CVE-2012-2395
Publication date 16 June 2012
Last updated 24 July 2024
Ubuntu priority
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
Status
Package | Ubuntu Release | Status |
---|---|---|
cobbler | 18.04 LTS bionic | Not in release |
cobbler | 16.04 LTS xenial | Not affected |
cobbler | 14.04 LTS trusty | Not in release |
maas-provision | 18.04 LTS bionic | Not in release |
maas-provision | 16.04 LTS xenial | Not in release |
maas-provision | 14.04 LTS trusty | Not in release |
Notes
jdstrand
maas-provision in 12.04 is a code copy of cobbler, but with reduced features and usage. Only the portions of maas-provision specifically used by maas will receive official support.

maas in 12.10 as of 0.1+bzr971+dfsg-0ubuntu1 no longer depends on maas-provision and maas-provision has moved to universe. 12.04 should also receive this update for maas, so deferring for now.

maas-provision removed from 12.10 before release.

power functionality is blocked by the AppArmor profile in maas-provision on 12.04 LTS, so this vulnerability is mitigated. This was tested by modifying /usr/share/pyshared/cobbler/utils.py to remove the check for invalid characters, then getting a system name with 'sudo cobbler list' then doing something like:

```
$ sudo cobbler system edit --name node-457f02f2-3fe6-11e2-a048-525400209fb8 \
    --power-type ether_wake \
    --power-user Admin --power-pass PASSWORD \
    --power-address 'AA:BB:CC:DD:EE:FF" ; /usr/bin/touch /gotcha ; "'
$ sudo cobbler system poweron --name=node-457f02f2-3fe6-11e2-a048-525400209fb8
```
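The bug class in the description above (a character denylist in front of a shell command), shown next to two defenses, as an added example that is neither Cobbler's code nor part of jdstrand's note: per-field allowlists, and passing each field as a single argv element so no shell parses it. The denylist characters, the regular expressions and the stand-in "power tool" are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Constructed sample: the --power-address value from the test note above.
PAGE_VALUE = 'AA:BB:CC:DD:EE:FF" ; /usr/bin/touch /gotcha ; "'

# Hypothetical denylist for illustration; not Cobbler's actual character list.
DENYLIST = set(';|&"\'')

# Allowlists describe what a field may be rather than what it may not contain.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
USER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Stand-in for a power tool (assumption): writes its first argument to stdout.
ECHO_ARGV = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def denylist_ok(value):
    """Denylist check: accepts anything that avoids the listed characters."""
    return not any(ch in DENYLIST for ch in value)


def valid_mac(value):
    """Allowlist check: the entire string must be a MAC address."""
    return MAC_RE.fullmatch(value) is not None


def valid_user(value):
    """Allowlist check for a power username (assumed character set)."""
    return USER_RE.fullmatch(value) is not None


def run_without_shell(argv_prefix, field):
    """Pass the field as a single argv element; no shell ever parses it."""
    done = subprocess.run(argv_prefix + [field], shell=False,
                          capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    for candidate in ("AA:BB:CC:DD:EE:FF", "AA:BB:CC:DD:EE:FF junk", PAGE_VALUE):
        print(repr(candidate), "denylist:", denylist_ok(candidate),
              "allowlist:", valid_mac(candidate))
    # Even unvalidated, the value reaches the tool as inert data.
    print(run_without_shell(ECHO_ARGV, PAGE_VALUE) == PAGE_VALUE)
```

A password cannot usefully be restricted to an allowlisted character set, so for that field the no-shell invocation is the control that matters. A password passed as an argv element is still visible in the process list, so a tool that reads it from stdin or a file is preferable where available.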