
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.

Vulnerable Configurations

Part Description Count
Application
Michael_Dehaan
1

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2012-1060.NASL
    descriptionAn updated cobbler package that fixes one security issue is now available for Red Hat Network Satellite 5.4. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Cobbler is a network install server. Cobbler supports PXE, virtualized installs, and re-installing existing Linux machines. A command injection flaw was found in Cobbler
    last seen2020-05-15
    modified2013-01-24
    plugin id64047
    published2013-01-24
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/64047
    titleRHEL 5 / 6 : cobbler (RHSA-2012:1060)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2012:1060. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Plugin identity and revision bookkeeping.
      script_id(64047);
      script_version("1.17");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/14");

      # Cross-references: the CVE, its Bugtraq id and the Red Hat erratum this check tracks.
      script_cve_id("CVE-2012-2395");
      script_bugtraq_id(53666);
      script_xref(name:"RHSA", value:"2012:1060");

      script_name(english:"RHEL 5 / 6 : cobbler (RHSA-2012:1060)");
      script_summary(english:"Checks the rpm output for the updated package");

      # Report text; the long description is the erratum wording, kept verbatim.
      script_set_attribute(attribute:"synopsis", value:"The remote Red Hat host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "An updated cobbler package that fixes one security issue is now
    available for Red Hat Network Satellite 5.4.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    Cobbler is a network install server. Cobbler supports PXE, virtualized
    installs, and re-installing existing Linux machines.
    
    A command injection flaw was found in Cobbler's power management
    XML-RPC method. A remote, authenticated user who is permitted to
    perform Cobbler configuration changes via the Cobbler XML-RPC API,
    could use this flaw to execute arbitrary code with root privileges on
    the Red Hat Network Satellite server. (CVE-2012-2395)
    
    Note: Red Hat Network Satellite uses a special user account to
    configure Cobbler. By default, only this account is permitted to
    perform Cobbler configuration changes, and the credentials for the
    account are only accessible to the Satellite host's administrator. As
    such, this issue only affected environments where the administrator
    allowed other users to make Cobbler configuration changes.
    
    Users of Red Hat Network Satellite 5.4 are advised to upgrade to this
    updated cobbler package, which contains a backported patch to correct
    this issue. Red Hat Network Satellite must be restarted
    ('/usr/sbin/rhn-satellite restart') for this update to take effect.");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2012:1060");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2012-2395");
      script_set_attribute(attribute:"solution", value:"Update the affected cobbler package.");

      # Scoring as published for the CVE (CVSS2 base and temporal vectors).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      # Credentialed local check against the cobbler package on RHEL 5 and 6.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cobbler");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");

      script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");

      # Host facts (release string, rpm list, CPU) come from the SSH info-gathering plugin.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Credentialed local checks are required to enumerate installed rpms.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    # The target must identify as Red Hat Enterprise Linux 5.x or 6.x.
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    ver_match = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = ver_match[1];
    if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver))
    {
      audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x", "Red Hat " + os_ver);
    }

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # Only architectures the erratum ships packages for are checked.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$" || "s390" >< cpu))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    }

    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (empty_or_null(yum_updateinfo))
    {
      # No yum updateinfo available: compare the installed rpm against the
      # fixed Satellite builds named in the erratum, per release.
      vuln_count = 0;
      if (rpm_check(release:"RHEL5", reference:"cobbler-2.0.7-14.6.el5sat")) vuln_count++;
      if (rpm_check(release:"RHEL6", reference:"cobbler-2.0.7-14.6.el6sat")) vuln_count++;

      if (vuln_count > 0)
      {
        security_report_v4(
          port     : 0,
          severity : SECURITY_HOLE,
          extra    : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        # Distinguish "package present but patched" from "package absent".
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cobbler");
      }
    }
    else
    {
      # yum updateinfo is present: let the advisory id drive the verdict.
      rhsa = "RHSA-2012:1060";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (empty_or_null(yum_report))
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
      else
      {
        security_report_v4(
          port     : 0,
          severity : SECURITY_HOLE,
          extra    : yum_report
        );
        exit(0);
      }
    }
    
  • NASL familyCGI abuses
    NASL idCOBBLER_POWER_COMMAND_INJECTION.NASL
    descriptionAccording to its self-reported version, the Cobbler install on the remote host is affected by a command injection vulnerability that can be exploited by sending a specially crafted username or password argument to the
    last seen2020-06-01
    modified2020-06-02
    plugin id59402
    published2012-06-07
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59402
    titleCobbler xmlrpc API power_system Method Remote Shell Command Execution
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Plugin identity and revision bookkeeping.
      script_id(59402);
      script_version("1.6");
      script_cvs_date("Date: 2019/12/04");

      script_cve_id("CVE-2012-2395");
      script_bugtraq_id(53666);

      script_name(english:"Cobbler xmlrpc API power_system Method Remote Shell Command Execution");
      script_summary(english:"Checks version of Cobbler");

      # Report text. This is a version/date check only; it does not exercise the method.
      script_set_attribute(attribute:"synopsis", value:
    "The remote service is affected by a command injection vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cobbler install on the
    remote host is affected by a command injection vulnerability that can
    be exploited by sending a specially crafted username or password
    argument to the 'power_system' method. 
    
    Successful exploitation requires an authenticated user and xmlrpc API
    access.");
      # Upstream fix commit: https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0c3391f4");
      script_set_attribute(attribute:"see_also", value:"https://github.com/cobbler/cobbler/issues/141");
      script_set_attribute(attribute:"see_also", value:"https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the latest developmental version of Cobbler or apply the
    fixes manually.");

      # Scoring as published for the CVE (CVSS2 base and temporal vectors).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-2395");

      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/07");

      # Flagged as a potential finding: the verdict rests on a self-reported version.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:michael_dehaan:cobbler");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");

      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      # Relies on the Cobbler web-admin and xmlrpc detection plugins, and on paranoid reporting being enabled.
      script_dependencies("cobbler_admin_detect.nasl", "cobbler_xmlrpc_detect.nasl");
      script_require_keys("www/cobbler/xmlrpc", "Settings/ParanoidReport", "www/cobbler_web_admin");

      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("datetime.inc");
    include("webapp_func.inc");
    
    # The verdict is based on version and git snapshot date only, so the
    # check is gated behind paranoid reporting.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);

    port = get_http_port(default:80);
    install = get_install_from_kb(appname:'cobbler_web_admin', port:port, exit_on_fail:TRUE);

    appname = "Cobbler";
    kb_base = "www/" + port + "/cobbler/xmlrpc/";

    # Version and git snapshot details were stored in the KB by the xmlrpc detection plugin.
    version = get_kb_item_or_exit(kb_base + "Version");
    url = build_url(port:port, qs:install['dir'] + '/');
    if (version == 'unknown') audit(AUDIT_UNKNOWN_WEB_APP_VER, appname, url);

    gitdate = get_kb_item_or_exit(kb_base + "GitDate");
    gitstamp = get_kb_item_or_exit(kb_base + "GitStamp");

    # Extract month name, day and year from the git-style date string.
    date_parts = eregmatch(pattern:"[A-Z][a-z]{2} ([A-Z][a-z]{2}) ([0-9]{1,2}) [0-9]{2}:[0-9]{2}:[0-9]{2} ([0-9]{4}) ", string:gitdate);
    if (isnull(date_parts)) exit(1, "Failed to parse '"+kb_base+"GitDate' KB item.");

    month = int(month_num_by_name(base:1, date_parts[1]));
    day = int(date_parts[2]);
    year = int(date_parts[3]);

    # Released versions below 2.2.3 are affected (the author stated the next release, 2.2.3, carries the fix).
    affected = (ver_compare(ver:version, fix:'2.2.3', strict:FALSE) == -1);

    # 2.3.x development snapshots are affected when built before 2012-05-06,
    # or on that day unless the snapshot is one of the two commits carrying the fix.
    # Only the calendar date is compared; the time of day is not used.
    if (!affected && version =~ "^2\.3\.")
    {
      if (year < 2012) affected = TRUE;
      else if (year == 2012 && month < 5) affected = TRUE;
      else if (year == 2012 && month == 5 && day < 6) affected = TRUE;
      else if (year == 2012 && month == 5 && day == 6 && gitstamp != "1003578" && gitstamp != "6d9167e") affected = TRUE;
    }

    if (!affected) audit(AUDIT_LISTEN_NOT_VULN, appname, port, version + ' (Git Date : ' + gitdate + ')');

    if (report_verbosity > 0)
    {
      report =
        '\n  Installed version : ' + version + ' (Git Date : ' + gitdate + ')' +
        '\n  Fixed version     : 2.3.1 (Git Date : Sun May 6 21:15:27 2012 -0700)\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2012-296.NASL
    descriptionThe xmlrpc interface of cobbler was prone to command injection
    last seen2020-06-05
    modified2014-06-13
    plugin id74635
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74635
    titleopenSUSE Security Update : cobbler (openSUSE-SU-2012:0655-1)

Redhat

rpms
  • cobbler-0:2.0.7-14.6.el5sat
  • cobbler-0:2.0.7-14.6.el6sat