CVE-2018-1000226

Vulnerability

Cobbler versions 2.0.0+ (verified in 2.6.11+) suffer from an incorrect access control vulnerability in the XMLRPC API (/cobbler_api). The API exposes 195 methods, but many of them do not validate the security token passed by the client, including dangerous endpoints such as modify_setting and upload_log_data. This allows any network-accessible attacker to bypass authentication entirely [1][2][3].

Exploitation

An attacker with network connectivity to the Cobbler server can send crafted XMLRPC requests to the /cobbler_api endpoint. For example, by calling modify_setting with a bogus token, the attacker can enable anamon_enabled (which is normally disabled and guarded) and then use upload_log_data to write arbitrary files to the server. No valid credentials are needed [1][3].

Impact

Successful exploitation leads to privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. The upload_log_data endpoint can be abused to write files, potentially leading to remote code execution if an attacker uploads a malicious script. The compromise gives the attacker full control over the Cobbler configuration and managed systems [1][2][3].

Mitigation

As of the publication date (2018-08-20), no official patch had been released. The primary workaround is to restrict network access to the /cobbler_api endpoint using a firewall or other network-level controls. Users should monitor the Cobbler project for a fix and upgrade when available [1][3][4].