Cobbler DC-2024-47533

2024-11-19

Platform: Cobbler

Version: 3.0.0 – 3.2.2 / 3.3.6 (all prior to 3.2.3 and 3.3.7)

Vulnerability: Improper Authentication

Severity: Critical

Date: September 25, 2024

What Undercode Says:

Cobbler, a Linux installation server, is vulnerable to an improper authentication flaw. This vulnerability allows anyone with network access to the server to gain full control by exploiting a flaw in the `utils.get_shared_secret()` function.

Breakdown:

The `utils.get_shared_secret()` function is supposed to return a shared secret for authentication.
Due to an error, the function always returns “-1”.
This bypasses authentication, allowing anyone to connect to the Cobbler XML-RPC server using an empty username and “-1” as the password.
An attacker can then perform any actions on the server, including adding/removing systems or modifying configurations.
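The failure mode described in the breakdown, as an added illustration that is not Cobbler's own code: a secret loader whose error sentinel flows straight into the password comparison, placed next to a fail-closed version. The web.ss file name, the "rb"-with-encoding mistake as the trigger, and the login logic are assumptions made for the illustration.

```python
import hmac
import os
import secrets
import tempfile

def get_shared_secret_vulnerable(path):
    # Assumed shape of the bug: every read failure becomes the sentinel -1, and
    # "rb" combined with encoding= always raises ValueError, so -1 is all it ever returns.
    try:
        with open(path, "rb", encoding="utf-8") as fd:
            data = fd.read()
    except Exception:
        return -1
    return data.decode("utf-8").strip()

def login_vulnerable(username, password, path):
    # str() turns the error sentinel into the accepted password "-1".
    return username == "" and password == str(get_shared_secret_vulnerable(path))

class SecretUnavailable(Exception):
    pass

def get_shared_secret_fixed(path):
    # Hardened: an unreadable or empty secret is an error, never a value to compare.
    with open(path, "rb") as fd:
        data = fd.read().strip()
    if not data:
        raise SecretUnavailable("shared secret file is empty")
    return data

def login_fixed(username, password, path):
    try:
        secret = get_shared_secret_fixed(path)
    except (OSError, SecretUnavailable):
        return False  # fail closed instead of accepting a fallback value
    return username == "" and hmac.compare_digest(secret, password.encode("utf-8"))

def demo():
    # Constructed sample: a random secret written to a temporary web.ss file.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "web.ss")
        real = secrets.token_hex(16)
        with open(path, "w", encoding="utf-8") as fd:
            fd.write(real + "\n")
        return {
            "vuln_accepts_-1": login_vulnerable("", "-1", path),
            "vuln_accepts_real": login_vulnerable("", real, path),
            "fixed_accepts_-1": login_fixed("", "-1", path),
            "fixed_accepts_real": login_fixed("", real, path),
        }
```

Calling demo() shows the vulnerable loader accepting "-1" while rejecting the real secret, and the fixed loader doing the reverse.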

Impact:

An attacker can take complete control of a vulnerable Cobbler server.

Recommendation:

Upgrade Cobbler to version 3.2.3 or 3.3.7 (or later), which fix the vulnerability.

Note: This is a critical vulnerability and should be addressed immediately.

References:

Reported By: Github.com
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://openai.com
Undercode AI DI v2: https://ai.undercode.help
