[nsp-sec] Arista EOS Remote Privilege Escalation Vulnerability
Igor Gashinsky
igor at yahoo-inc.com
Tue Nov 10 00:49:50 EST 2015
blockquote, div.yahoo_quoted { margin-left: 0 !important; border-left:1px #715FFA solid !important; padding-left:1ex !important; background-color:white !important; } There is at least one other very large Arista customer that I know of that deployed the patch across 100% of their fleet the day of the announcement. So far, no ill effects :)
Happy patching!-igor
On Monday, November 9, 2015, 20:00, John Fraizer <john at op-sec.us> wrote:
----------- nsp-security Confidential --------
*** Please do not disclose the source of this information.
We had a call with Arista today to find out precisely what the patch did
prior to deploying it to our fleet. They refused to disclose even though
we're under bilateral NDA with them.
Enquiring minds wanted to know though so... Patch decompiled...
The vulnerability is in their PAM subsystem. A properly formatted
authentication request can cause a buffer overflow and with the proper
payload in the overflow, gain root privileges up to and including root bash
shell – even bypassing any ACLs on the system.
ACLs on the borders (unless those borders are Arista) should limit the
external attack surface but, the internal attack surface is huge. This
vulnerability is present in every single device that Arista has ever
shipped.
Last word was that a very large social media site had deployed the patch to
75% of their Arista fleet with no ill-effects seen to date. The patch
activity was ongoing when I got off the phone with my buddy about 20mins
ago.
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Thu, Nov 5, 2015 at 7:48 PM, Chris Morrow <morrowc at ops-netman.net> wrote:
> At Thu, 5 Nov 2015 16:46:06 -0800,
> Mark Boolootian wrote:
> >
> > ----------- nsp-security Confidential --------
> >
> > Thanks for sending that along. Can you tell me what
> > the status of this advisory is? I don't see it as publicly
> > visible from Arista as of yet.
>
> I think arista is/was shipping a swi file as an update you could
> install... I'm not sure the status of this alert though :(
>
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
More information about the nsp-security
mailing list