8.2

CVSS Score

3.0

Basic Information

CVE ID

CVE-2022-0860

GHSA ID

GHSA-mcg6-h362-cmq5

EPSS Score

0.69178%

CWE

CWE-285

Published

3/11/2022

Updated

11/18/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-0860

CVE-2022-0860: Improper Authorization in cobbler

Impact

If PAM is correctly configured and a user account is set to expired, the expired user-account is still able to successfully log into Cobbler in all places (Web UI, CLI & XMLRPC-API).

The same applies to user accounts with passwords set to be expired.

Patches

There is a patch for the latest Cobbler 3.3.2 available, however a backport will be done for 3.2.x.

Workarounds

Delete expired accounts which are able to access Cobbler via PAM.
Use chage -l <username> to lock the account. If the account has SSH-Keys attached then remove them completely.

References

Originally discovered by @ysf at https://www.huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d/

How to test if my Cobbler instance is affected?

The following pytest test assumes that your PAM setup is correct. In case the added user is not able to login, this test does not make sense to be executed.

def test_pam_login_with_expired_user():
    # Arrange
    # create pam testuser
    test_username = "expired_user"
    test_password = "password"
    test_api = CobblerAPI()
    subprocess_1 = subprocess.run(
        ["perl", "-e", "'print crypt(\"%s\", \"%s\")'" % (test_username, test_password)],
        stdout=subprocess.PIPE
    )
    subprocess.run(["useradd", "-p", subprocess_1.stdout, test_username])
    # change user to be expired
    subprocess.run(["chage", "-E0", test_username])

    # Act
    result = pam.authenticate(test_api, test_username, test_password)

    # Assert - login should fail
    assert not result

For more information

If you have any questions or comments about this advisory:

Open an issue in the Cobbler repository
Ask in the Gitter/Matrix Chat
Email us at cobbler.project@gmail.com

(GitHub Advisory)

8.2

CVSS Score

3.0

Basic Information

CVE ID

CVE-2022-0860

GHSA ID

GHSA-mcg6-h362-cmq5

EPSS Score

0.69178%

CWE

CWE-285

Published

3/11/2022

Updated

11/18/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cobbler	pip	< 3.3.2	3.3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing account status checks after authentication. The pre-patch code in pam.py's authenticate() function only called PAM_AUTHENTICATE to verify credentials, but didn't call PAM_ACCT_MGMT to check account expiration/lock status. The commit diff shows the vulnerability was fixed by adding PAM_ACCT_MGMT call after successful authentication. The test case security_test.py demonstrates this by creating an expired user that should fail authentication but previously succeeded.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* P*M is *orr**tly *on*i*ur** *n* * us*r ***ount is s*t to *xpir**, t** *xpir** us*r-***ount is still **l* to su***ss*ully lo* into *o**l*r in *ll pl***s (W** UI, *LI & XMLRP*-*PI). T** s*m* *ppli*s to us*r ***ounts wit* p*sswor*s s*t t

Reasoning

T** vuln*r**ility st*ms *rom missin* ***ount st*tus ****ks **t*r *ut**nti**tion. T** pr*-p*t** *o** in p*m.py's *ut**nti**t*() *un*tion only **ll** P*M_*UT**NTI**T* to v*ri*y *r***nti*ls, *ut *i*n't **ll P*M_***T_M*MT to ****k ***ount *xpir*tion/lo*k

8.2

Basic Information

Concerned about an active attack path?

CVE-2022-0860: Improper Authorization in cobbler

Impact

Patches

Workarounds

References

How to test if my Cobbler instance is affected?

For more information

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI