
Cobbler restrict Kickstart Directory (Security Issue) #939

Closed
dolevf opened this Issue · 17 comments

4 participants

@dolevf

Hi,

As discussed on the mailing list, it makes sense to restrict access to the kickstart directory in cobbler, so that local file inclusion of anything other than kickstart files is prohibited.

By setting the 'Kickstart' value to /etc/passwd or any other crucial system file, local files are exposed by the cobbler web_ui, which is a security vulnerability.

This issue has been opened here after discussion with Jorgen Maas.

Thanks,

Dolev Farhi, F5 Networks Inc

@jmaas jmaas added the security label
@jmaas jmaas added this to the 2.8.0 milestone
@jmaas jmaas self-assigned this
@jmaas
Owner

Fixed in master, will be in 2.8 release

@jmaas jmaas closed this
@dolevf
@opoplawski
Collaborator

We have CVE-2014-3225 bugs filed against the cobbler packages in Fedora/EPEL:

https://bugzilla.redhat.com/show_bug.cgi?id=1095846
https://bugzilla.redhat.com/show_bug.cgi?id=1095845

any chance this could be back-ported to at least 2.6?

@jmaas jmaas reopened this
@jmaas
Owner

Yes, and in my book this warrants new releases in 2.4 and 2.6.
I will get the patches in tomorrow and do the releases.

@jmaas
Owner

@opoplawski are you also maintaining cobbler for EPEL5?

@jmaas
Owner

note to self: one of the patches from alanoe broke cobbler-web for snippets/kickstart edits
fix for that is somewhere in master.

@jmaas jmaas added the priority label
@jmaas
Owner

Merged into 2.4 and 2.6, will release tomorrow.

@jmaas
Owner

2.4.6 and 2.6.3 have been released.

@jmaas jmaas closed this
@opoplawski
Collaborator

I appear to be the cobbler maintainer for all Fedora and Fedora EPEL releases.

@jmaas
Owner
@opoplawski
Collaborator
@dolevf

Hi all
the problem is still reproducible in version 2.6.3..

@jmaas jmaas reopened this
@jmaas jmaas closed this in 3881394
@jmaas jmaas reopened this
@jmaas
Owner

```
[root@cobbler cobbler]# cobbler system edit --name=test3 --kickstart=/var/lib/cobbler/kickstarts/default.ks
[root@cobbler cobbler]# cobbler system report --name=test3 | grep ^Kickstart
Kickstart                      : /var/lib/cobbler/kickstarts/default.ks
Kickstart Metadata             : {}
[root@cobbler cobbler]# cobbler system edit --name=test3 --kickstart=/etc/shadow
exception on server: 'Invalid kickstart template file location /etc/shadow, it is not inside /var/lib/cobbler/kickstarts/'
[root@cobbler cobbler]# cobbler system report --name=test3 | grep ^Kickstart
Kickstart                      : /var/lib/cobbler/kickstarts/default.ks
Kickstart Metadata             : {}
[root@cobbler cobbler]# 
```
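To make the check shown in that transcript concrete, here is an added example of the kind of path validation the error message describes. It is my own illustration, not Cobbler's code: the function and class names are hypothetical, the temporary directory stands in for /var/lib/cobbler/kickstarts/, and the "secret" file and symlink are constructed test fixtures. It puts a plain string-prefix test next to a canonicalising one, because the prefix test is the intuitive fix and it still lets `..` traversal, a sibling directory with the same prefix, and a planted symlink through.

```python
import os
import tempfile

# Hypothetical names for illustration; not Cobbler's own code.
# The default directory matches the one named in the error message above.
KICKSTART_DIR = "/var/lib/cobbler/kickstarts/"


class InvalidKickstartLocation(ValueError):
    """Raised when a kickstart path resolves outside the allowed directory."""


def naive_check(path, base=KICKSTART_DIR):
    """The weak form: a plain string-prefix test.

    It accepts '/var/lib/cobbler/kickstarts/../../../../etc/shadow' because the
    string starts with the base even though it resolves to /etc/shadow, and it
    accepts '/var/lib/cobbler/kickstarts_evil/x.ks' because the prefix matches.
    """
    return path.startswith(base.rstrip(os.sep))


def validate_kickstart_path(path, base=KICKSTART_DIR):
    """Canonicalise both paths and require the target to sit under base.

    realpath() collapses '..' and follows symlinks, so a symlink planted inside
    the directory that points at /etc/shadow is rejected as well.
    Returns the canonical path, or raises InvalidKickstartLocation.
    """
    base_real = os.path.realpath(base)
    target = os.path.realpath(path)
    # commonpath compares whole path components, so '/x/kickstarts_evil'
    # is not treated as being inside '/x/kickstarts'.
    inside = os.path.commonpath([base_real, target]) == base_real
    if not inside or target == base_real:
        raise InvalidKickstartLocation(
            "Invalid kickstart template file location %s, "
            "it is not inside %s" % (path, base)
        )
    return target


def read_kickstart(path, base=KICKSTART_DIR):
    """What a template renderer should do: validate first, then open."""
    with open(validate_kickstart_path(path, base)) as f:
        return f.read()


def run_cases():
    """Build a throwaway kickstart directory plus a file outside it (constructed
    fixtures), then run both checks on a set of constructed paths.
    Returns {case: (naive_accepts, strict_accepts)}."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "kickstarts") + os.sep
    os.mkdir(base)
    with open(os.path.join(base, "default.ks"), "w") as f:
        f.write("install\n")
    secret = os.path.join(root, "secret")          # stands in for /etc/shadow
    with open(secret, "w") as f:
        f.write("root:$6$...:::\n")
    os.symlink(secret, os.path.join(base, "link.ks"))   # planted symlink
    os.mkdir(os.path.join(root, "kickstarts_evil"))     # same-prefix sibling

    cases = {
        "legit":     base + "default.ks",
        "absolute":  secret,
        "traversal": base + "../secret",
        "sibling":   os.path.join(root, "kickstarts_evil", "x.ks"),
        "symlink":   base + "link.ks",
    }
    results = {}
    for name, p in cases.items():
        try:
            validate_kickstart_path(p, base)
            strict = True
        except InvalidKickstartLocation:
            strict = False
        results[name] = (naive_check(p, base), strict)
    return results


if __name__ == "__main__":
    for name, (naive, strict) in run_cases().items():
        print("%-10s naive=%-5s strict=%s" % (name, naive, strict))
```

Only the legitimate file passes the canonicalising check; the prefix test lets traversal, the sibling directory and the symlink through. Resolving symlinks is also why the check needs the template directory itself to be writable only by trusted users: anyone who can write there can point a symlink wherever they like, and the directory restriction is what makes that the only remaining path to worry about.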
@jmaas
Owner

Again, backported to 2.4 and 2.6 branches.

@jmaas
Owner

Will do another release soonish. If you could please test the code?

@jmaas jmaas closed this
@dolevf

will do

@timcoote

The solution described here is just making it into the Red Hat world, so I'm only just encountering it. Can you point me at the original discussions, as I cannot understand the vulnerability, nor the threats, from the descriptions in the issue thread.

At the same time, the solution appears to introduce an unnecessary privilege escalation, which is a security issue in itself - the kickstart files must now sit in root managed filespace of the cobbler host, leading to wider than necessary write access to those files.
