Improper Authorization in cobbler/cobbler
Reported on
Mar 2nd 2022
Description
When cobbler-web is configured to authenticate via PAM, the validity of the account is not checked after authentication. Therefore expired accounts can still log in.
Proof of Concept
Enable authn_pam in the modules.conf
Create a testuser to login
$ useradd expired_user
$ passwd expired_user
# 12345
$ chage -E0 expired_user
Log in via cobbler-web and observe that it succeeds, although the account is expired (chage -E0 sets the expiry date to day 0, i.e. 1970-01-01) and should not have any privileges anymore.
Impact
Since disabling (locking the password of) an account would still allow login via SSH keys or similar, it is common practice to expire a PAM account instead. PAM therefore requires applications to check the handle with pam_acct_mgmt() after a successful pam_authenticate().
After successful authentication, cobbler-web does not check the account validity via pam_acct_mgmt(). This allows access to accounts that have expired or whose passwords have expired; both should be denied access by PAM convention. Depending on how Cobbler is configured this can become quite severe, since privileges are not revoked from an account without a reason.
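The two-step check described above, as an added example (this is not Cobbler's or python-pam's code): a ctypes binding to Linux-PAM that calls pam_authenticate() and then pam_acct_mgmt(), and denies the login unless both return PAM_SUCCESS. The service name "login", the helper names and the FakeLibpam stand-in (a constructed double so the decision logic can be exercised on a host without a PAM stack or a test user) are assumptions for illustration; the return codes and struct layouts are those of Linux-PAM's <security/pam_appl.h>.

```python
"""PAM login check: pam_authenticate() followed by pam_acct_mgmt().
Added example, not Cobbler's code.  Linux-PAM layouts and return codes."""
import ctypes
import functools
from ctypes import (CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int,
                    c_size_t, c_void_p, cast)
from ctypes.util import find_library

# Return codes and prompt styles from <security/pam_appl.h> (Linux-PAM).
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12   # password expired, must be changed
PAM_ACCT_EXPIRED = 13       # account expired, e.g. after `chage -E0`
PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    # resp is void* so a libc-allocated string can be stored; PAM free()s it.
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]


CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


@functools.lru_cache(maxsize=None)
def _libc():
    libc = ctypes.CDLL(find_library("c"))
    libc.calloc.restype, libc.calloc.argtypes = c_void_p, [c_size_t, c_size_t]
    libc.strdup.restype, libc.strdup.argtypes = c_void_p, [c_char_p]
    return libc


def _make_conv(password):
    """Conversation callback that answers every password prompt with `password`."""
    def conv(n_messages, messages, p_response, appdata):
        libc = _libc()
        # PAM frees the response array and each string with free(), so allocate with libc.
        responses = cast(libc.calloc(n_messages, ctypes.sizeof(PamResponse)),
                         POINTER(PamResponse))
        p_response[0] = responses
        for i in range(n_messages):
            if messages[i].contents.msg_style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                responses[i].resp = libc.strdup(password.encode())
        return PAM_SUCCESS
    return CONV_FUNC(conv)


def _load_libpam():
    path = find_library("pam")
    if path is None:
        raise OSError("libpam not found on this host")
    lib = ctypes.CDLL(path)
    lib.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    lib.pam_authenticate.argtypes = [c_void_p, c_int]
    lib.pam_acct_mgmt.argtypes = [c_void_p, c_int]
    lib.pam_end.argtypes = [c_void_p, c_int]
    for fn in (lib.pam_start, lib.pam_authenticate, lib.pam_acct_mgmt, lib.pam_end):
        fn.restype = c_int
    return lib


def authenticate(username, password, service="login", lib=None):
    """Return (ok, reason). ok is True only if BOTH PAM steps succeed.
    `service` ("login") is an assumed PAM service name; `lib` allows injecting a double."""
    lib = lib or _load_libpam()
    handle = c_void_p()
    conv = PamConv(conv=_make_conv(password), appdata_ptr=None)
    rc = lib.pam_start(service.encode(), username.encode(), byref(conv), byref(handle))
    if rc != PAM_SUCCESS:
        return False, f"pam_start failed ({rc})"
    try:
        rc = lib.pam_authenticate(handle, 0)
        if rc != PAM_SUCCESS:
            return False, f"authentication failed ({rc})"
        # The step the vulnerable code skipped: account expiry, expired passwords and
        # pam_access/pam_time style restrictions are all enforced here.
        rc = lib.pam_acct_mgmt(handle, 0)
        if rc == PAM_ACCT_EXPIRED:
            return False, "account expired"
        if rc == PAM_NEW_AUTHTOK_REQD:
            return False, "password expired"
        if rc != PAM_SUCCESS:
            return False, f"account check failed ({rc})"
        return True, "ok"
    finally:
        lib.pam_end(handle, rc)


class FakeLibpam:
    """Constructed stand-in for libpam (not real PAM) returning fixed codes."""
    def __init__(self, auth_rc, acct_rc):
        self.auth_rc, self.acct_rc, self.ended = auth_rc, acct_rc, False

    def pam_start(self, service, user, conv, handle):
        return PAM_SUCCESS

    def pam_authenticate(self, handle, flags):
        return self.auth_rc

    def pam_acct_mgmt(self, handle, flags):
        return self.acct_rc

    def pam_end(self, handle, status):
        self.ended = True
        return PAM_SUCCESS
```

On the proof-of-concept host, `authenticate("expired_user", "12345")` with the real libpam returns `(False, "account expired")`, because pam_unix reports PAM_ACCT_EXPIRED from pam_acct_mgmt() even though pam_authenticate() accepted the password; a check that stops after pam_authenticate() is exactly the bug reported here. Note that pam_end() is always called so the handle is not leaked on the denial paths.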
References
I'm open to adjustments of the CVE scoring. I think it's pretty difficult to estimate. I did not want to be rude or demanding in any way.
Hi, I acknowledge that I have read the bug report. I will try to confirm the bug by the end of Monday (Berlin time).
If this bug is valid, not only cobbler-web is affected, because the authentication is also used for the CLI and the XML-RPC API.
Sorry I didn't sign in before. I am the upstream maintainer.
The code we have is based upon a very old version of https://github.com/FirefighterBlu3/python-pam
I will try to check if a possible fix is to upgrade to a version of this library.
I'll check and will think about adding a report for python-pam too. Thank you
The current FirefighterBlu3/python-pam version has pam_acct_mgmt() in its build: FirefighterBlu3/python-pam/pam/internals.py
So this means switching to this library would solve the issue in your eyes?
Yes, but my suggestion is to apply my patch/fix. It's not a big change and would not need as much retesting as a new library would.
I do not see a patch on this webpage. Did I overlook something? Also, I had internal plans to switch to this library, as currently there is no PAM knowledge present in the Cobbler maintainers group.
I fully agree that there are more risks involved; however, I would love to still switch for the reasons stated above. I hope that a dedicated library is better tested and maintained than our very old copy-and-pasted code from the original (https://pypi.org/project/pam/).
@admin can you help? The fix is not visible.
It's over here https://github.com/ysf/cobbler in the fix-pam branch. I completely understand your decision though.
Okay, I had a look. That fix is better than my idea indeed. Sadly you messed with the line endings, which means the whole file is marked as a diff, but I can fix that on my end.
Due to the fact that you pushed this to a public fork I would handle this as a public vulnerability now. Everyone can find and see your commit.
I will thus accept your report and we can go ahead and open the PR on upstream already. An embargo would not make sense because the commit is already public which describes the fix.
I had to publish it this way because huntr.dev asks for it that way. I agree that this is stupid.
I am writing a pytest case which automatically checks that this does not happen. From your side I consider everything done; I will handle it from here on.
Hey all 👋
You should be able to see the submitted patch as part of the conversation feed. It is the second message in this chat thread.
You can directly click the hyperlink in that message to see the fix.
When you are ready (@maintainer) to confirm the fix against the report using the action button on the right side of the page, you will have an option to select @ysf as the fixer.
Let me know if you have any more questions, and happy to support you.
I have also created this issue on our roadmap to address the creation of fixes publicly:
Okay, I see now where the patch is, but since this is not a comment but an activity message I did not identify it as accessible to me and thus skipped it. Thanks for the explanation!
I have also created an issue on our public repository to address this as well! ^
Since I can only confirm the fix once it is published in the repo I have created https://github.com/cobbler/cobbler/security/advisories/GHSA-mcg6-h362-cmq5 to coordinate the efforts until that is the case. The reporter has been added to the GH Security Vulnerability Draft linked above.
I believe I have problems with my environment. I asked for help from a colleague who is familiar with this matter.