[nsp-sec] Arista EOS Remote Privilege Escalation Vulnerability

John Fraizer john at op-sec.us
Mon Nov 9 19:58:47 EST 2015


*** Please do not disclose the source of this information.

We had a call with Arista today to find out precisely what the patch did
prior to deploying it to our fleet.  They refused to disclose even though
we're under bilateral NDA with them.

Enquiring minds wanted to know though so... Patch decompiled...

The vulnerability is in their PAM subsystem.  A properly formatted
authentication request can cause a buffer overflow and, with the proper
payload in the overflow, gain root privileges up to and including a root bash
shell – even bypassing any ACLs on the system.

ACLs on the borders (unless those borders are Arista) should limit the
external attack surface, but the internal attack surface is huge.  This
vulnerability is present in every single device that Arista has ever
shipped.

Last word was that a very large social media site had deployed the patch to
75% of their Arista fleet with no ill effects seen to date.  The patch
activity was ongoing when I got off the phone with my buddy about 20 mins
ago.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



On Thu, Nov 5, 2015 at 7:48 PM, Chris Morrow <morrowc at ops-netman.net> wrote:

> At Thu, 5 Nov 2015 16:46:06 -0800,
> Mark Boolootian wrote:
> >
> > ----------- nsp-security Confidential --------
> >
> > Thanks for sending that along.  Can you tell me what
> > the status of this advisory is?  I don't see it as publicly
> > visible from Arista as of yet.
>
> I think Arista is/was shipping a swi file as an update you could
> install... I'm not sure of the status of this alert though :(
>

