The following section lists potential vulnerabilities and their impact to ExtremeXOS 22.4.
Thanks to the research team at IDW Security (http://www.idw.pt/) for identifying and reporting these issues to Extreme Networks.
Important
You must enable FIPS for this fix to take effect.| Impact | Escape from exsh restricted shell |
| Attack Vector | local |
| CVS base score | 5.1 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N) |
| Description | An authenticated user with admin privileges can spawn an interactive shell on the system. |
| Detail | A user with admin privileges on the switch can invoke an interactive shell with access to the underlying operating system. |
This issue is documented in CR xos0069140, which is fixed in ExtremeXOS 22.3-1-Patch1-4 (see Resolved Issues in ExtremeXOS 22.4).
Important
You must enable FIPS for this fix to take effect.| Impact | Information disclosure |
| Attack Vector | local |
| CVS base score | 5.1 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N) |
| Description | An authenticated user with admin privileges can get read access for any file on the filesystem. |
| Detail | By obtaining an interactive shell with admin privileges as defined in CVE-2017-14331 (preceding), you can access system files owned by root and without world read-access. |
This issue is documented in CR xos0069140, which is fixed in ExtremeXOS 22.3-1-Patch1-4 (see Resolved Issues in ExtremeXOS 22.4).
Important
You must enable FIPS for this fix to take effect.| Impact | Privilege escalation (root interactive shell) |
| Attack Vector | local |
| CVS base score | 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) |
| Description | An authenticated user with admin privileges can get an interactive root shell on the switch. |
| Detail | By exploiting both CVE-2017-1427 and CVE-2017-14331, you can escalate to root by spawning a new exsh shell in debug mode and invoking an interactive shell with root privileges. |
Important
You must enable FIPS for this fix to take effect.| Impact | Privilege escalation (root interactive shell) |
| Attack Vector | local |
| CVS base score | 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) |
| Description | An authenticated user with admin privileges can get an interactive root shell on the platform. |
| Detail | You can get an interactive root shell on the switch by creating a process that runs with elevated privileges. |
This issue is documented in CR xos0069140, which is fixed in ExtremeXOS 22.3-1-Patch1-4 (see Resolved Issues in ExtremeXOS 22.4).
| Impact | Denial-of-service |
| Attack Vector | remote |
| CVS base score | 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| Description | A remote user can force the switch to reboot by sending a single, specially crafted packet to the web server. |
This issue is documented in CR xos0069140, which is fixed in ExtremeXOS 22.3-1-Patch1-4 (see Resolved Issues in ExtremeXOS 22.4).
| Impact | Session hijacking |
| Attack Vector | remote |
| CVS base score | 9.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) |
| Description | A remote user can hijack a session on the switch web server. |
| Detail | A remote user can hijack a session on the switch web server by using non-trivial methods to determine the SessionIDs used in authentication. |
We do not believe that ExtremeXOS 22.4 is significantly vulnerable to the “SSL 64-bit Block Size Cipher Suites Supported” (SWEET32) security risk.
SSL: ExtremeXOS uses the thttpd webserver that is not vulnerable to this type of attack because thttpd does not support persistent SSL connections, which is a requirement of the exploit.
SSH: SSH is potentially more vulnerable depending on the ciphers used. However, ExtremeXOS allows you to mitigate this vulnerability by configuring the advertised ciphers.
For more information about the SWEET32 threat, see:
Print
this page
Email this topic
Feedback
View PDF
Download EPUB