Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary

Title: Brocade Vyatta 5400 vRouter contains multiple vulnerabilities

Information

Name: VU#111588
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor Publication: 2014-10-03
Last vendor Modification: 2014-10-03
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Impact Sub Score: NA
Exploitability Sub Score: NA
Environmental Score: NA
Temporal Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Base Score: 9
CVSS Impact Score: 10
CVSS Exploit Score: 8
Attack Range: Network
Attack Complexity: Low
Authentication: Requires single instance

Detail

Vulnerability Note VU#111588

Brocade Vyatta 5400 vRouter contains multiple vulnerabilities

Original Release date: 03 Oct 2014 | Last revised: 03 Oct 2014

Overview

Brocade Vyatta 5400 vRouter versions 6.4R(x), 6.6R(x), and 6.7R1 contain multiple vulnerabilities.

Description

Brocade Vyatta 5400 vRouter versions 6.4R(x), 6.6R(x), and 6.7R1 contain the following vulnerabilities:

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2014-4868
The Vyatta 5400 vRouter provides a restricted management console for authenticated users to administer the device. By issuing backtick (`) characters with certain commands, an authenticated user can break out of the management shell and gain access to the underlying Linux shell. The user can then run arbitrary operating system commands with the privileges afforded by their account.

CWE-284: Improper Access Control - CVE-2014-4869
The default permissions granted to users in the "operator" group allow them to access files containing sensitive information, such as encrypted passwords.

CWE-20: Improper Input Validation - CVE-2014-4870
The default configuration also allows non-root users to run scripts in the /opt/vyatta/bin/sudo-users/ directory with elevated (sudo) permissions. Certain input parameters to the /opt/vyatta/bin/sudo-users/vyatta-clear-dhcp-lease.pl script are not properly validated. A malicious unprivileged user can run the script with elevated permissions and use the missing input validation to spawn an attacker-controlled shell with root privileges.

The CVSS score reflects CVE-2014-4870.
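The two coding defects described above, a restricted console that lets backticks reach a shell and a sudo-wrapped helper that does not validate its parameters, share one remedy: allow-list every argument and hand it to the privileged command as an argv list, never as a shell string. The Python below is an added illustration, not Vyatta's or Brocade's code; the IPv4-plus-MAC parameter set and the helper path are assumptions standing in for a lease-clearing tool.

```python
import ipaddress
import re
import subprocess

# Added illustration, not the vendor's script.  The parameter set (IPv4 + MAC)
# and the helper path are assumptions standing in for a privileged lease tool.
HELPER_PATH = "/opt/example/clear-lease"  # placeholder, not a real Vyatta path
# Characters that let a value escape its argument position once a string reaches
# a shell.  The allow-list validators already exclude them; this check is kept so
# that attempts can be logged distinctly.
SHELL_METACHARACTERS = set("`$;|&<>(){}\\\"'\n")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def has_shell_metacharacters(value: str) -> bool:
    return any(ch in SHELL_METACHARACTERS for ch in value)

def validate_ipv4(value: str) -> str:
    """Accept exactly one well-formed IPv4 address; anything else is rejected."""
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"rejected IPv4 argument: {value!r}") from exc

def validate_mac(value: str) -> str:
    """Accept only colon-separated hex MAC addresses, normalised to lower case."""
    mac = value.strip().lower()
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"rejected MAC argument: {value!r}")
    return mac

def build_clear_lease_argv(ip: str, mac: str) -> list[str]:
    """Validate both parameters, then build an argv list for the helper.
    A list goes element-by-element to execve: no shell parses the values, so a
    backtick cannot open a command substitution even if a validator is loosened."""
    for raw in (ip, mac):
        if has_shell_metacharacters(raw):
            raise ValueError(f"shell metacharacter in argument: {raw!r}")
    return [HELPER_PATH, "--ip", validate_ipv4(ip), "--mac", validate_mac(mac)]

def run_clear_lease(ip: str, mac: str) -> int:
    """Run the helper with the validated argv; shell=False is the default and
    must stay that way for anything invoked with elevated privileges."""
    return subprocess.run(build_clear_lease_argv(ip, mac), check=False).returncode

if __name__ == "__main__":
    print(build_clear_lease_argv("10.0.0.5", "AA:BB:CC:DD:EE:FF"))
    try:
        build_clear_lease_argv("10.0.0.5`", "aa:bb:cc:dd:ee:ff")
    except ValueError as err:
        print("rejected:", err)
```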

Impact

An authenticated, unprivileged user may be able to run arbitrary operating system commands, access files containing sensitive information, and escalate privileges to those of a root user.

Solution

Brocade does not plan to release a patch for these vulnerabilities at this time. The Brocade Technical Advisory TSB 2014-197-A suggests the following workarounds:

Administrators are advised of the following:

  1. Change default system user name and password
  2. Ensure appropriate organizational policy is in place regarding accessibility to the Brocade Vyatta 5400 vRouter
  3. Evaluate the Brocade Vyatta 5600 vRouter for a full set of RBAC functionality and root access removal. Contact your Brocade representative for details.

Vendor Information

Vendor   Status    Date Notified  Date Updated
Brocade  Affected  07 Aug 2014    01 Oct 2014

CVSS Metrics

Group          Score  Vector
Base           9.0    AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal       8.1    E:POC/RL:U/RC:C
Environmental  6.1    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.brocade.com/products/all/network-functions-virtualization/product-details/5400-vrouter/index.page

Credit

7Safe would like to credit Owen Shearing for discovering these vulnerabilities.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2014-4868, CVE-2014-4869, CVE-2014-4870
  • Date Public: 03 Oct 2014
  • Date First Published: 03 Oct 2014
  • Date Last Updated: 03 Oct 2014
  • Document Revision: 18


Original Source

Url : http://www.kb.cert.org/vuls/id/111588

CWE : Common Weakness Enumeration

%     Id       Name
33 %  CWE-264  Permissions, Privileges, and Access Controls
33 %  CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)
33 %  CWE-20   Improper Input Validation

CPE : Common Platform Enumeration

Type         Count
Application  3
Hardware     1

Alert History

Date                 Information
2014-10-08 05:39:36  Multiple Updates
2014-10-07 21:34:49  Multiple Updates
2014-10-03 17:22:45  First insertion