First published: Fri Mar 11 2022
### Impact

If PAM is correctly configured and a user account is set to expired, the expired user account is still able to log into Cobbler successfully in all places (Web UI, CLI and XMLRPC API). The same applies to user accounts whose passwords have expired.

### Patches

A patch is available in the latest Cobbler release, `3.3.2`; a backport to `3.2.x` will follow.

### Workarounds

- Delete expired accounts that are able to access Cobbler via PAM.
- Lock the account, for example with `usermod -L <username>` or `passwd -l <username>`, which prefixes the password hash with `!` so that password authentication itself fails. Note that `chage -l <username>` (as named in the original advisory) only lists the account's aging information and locks nothing, and that `chage -E0 <username>` merely expires the account, which is exactly the state this bug ignores. If the account has SSH keys attached, remove them completely.

### References

- Originally discovered by @ysf at https://www.huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d/

### How to test if my Cobbler instance is affected?

The following `pytest` test assumes that your PAM setup is correct. If the added user cannot log in even before its account is expired, running the test is not meaningful. It must run as root on the Cobbler host, because it creates (and afterwards removes) a system user.

```python
import subprocess

from cobbler.api import CobblerAPI
from cobbler.modules.authentication import pam


def test_pam_login_with_expired_user():
    # Arrange - create a PAM test user whose account expiry date is in the past.
    test_username = "expired_user"
    test_password = "password"
    test_api = CobblerAPI()
    # crypt(3) takes the plaintext first and the salt second, and the perl code
    # must be passed unquoted as a single argv element.
    hashed = subprocess.run(
        ["perl", "-e", "print crypt($ARGV[0], $ARGV[1])", test_password, "$6$cobblertest"],
        stdout=subprocess.PIPE,
        check=True,
        text=True,
    ).stdout.strip()
    subprocess.run(["useradd", "-p", hashed, test_username], check=True)
    # chage -E0 sets the account expiry date to 1970-01-01, i.e. already expired.
    subprocess.run(["chage", "-E0", test_username], check=True)

    try:
        # Act
        result = pam.authenticate(test_api, test_username, test_password)

        # Assert - login should fail for an expired account
        assert not result
    finally:
        subprocess.run(["userdel", test_username], check=True)
```

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the Cobbler repository](https://github.com/cobbler/cobbler/issues/new/choose)
* Ask in the [Gitter/Matrix Chat](https://gitter.im/cobbler/community)
* Email us at [cobbler.project@gmail.com](mailto:cobbler.project@gmail.com)
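The advisory does not say why an expired account gets through, but the PAM API draws the relevant line: `pam_authenticate()` only verifies the supplied credentials, while `pam_acct_mgmt()` is the call in which modules such as `pam_unix` enforce account expiry and password expiry, answering `PAM_ACCT_EXPIRED`, `PAM_NEW_AUTHTOK_REQD` or `PAM_AUTHTOK_EXPIRED`. A client that stops after the first call shows exactly the symptom described under Impact. The following is an added example, not Cobbler's own PAM module: a minimal ctypes-based PAM client that performs both steps and turns the pair of return codes into a login decision. It assumes Linux-PAM (`libpam.so.0`), a PAM service named `login` (an assumption; use the service your Cobbler configuration actually points at), and that `pam_login()` runs with enough privilege for `pam_unix` to read `/etc/shadow`. `decide()` is a pure function and can be exercised without PAM at all.

```python
import ctypes
from ctypes import CFUNCTYPE, POINTER, Structure, c_char_p, c_int, c_void_p, cast, sizeof
from ctypes.util import find_library

# Linux-PAM return codes and message styles (values from <security/_pam_types.h>).
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12
PAM_ACCT_EXPIRED = 13
PAM_AUTHTOK_EXPIRED = 27
PAM_PROMPT_ECHO_OFF = 1


class PamHandle(Structure):
    _fields_ = [("handle", c_void_p)]


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    _fields_ = [("resp", c_char_p), ("resp_retcode", c_int)]


# Linux-PAM conversation callback: (num_msg, const struct pam_message **, struct pam_response **, void *)
CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


def decide(auth_rc, acct_rc):
    """Turn the two PAM return codes into the application's (allowed, reason).

    Looking only at auth_rc is the bug class in this advisory: pam_authenticate
    checks the password, and only pam_acct_mgmt enforces account/password expiry.
    """
    if auth_rc != PAM_SUCCESS:
        return (False, "bad credentials (pam_authenticate=%d)" % auth_rc)
    if acct_rc == PAM_SUCCESS:
        return (True, "ok")
    if acct_rc == PAM_ACCT_EXPIRED:
        return (False, "account expired")
    if acct_rc in (PAM_NEW_AUTHTOK_REQD, PAM_AUTHTOK_EXPIRED):
        return (False, "password expired")
    return (False, "account check failed (pam_acct_mgmt=%d)" % acct_rc)


def pam_login(username, password, service="login"):
    """Authenticate AND run the account check; returns (allowed, reason).

    Assumptions: Linux-PAM is installed and `service` (default "login", an
    assumption) has a PAM service file. pam_unix needs /etc/shadow access.
    """
    libpam = ctypes.CDLL(find_library("pam") or "libpam.so.0")
    libc = ctypes.CDLL(find_library("c") or "libc.so.6")
    calloc, strdup = libc.calloc, libc.strdup
    calloc.restype, calloc.argtypes = c_void_p, [ctypes.c_size_t, ctypes.c_size_t]
    strdup.restype, strdup.argtypes = c_void_p, [c_char_p]
    libpam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(PamHandle)]
    for fn in (libpam.pam_authenticate, libpam.pam_acct_mgmt, libpam.pam_end):
        fn.argtypes = [PamHandle, c_int]
        fn.restype = c_int

    pw = password.encode()

    @CONV_FUNC
    def conv(n, messages, responses, appdata):
        # Answer every hidden prompt with the password. PAM frees the array
        # and the strdup'ed strings, so they are allocated with libc.
        responses[0] = cast(calloc(n, sizeof(PamResponse)), POINTER(PamResponse))
        for i in range(n):
            if messages[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                responses[0][i].resp = cast(strdup(pw), c_char_p)
                responses[0][i].resp_retcode = 0
        return PAM_SUCCESS

    handle = PamHandle()
    pam_conv = PamConv(conv, None)
    rc = libpam.pam_start(service.encode(), username.encode(),
                          ctypes.byref(pam_conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return (False, "pam_start failed (%d)" % rc)
    try:
        auth_rc = libpam.pam_authenticate(handle, 0)
        # The second call is the one an expired account fails; skipping it is the bug.
        acct_rc = libpam.pam_acct_mgmt(handle, 0) if auth_rc == PAM_SUCCESS else PAM_AUTH_ERR
        return decide(auth_rc, acct_rc)
    finally:
        libpam.pam_end(handle, rc)
```

On a host where the user from the test above exists, `pam_login("expired_user", "password")` returns `(False, "account expired")`: the password is right, so `pam_authenticate` reports `PAM_SUCCESS`, and a client that consulted only that call would let the account in.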
Credit: security@huntr.dev
Affected Software | Affected Version | How to fix
---|---|---
Cobbler Project Cobbler | <3.3.2 | 
Fedoraproject Fedora | =34 | 
Fedoraproject Fedora | =35 | 
Fedoraproject Fedora | =36 | 
pip/cobbler | <3.3.2 | 3.3.2
The vulnerability ID for this issue is CVE-2022-0860, which has a severity of critical. Cobbler versions prior to 3.3.2 are affected, as are Fedora 34, 35 and 36. To fix CVE-2022-0860, update Cobbler to version 3.3.2 or later.