[nsp-sec] Arista EOS Remote Privilege Escalation Vulnerability

John Fraizer john at op-sec.us
Mon Nov 9 20:04:20 EST 2015


Anyone who needs the SWIX file for the patch, let me know. It's obvious that
the URL they provided to my organization is watermarked, but the MD5 of the
downloaded SWIX matches that of what another organization received via
their unique DL URL.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



On Mon, Nov 9, 2015 at 7:58 PM, John Fraizer <john at op-sec.us> wrote:

> *** Please do not disclose the source of this information.
>
> We had a call with Arista today to find out precisely what the patch did
> prior to deploying it to our fleet.  They refused to disclose even though
> we're under bilateral NDA with them.
>
> Enquiring minds wanted to know though so... Patch decompiled...
>
> The vulnerability is in their PAM subsystem.  A properly formatted
> authentication request can cause a buffer overflow and with the proper
> payload in the overflow, gain root privileges up to and including root bash
> shell – even bypassing any ACLs on the system.
>
> ACLs on the borders (unless those borders are Arista) should limit the
> external attack surface, but the internal attack surface is huge.  This
> vulnerability is present in every single device that Arista has ever
> shipped.
>
> Last word was that a very large social media site had deployed the patch
> to 75% of their Arista fleet with no ill effects seen to date.  The patch
> activity was ongoing when I got off the phone with my buddy about 20 mins
> ago.
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
> On Thu, Nov 5, 2015 at 7:48 PM, Chris Morrow <morrowc at ops-netman.net>
> wrote:
>
>> At Thu, 5 Nov 2015 16:46:06 -0800,
>> Mark Boolootian wrote:
>> >
>> > ----------- nsp-security Confidential --------
>> >
>> > Thanks for sending that along.  Can you tell me what
>> > the status of this advisory is?  I don't see it as publicly
>> > visible from Arista as of yet.
>>
>> I think Arista is/was shipping a swi file as an update you could
>> install... I'm not sure of the status of this alert though :(
>>
>
>

