Vulnerabilities > CVE-2012-2395 - Unspecified vulnerability in Michael Dehaan Cobbler 2.2.0
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN michael-dehaan
nessus
Summary
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-1060.NASL description An updated cobbler package that fixes one security issue is now available for Red Hat Network Satellite 5.4. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Cobbler is a network install server. Cobbler supports PXE, virtualized installs, and re-installing existing Linux machines. A command injection flaw was found in Cobbler last seen 2020-05-15 modified 2013-01-24 plugin id 64047 published 2013-01-24 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64047 title RHEL 5 / 6 : cobbler (RHSA-2012:1060) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2012:1060. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(64047); script_version("1.17"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/14"); script_cve_id("CVE-2012-2395"); script_bugtraq_id(53666); script_xref(name:"RHSA", value:"2012:1060"); script_name(english:"RHEL 5 / 6 : cobbler (RHSA-2012:1060)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "An updated cobbler package that fixes one security issue is now available for Red Hat Network Satellite 5.4. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Cobbler is a network install server. Cobbler supports PXE, virtualized installs, and re-installing existing Linux machines. A command injection flaw was found in Cobbler's power management XML-RPC method. A remote, authenticated user who is permitted to perform Cobbler configuration changes via the Cobbler XML-RPC API, could use this flaw to execute arbitrary code with root privileges on the Red Hat Network Satellite server. (CVE-2012-2395) Note: Red Hat Network Satellite uses a special user account to configure Cobbler. By default, only this account is permitted to perform Cobbler configuration changes, and the credentials for the account are only accessible to the Satellite host's administrator. As such, this issue only affected environments where the administrator allowed other users to make Cobbler configuration changes. Users of Red Hat Network Satellite 5.4 are advised to upgrade to this updated cobbler package, which contains a backported patch to correct this issue. Red Hat Network Satellite must be restarted ('/usr/sbin/rhn-satellite restart') for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2012:1060" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2012-2395" ); script_set_attribute( attribute:"solution", value:"Update the affected cobbler package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cobbler"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/16"); script_set_attribute(attribute:"patch_publication_date", value:"2012/07/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2012:1060"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", reference:"cobbler-2.0.7-14.6.el5sat")) flag++; if (rpm_check(release:"RHEL6", reference:"cobbler-2.0.7-14.6.el6sat")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cobbler"); } }
NASL family CGI abuses NASL id COBBLER_POWER_COMMAND_INJECTION.NASL description According to its self-reported version, the Cobbler install on the remote host is affected by a command injection vulnerability that can be exploited by sending a specially crafted username or password argument to the last seen 2020-06-01 modified 2020-06-02 plugin id 59402 published 2012-06-07 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59402 title Cobbler xmlrpc API power_system Method Remote Shell Command Execution code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(59402); script_version("1.6"); script_cvs_date("Date: 2019/12/04"); script_cve_id("CVE-2012-2395"); script_bugtraq_id(53666); script_name(english:"Cobbler xmlrpc API power_system Method Remote Shell Command Execution"); script_summary(english:"Checks version of Cobbler"); script_set_attribute(attribute:"synopsis", value: "The remote service is affected by a command injection vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the Cobbler install on the remote host is affected by a command injection vulnerability that can be exploited by sending a specially crafted username or password argument to the 'power_system' method. Successful exploitation requires an authenticated user and xmlrpc API access."); # https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0c3391f4"); script_set_attribute(attribute:"see_also", value:"https://github.com/cobbler/cobbler/issues/141"); script_set_attribute(attribute:"see_also", value:"https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999"); script_set_attribute(attribute:"solution", value: "Upgrade to the latest developmental version of Cobbler or apply the fixes manually."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-2395"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/11"); script_set_attribute(attribute:"patch_publication_date", value:"2012/05/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/07"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:michael_dehaan:cobbler"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cobbler_admin_detect.nasl", "cobbler_xmlrpc_detect.nasl"); script_require_keys("www/cobbler/xmlrpc", "Settings/ParanoidReport", "www/cobbler_web_admin"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("datetime.inc"); include("webapp_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); port = get_http_port(default:80); install = get_install_from_kb(appname:'cobbler_web_admin', port:port, exit_on_fail:TRUE); appname = "Cobbler"; kb_base = "www/" + port + "/cobbler/xmlrpc/"; version = get_kb_item_or_exit(kb_base + "Version"); url = build_url(port:port, qs:install['dir'] + '/'); if (version == 'unknown') audit(AUDIT_UNKNOWN_WEB_APP_VER, appname, url); gitdate = get_kb_item_or_exit(kb_base + "GitDate"); gitstamp = get_kb_item_or_exit(kb_base + "GitStamp"); item = eregmatch(pattern:"[A-Z][a-z]{2} ([A-Z][a-z]{2}) ([0-9]{1,2}) [0-9]{2}:[0-9]{2}:[0-9]{2} ([0-9]{4}) ", string:gitdate); if (isnull(item)) exit(1, "Failed to parse '"+kb_base+"GitDate' KB item."); month = int(month_num_by_name(base:1, item[1])); day = int(item[2]); year = int(item[3]); if ( # author says next release (2.2.3) will have fix ver_compare(ver:version, fix:'2.2.3',strict:FALSE) == -1 || (version =~ "^2\.3\." && # version of current developmental master branch with fix ( year < 2012 || (year == 2012 && month < 5) || (year == 2012 && month == 5 && day < 6) || (year == 2012 && month == 5 && day == 6 && gitstamp != "1003578" && gitstamp != "6d9167e") ) ) ) { if(report_verbosity > 0) { report = '\n Installed version : ' + version + ' (Git Date : ' + gitdate + ')' + '\n Fixed version : 2.3.1 (Git Date : Sun May 6 21:15:27 2012 -0700)\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, appname, port, version + ' (Git Date : ' + gitdate + ')');
NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-296.NASL description The xmlrpc interface of cobbler was prone to command injectoin last seen 2020-06-05 modified 2014-06-13 plugin id 74635 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74635 title openSUSE Security Update : cobbler (openSUSE-SU-2012:0655-1)
Redhat
rpms |
|
References
- https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
- http://www.openwall.com/lists/oss-security/2012/05/23/4
- http://www.osvdb.org/82458
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html
- http://www.securityfocus.com/bid/53666
- https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf
- https://github.com/cobbler/cobbler/issues/141
- http://www.openwall.com/lists/oss-security/2012/05/23/18
- http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html