Create Case

VN 2017-003, Local Access Control (Multiple CVEs)

  • Article Type:
  • Vulnerability Notice
  • Article Number:
  • 000017719
  • Last Modified:
  • 7/26/2018

Vulnerability Summary

 
Four specific vulnerabilities have been identified in EXOS, which can allow an authenticated user with admin privileges to access the root shell and/or underlying filesystem.
Thanks to the research team at IDW Security for identifying and reporting these issues to Extreme Networks.
 
  Impact
CVE #Vulnerability TypeAttack
Type
Information
Disclosure
Denial of
Service
Code
Execution
Escalation
of Privileges
Session
Hijacking
CVE-2017-14327Incorrect Access ControlLocalX    
CVE-2017-14329Incorrect Access ControlLocalX XX 
CVE-2017-14330Incorrect Access ControlLocalX XX 
CVE-2017-14331Escape From Restricted ShellLocalX XX 

Products Potentially Affected

 
  • EXOS versions 16.x / 21.x / 22.x

Impact Details

 
CVE-2017-14327
Impact: Information disclosure
Attack Vector: local
Affected Platforms: EXOS 16.x / 21.x / 22.x
CVS base score: 4.4 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Description: An authenticated user with admin privileges can get read access to any file on the filesystem.
Detail: By obtaining an interactive shell with admin privileges as defined in CVE-2017-14331 (below), it is possible to access system files owned by root and without world read-access.
 
CVE-2017-14329
Impact: Privilege Escalation (root interactive shell)
Attack Vector: local
Affected Platforms: EXOS 16.x / 21.x / 22.x
CVS base score: 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Description: An authenticated user with admin privileges can get an interactive root shell on the platform.
Detail: By compounding on CVE-2017-1427 and CVE-2017-14331, one can escalate to root by spawning a new exsh shell in debug mode and invoking an interactive shell with root privileges.

CVE-2017-14330
Impact: Privilege Escalation (root interactive shell)
Attack Vector: local
Affected Platforms: EXOS 16.x / 21.x / 22.x
CVS base score: 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Description: An authenticated user with admin privileges can get an interactive root shell on the platform.
Detail: It is possible to get an interactive root shell on the platform by creating a process that will run with elevated privileges.
 
CVE-2017-14331
Impact: Escape from exsh restricted shell
Attack Vector: local
Affected Platforms: EXOS 16.x / 21.x / 22.x
CVS base score: 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Description: An authenticated user with admin privileges can spawn an interactive shell on the system.
Detail: A user with admin privileges on the switch can invoke an interactive shell with access to the underlying operating system.

Repair Recommendations

 
Each of the CVEs described in this Vulnerability Notice rely upon the ability of an authenticated user with admin privileges to execute scripts to initiate the specific actions defined. As such, mitigation of these issues will be achieved by disallowing scripting when the OS is used in FIPS mode in an upcoming release.

The following EXOS releases are expected to include this change to FIPS mode behavior:
  • EXOS 16.2.4.5 (Available now)
  • EXOS 21.1.4.4-patch1-3 (Available now)
  • EXOS 22.3.1.4-patch1-4 (Available now)
  • EXOS 22.4.1 (Available now)
The fix is documented under CR xos0069140.

Legal Notice

 
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.

Version Number

 

Feedback