[nsp-sec] Arista EOS Remote Privilege Escalation Vulnerability
John Fraizer
john at op-sec.us
Mon Nov 9 20:09:42 EST 2015
This is a hot fix for Arista Security Advisory 0015.
bs212.sjc.aristanetworks.com buildhash=2027c3c58bbfe3931f569b0b94fff85a Arista Networks dev/Arista Networks http://www.AristaNetworks.com linux i686
# --- first scriptlet: runs when the hotfix package is installed ---
pamfile="/etc/pam.d/system-auth-ac"
remotefile="/etc/pam.d/remote"
nssfile="/etc/nsswitch.conf"
# if the .Eos file has been copied, we update the real file, or we update
# the .Eos file.
if grep -q pam_aaa.so $pamfile; then
    extname=""
else
    extname=".Eos"
fi
pamfile="${pamfile}${extname}"
remotefile="${remotefile}${extname}"
nssfile="${nssfile}${extname}"
# Add ourselves to pam and nsswitch.conf
sed -i 's/files aaa/files sa15 \[NOTFOUND=return\] aaa/g' $nssfile
if ! grep -q pam_sa15.so $pamfile; then
    # append an auth entry after pam_env.so, insert an account entry before pam_aaa.so
    sed -i '/auth \+required \+pam_env.so/a auth \[user_unknown=2 default=ignore\] pam_sa15.so' $pamfile
    sed -i '/account \+\w\+ \+pam_aaa.so/i account requisite pam_sa15.so' $pamfile
fi
if [ -f $remotefile ]; then
    sed -i 's/\bsystem-auth-remote\b/system-auth/g' $remotefile
fi
# restart uwsgi as it may have cached PAM config
if [ -f /usr/bin/Capi ]; then
    # rewrite the Capi shebang ("#!/usr/bin/" -> "#! /usr/bin/") so the file changes, then restart it
    sed -i 's/#!\/usr\/bin\//#! \/usr\/bin\//' /usr/bin/Capi
    killall -q Capi || true
else
    killall -q uwsgi || true
fi

# --- second scriptlet: runs when the package is removed (separated from the first by a NUL in the extracted package) ---
# If this package is being uninstalled (rather than being upgraded),
# remove from nsswitch.conf and pam
if [ "$1" = 0 ]; then # Uninstall.
    pamfile="/etc/pam.d/system-auth-ac"
    remotefile="/etc/pam.d/remote"
    nssfile="/etc/nsswitch.conf"
    # if the .Eos file has been copied, we update the real file, or we update
    # the .Eos file.
    if grep -q pam_aaa.so $pamfile; then
        extname=""
    else
        extname=".Eos"
    fi
    pamfile="${pamfile}${extname}"
    remotefile="${remotefile}${extname}"
    nssfile="${nssfile}${extname}"
    sed -i 's/sa15 \[NOTFOUND=return\] //g' $nssfile
    grep -v pam_sa15.so $pamfile > $pamfile.tmp && mv $pamfile.tmp $pamfile && chmod 644 $pamfile
    if [ -f $remotefile ]; then
        sed -i 's/\bsystem-auth\b/system-auth-remote/g' $remotefile
    fi
    # restart uwsgi as it may have cached PAM config
    if [ -f /usr/bin/Capi ]; then
        # undo the shebang rewrite made at install time, then restart Capi
        sed -i 's/#! \+\/usr\/bin\//#!\/usr\/bin\//' /usr/bin/Capi
        killall -q Capi || true
    else
        killall -q uwsgi || true
    fi
fi # closing fi of the uninstall block; missing from the extracted copy
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Mon, Nov 9, 2015 at 8:04 PM, John Fraizer <john at op-sec.us> wrote:
> Anyone who needs the SWIX file for the patch, let me know. It's obvious
> that the URL they provided to my organization is watermarked, but the MD5
> of the downloaded SWIX matches that of what another organization received
> via their unique DL URL.
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
> On Mon, Nov 9, 2015 at 7:58 PM, John Fraizer <john at op-sec.us> wrote:
>
>> *** Please do not disclose the source of this information.
>>
>> We had a call with Arista today to find out precisely what the patch did
>> prior to deploying it to our fleet. They refused to disclose even though
>> we're under bilateral NDA with them.
>>
>> Enquiring minds wanted to know though so... Patch decompiled...
>>
>> The vulnerability is in their PAM subsystem. A properly formatted
>> authentication request can cause a buffer overflow and with the proper
>> payload in the overflow, gain root privileges up to and including root bash
>> shell – even bypassing any ACLs on the system.
>>
>> ACLs on the borders (unless those borders are Arista) should limit the
>> external attack surface, but the internal attack surface is huge. This
>> vulnerability is present in every single device that Arista has ever
>> shipped.
>>
>> Last word was that a very large social media site had deployed the patch
>> to 75% of their Arista fleet with no ill-effects seen to date. The patch
>> activity was ongoing when I got off the phone with my buddy about 20 mins
>> ago.
>>
>> --
>> John Fraizer
>> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>>
>>
>>
>> On Thu, Nov 5, 2015 at 7:48 PM, Chris Morrow <morrowc at ops-netman.net>
>> wrote:
>>
>>> At Thu, 5 Nov 2015 16:46:06 -0800,
>>> Mark Boolootian wrote:
>>> >
>>> > ----------- nsp-security Confidential --------
>>> >
>>> > Thanks for sending that along. Can you tell me what
>>> > the status of this advisory is? I don't see it as publicly
>>> > visible from Arista as of yet.
>>>
>>> I think arista is/was shipping a swi file as an update you could
>>> install... I'm not sure the status of this alert though :(
>>>
>>
>>
>
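A read-only verification check, added here as an example and not part of the Arista hotfix or of anyone's post in this thread: it tests whether the three edits the install scriptlet makes (an auth and an account entry for pam_sa15.so placed ahead of pam_aaa.so, and sa15 [NOTFOUND=return] ahead of aaa in nsswitch.conf) are present in a given pair of files, using the same real-file versus .Eos selection rule as the scriptlet. The function and variable names are my own.

```shell
#!/bin/sh
# Added example: verify the SA0015 hotfix edits without changing anything.
# first_line FILE REGEX: line number of the first matching line, or empty.
first_line() {
    grep -En "$2" "$1" | head -n 1 | cut -d: -f1
}

# sa15_check PAMFILE NSSFILE
# Prints one ok/FAIL line per edit; returns 0 only if every edit is present.
sa15_check() {
    pam="$1"; nss="$2"; rc=0
    # The install scriptlet appends pam_sa15.so to the auth stanza and inserts
    # it before pam_aaa.so in the account stanza; in both stanzas it has to
    # come before pam_aaa.so, otherwise the module never sees the request.
    for stanza in auth account; do
        sa15=$(first_line "$pam" "^$stanza[[:space:]].*pam_sa15\.so")
        aaa=$(first_line "$pam" "^$stanza[[:space:]].*pam_aaa\.so")
        if [ -z "$sa15" ]; then
            echo "FAIL: no $stanza entry for pam_sa15.so in $pam"; rc=1
        elif [ -n "$aaa" ] && [ "$sa15" -gt "$aaa" ]; then
            echo "FAIL: $stanza pam_sa15.so (line $sa15) is after pam_aaa.so (line $aaa)"; rc=1
        else
            echo "ok:   $stanza pam_sa15.so at line $sa15 of $pam"
        fi
    done
    # nsswitch: the scriptlet's sed turns "files aaa" into
    # "files sa15 [NOTFOUND=return] aaa".
    if grep -Eq 'files[[:space:]]+sa15[[:space:]]+\[NOTFOUND=return\][[:space:]]+aaa' "$nss"; then
        echo "ok:   $nss resolves through sa15 before aaa"
    else
        echo "FAIL: $nss has no sa15 [NOTFOUND=return] entry before aaa"; rc=1
    fi
    return $rc
}

# sa15_check_system: same file selection as the scriptlet (real files if
# pam_aaa.so is already in system-auth-ac, otherwise the .Eos copies).
# Usage on a switch after installing the SWIX: . ./sa15_check.sh && sa15_check_system
sa15_check_system() {
    ext=""
    grep -q pam_aaa.so /etc/pam.d/system-auth-ac 2>/dev/null || ext=".Eos"
    sa15_check "/etc/pam.d/system-auth-ac$ext" "/etc/nsswitch.conf$ext"
}
```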