT, SALT): hash the password so `useradd -p` stores a hash PAM can verify;
    # perl single quotes keep the `$` characters of the (constructed) SHA-512 salt from interpolating
    subprocess_1 = subprocess.run(
        ["perl", "-e", "print crypt('%s', '%s')" % (test_password, "$6$cobblertest$")],
        stdout=subprocess.PIPE,
        check=True,
    )
    subprocess.run(
        ["useradd", "-p", subprocess_1.stdout.decode().strip(), test_username], check=True
    )
    # change user to be expired (-E0 sets the expiry date to 1970-01-01, i.e. already expired)
    subprocess.run(["chage", "-E0", test_username], check=True)
    try:
        # Act
        result = pam.authenticate(test_api, test_username, test_password)
        # Assert - login should fail
        assert not result
    finally:
        # remove the test user again so the test can be rerun
        subprocess.run(["userdel", test_username])
```
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Cobbler repository](https://github.com/cobbler/cobbler/issues/new/choose)
* Ask in the [Gitter/Matrix Chat](https://gitter.im/cobbler/community)
* Email us at [cobbler.project@gmail.com](mailto:cobbler.project@gmail.com)
### Additional references
* https://github.com/cobbler/cobbler/security/advisories/GHSA-mcg6-h362-cmq5
* https://nvd.nist.gov/vuln/detail/CVE-2022-0860
* https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa
* https://github.com/advisories/GHSA-mcg6-h362-cmq5
* https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2022-177.yaml
* https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d
* https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/
* https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/
* https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/
* https://github.com/cobbler/cobbler
### CVSS2
| Metric | Value |
| --- | --- |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | None |

Vector: `AV:N/AC:L/Au:N/C:P/I:P/A:N`
### CVSS3
| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |

Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`