Cobbler restrict Kickstart Directory (Security Issue)

[dolevf]

hi,

As discussed in mailing lists, it makes sense restricting access to the kickstart directory in cobbler, so local file inclusions other than kickstart files are prohibited.

by specifiying 'Kickstart' value to /etc/passwd or any other crucial system file, local files are exposed by the cobbler web_ui and is a security vulnerability.

this issue has been opened here after discussion with Jorgen Maas.

Thanks,

Dolev Farhi, F5 Networks Inc

[jmaas]

Fixed in master, will be in 2.8 release

[dolevf]

Awesome!

Dolev Farhi
On May 23, 2014 11:54 PM, "Jörgen Maas" notifications@github.com wrote:

Fixed in master, will be in 2.8 release

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/939#issuecomment-44059229
.

[opoplawski]

We have CVE-2014-3225 bugs filed against the cobbler packages in Fedora/EPEL:

https://bugzilla.redhat.com/show_bug.cgi?id=1095846
https://bugzilla.redhat.com/show_bug.cgi?id=1095845

any chance this could be back-ported to at least 2.6?

[jmaas]

Yes, and in my book this warrants new releases in 2.4 and 2.6.
I will get the patches in tomorrow and do the releases.

[jmaas]

@opoplawski are you also maintaining cobbler for EPEL5 ???

[jmaas]

note to self: one of the patches from alanoe broke cobbler-web for snippets/kickstart edits
fix for that is somewhere in master.

[jmaas]

Merged into 2.4 and 2.6, will release tomorrow.

[jmaas]

2.4.6 and 2.6.3 have been released.

[opoplawski]

I appear to be the cobbler maintainer for all Fedora and Fedora EPEL releases.

[jmaas]

So, Jimi granted you all rights on the cobbler packages ??

On Sat, Jul 19, 2014 at 12:52 AM, Orion Poplawski notifications@github.com
wrote:

I appear to be the cobbler maintainer for all Fedora and Fedora EPEL
releases.

—
Reply to this email directly or view it on GitHub
#939 (comment).

Grtz,
Jörgen Maas

[opoplawski]

On 07/18/2014 11:12 PM, Jörgen Maas wrote:

So, Jimi granted you all rights on the cobbler packages ??

No, I've been using my provenpackager powers to maintain it.

Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com

[dolevf]

Hi all
the problem is still reproducible in version 2.6.3..

[jmaas]

[root@cobbler cobbler]# cobbler system edit --name=test3 --kickstart=/var/lib/cobbler/kickstarts/default.ks
[root@cobbler cobbler]# cobbler system report --name=test3 | grep ^Kickstart
Kickstart                      : /var/lib/cobbler/kickstarts/default.ks
Kickstart Metadata             : {}
[root@cobbler cobbler]# cobbler system edit --name=test3 --kickstart=/etc/shadow
exception on server: 'Invalid kickstart template file location /etc/shadow, it is not inside /var/lib/cobbler/kickstarts/'
[root@cobbler cobbler]# cobbler system report --name=test3 | grep ^Kickstart
Kickstart                      : /var/lib/cobbler/kickstarts/default.ks
Kickstart Metadata             : {}
[root@cobbler cobbler]# 

[jmaas]

Again, backported to 2.4 and 2.6 branches.

[jmaas]

Will do another release soonish. If you could please test the code?

[dolevf]

will do

[timcoote]

The solution described here is just making it into the redhat world, so I'm only just encountering it. Can you point me at the original discussions as I cannot understand the vulnerability, not the threats from the descriptions in the issue thread.

At the same time, the solution appears to introduce an unnecessary privilege escalation, which is a security issue in itself - the kickstart files must now sit in root managed filespace of the cobbler host, leading to wider than necessary write access to those files.