2024-11-19
Platform: Cobbler
Version: 3.0.0 – 3.2.2 / 3.3.6 (all prior to 3.2.3 and 3.3.7)
Vulnerability: Improper Authentication
Severity: Critical
Date: September 25, 2024
What Undercode Says:
Cobbler, a Linux installation server, contains an improper authentication flaw. It allows anyone with network access to the server's XML-RPC interface to gain full control by exploiting a defect in the `utils.get_shared_secret()` function.
Breakdown:
The `utils.get_shared_secret()` function is supposed to return a shared secret for authentication.
Due to an error, the function always returns “-1”.
This bypasses authentication, allowing anyone to connect to the Cobbler XML-RPC server using an empty username and “-1” as the password.
An attacker can then perform any actions on the server, including adding/removing systems or modifying configurations.
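The bug class behind this breakdown is a secret loader that reports failure with an in-band sentinel value (-1), which the caller then treats as a valid secret. The following is a constructed example added here, not Cobbler's own code: a hypothetical loader that returns -1 whenever the secret cannot be read, a login check that stringifies and compares it, and the fail-closed versions of both. The file name, the minimum secret length and the function names are assumptions.

```python
"""Constructed example of the fail-open sentinel bug class described in the breakdown.
Hypothetical code, not Cobbler's own: a shared-secret loader that returns -1 whenever
the secret cannot be read, a login check that compares the supplied password against
whatever the loader returned, and the fail-closed versions of both."""
import secrets
import tempfile
from pathlib import Path

SENTINEL = -1          # in-band error value the flawed loader hands back
MIN_SECRET_LEN = 32    # assumed policy for the fixed loader


def get_shared_secret_flawed(path):
    """Flawed: every read failure collapses to the sentinel -1, which then
    becomes an accepted 'secret'. (The advisory's function returned it always.)"""
    try:
        return Path(path).read_text(encoding="utf-8").strip()
    except OSError:
        return SENTINEL


def login_flawed(username, password, path):
    """Flawed: the sentinel is stringified and compared like a real secret,
    so an empty username with password "-1" passes when the file is unreadable."""
    return username == "" and password == str(get_shared_secret_flawed(path))


class SecretUnavailable(RuntimeError):
    """Raised when no usable shared secret exists."""


def get_shared_secret_fixed(path):
    """Fixed: never returns an in-band error value; raises instead."""
    secret = Path(path).read_text(encoding="utf-8").strip()   # OSError propagates
    if len(secret) < MIN_SECRET_LEN:
        raise SecretUnavailable("shared secret missing or too short")
    return secret


def login_fixed(username, password, path):
    """Fixed: any error loading the secret denies the login (fail closed),
    and the comparison is constant-time."""
    try:
        secret = get_shared_secret_fixed(path)
    except (OSError, SecretUnavailable):
        return False
    return username == "" and secrets.compare_digest(password.encode(), secret.encode())


def demo():
    """Returns (flawed_bypass, fixed_bypass, fixed_legit) using a temporary secret file."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "shared_secret"               # constructed path; does not exist yet
        flawed_bypass = login_flawed("", "-1", path)   # True: sentinel accepted as password
        fixed_bypass = login_fixed("", "-1", path)     # False: missing secret denies login
        path.write_text(secrets.token_hex(32), encoding="utf-8")
        real = path.read_text(encoding="utf-8").strip()
        fixed_legit = login_fixed("", real, path)      # True: genuine secret still works
    return flawed_bypass, fixed_bypass, fixed_legit


if __name__ == "__main__":
    print(demo())
```

The defensive point is that an error path must never produce a value that the authentication comparison can match; raising (or returning None and denying) keeps the failure out of band.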
Impact:
An attacker can take complete control of a vulnerable Cobbler server.
Recommendation:
Upgrade Cobbler to version 3.2.3 or 3.3.7 (or later); both releases fix the vulnerability.
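To turn the recommendation into a check over an inventory, the following helper, added here and not from the page's author or the Cobbler project, parses version strings and flags hosts whose release falls in the affected ranges from the version line above. It assumes the 3.3 line is affected from 3.3.0 and that releases outside the listed ranges are unaffected; the inventory lines and hostnames are constructed.

```python
"""Added inventory check, not from the page's author or the Cobbler project: given
lines of "host <version text>" (constructed sample below), report which hosts run a
release in the affected ranges listed in the advisory. Assumption: the 3.3 line is
affected from 3.3.0, and releases outside the listed ranges are treated as unaffected."""
import re

# Affected as [first, fixed) half-open ranges, taken from the advisory's version line.
AFFECTED_RANGES = (
    ((3, 0, 0), (3, 2, 3)),   # 3.0.0 .. 3.2.2, fixed in 3.2.3
    ((3, 3, 0), (3, 3, 7)),   # 3.3.0 .. 3.3.6 (assumed lower bound), fixed in 3.3.7
)


def parse_version(text):
    """Extracts the first X.Y.Z triple from free text such as `cobbler version` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no X.Y.Z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_text):
    """True when the parsed version sits inside one of the affected ranges."""
    v = parse_version(version_text)
    return any(first <= v < fixed for first, fixed in AFFECTED_RANGES)


def hosts_needing_upgrade(inventory):
    """inventory: iterable of 'hostname <version text>' lines; returns hosts to patch.
    Unparseable versions are reported rather than silently skipped (fail closed)."""
    out = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ver = line.partition(" ")
        try:
            if is_affected(ver):
                out.append(host)
        except ValueError:
            out.append(host + " (unparseable version, verify manually)")
    return out


SAMPLE_INVENTORY = [  # constructed sample, not real hosts
    "# host  version",
    "pxe01 Cobbler 3.2.2",
    "pxe02 Cobbler 3.2.3",
    "pxe03 Cobbler 3.3.6",
    "pxe04 Cobbler 3.3.7",
    "pxe05 unknown",
]

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(host)
```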
Note: This is a critical vulnerability and should be addressed immediately.
References:
Reported By: Github.com
Undercode AI: https://ai.undercodetesting.com
Image Source:
OpenAI: https://openai.com
Undercode AI DI v2: https://ai.undercode.help