CVE-2024-4578 (GCVE-0-2024-4578)
Vulnerability from cvelistv5 – Published: 2024-06-27 18:31 – Updated: 2024-08-01 20:47
VLAI?
Title
Privilege escalation in Arista Wireless Access Points
Summary
This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the “config” user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges.
Severity ?
8.4 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arista Networks | Arista Wireless Access Points |
Affected:
13.0.2.x , ≤ 13.0.2-28-vv1002
(custom)
Affected: 15.x (custom) Affected: 16.x , ≤ 16.1.051-vv6 (custom) |
Credits
Arista would like to acknowledge and thank David Miller from cyllective AG (https://cyllective.com) for responsibly reporting CVE-2024-4578
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:arista:wireless_access_point_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wireless_access_point_firmware",
"vendor": "arista",
"versions": [
{
"lessThanOrEqual": "13.0.2-28-vv1002",
"status": "affected",
"version": "13.0.2.x",
"versionType": "custom"
},
{
"status": "affected",
"version": "15.x"
},
{
"lessThanOrEqual": "16.1.051-vv6",
"status": "affected",
"version": "16.x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-05T14:06:50.319490Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T17:28:36.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:41.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Arista Wireless Access Points",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "13.0.2-28-vv1002",
"status": "affected",
"version": "13.0.2.x",
"versionType": "custom"
},
{
"status": "affected",
"version": "15.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "16.1.051-vv6",
"status": "affected",
"version": "16.x",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-4578, the following condition must be met:\u003c/p\u003e\u003cp\u003eThe user must have knowledge of the config shell password to gain initial access.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In order to be vulnerable to CVE-2024-4578, the following condition must be met:\n\nThe user must have knowledge of the config shell password to gain initial access."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arista would like to acknowledge and thank David Miller from cyllective AG (https://cyllective.com) for responsibly reporting CVE-2024-4578"
}
],
"datePublic": "2024-06-25T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the \u201cconfig\u201d user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the \u201cconfig\u201d user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T18:31:06.468Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eArista recommends customers move to the latest version of each release that contains all the fixes listed below:\u003c/p\u003e\u003cp\u003eCVE-2024-4578 has been fixed in the 13.x and 16.x release trains, as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e13.0.2-28-vv1101 and later releases in the 13.0.2.x train\u003c/li\u003e\u003cli\u003e16.1.0-51-vv703 and later releases in the 16.1.0.x train\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information about upgrading WiFi AP Software, please see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://wifihelp.arista.com/post/upgrade-server\"\u003eUpgrade Server\u003c/a\u003e\u0026nbsp;and \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://wifihelp.arista.com/post/upgrading-firmware-of-wifi-access-points-with-on-premises-wireless-manager\"\u003eUpgrading Firmware of Wi-Fi Access Points with On-Premises Wireless Manager\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Arista recommends customers move to the latest version of each release that contains all the fixes listed below:\n\nCVE-2024-4578 has been fixed in the 13.x and 16.x release trains, as follows:\n\n * 13.0.2-28-vv1101 and later releases in the 13.0.2.x train\n * 16.1.0-51-vv703 and later releases in the 16.1.0.x train\n\n\nFor more information about upgrading WiFi AP Software, please see Upgrade Server https://wifihelp.arista.com/post/upgrade-server \u00a0and Upgrading Firmware of Wi-Fi Access Points with On-Premises Wireless Manager https://wifihelp.arista.com/post/upgrading-firmware-of-wifi-access-points-with-on-premises-wireless-manager"
}
],
"source": {
"advisory": "98",
"defect": [
"BUG948397"
],
"discovery": "EXTERNAL"
},
"title": "Privilege escalation in Arista Wireless Access Points",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eTo mitigate the attack, configure a strong config shell password and share the password only with admin and/or trusted parties.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "To mitigate the attack, configure a strong config shell password and share the password only with admin and/or trusted parties."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-4578",
"datePublished": "2024-06-27T18:31:06.468Z",
"dateReserved": "2024-05-06T22:39:09.409Z",
"dateUpdated": "2024-08-01T20:47:41.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-4578\",\"sourceIdentifier\":\"psirt@arista.com\",\"published\":\"2024-06-27T19:15:15.347\",\"lastModified\":\"2024-11-21T09:43:08.790\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the \u201cconfig\u201d user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges.\"},{\"lang\":\"es\",\"value\":\"Este aviso describe un problema que afecta los puntos de acceso inal\u00e1mbricos de Arista. Cualquier entidad con la capacidad de autenticarse a trav\u00e9s de SSH en un AP afectado como usuario \\\"config\\\" puede provocar una escalada de privilegios generando un shell bash. La sesi\u00f3n SSH CLI no requiere permisos elevados para aprovechar esta vulnerabilidad, pero se requiere la contrase\u00f1a de configuraci\u00f3n para establecer la sesi\u00f3n. El shell generado puede obtener privilegios de root.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.7,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"references\":[{\"url\":\"https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098\",\"source\":\"psirt@arista.com\"},{\"url\":\"https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:47:41.270Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-4578\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-05T14:06:50.319490Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:arista:wireless_access_point_firmware:*:*:*:*:*:*:*:*\"], \"vendor\": \"arista\", \"product\": \"wireless_access_point_firmware\", \"versions\": [{\"status\": \"affected\", \"version\": \"13.0.2.x\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"13.0.2-28-vv1002\"}, {\"status\": \"affected\", \"version\": \"15.x\"}, {\"status\": \"affected\", \"version\": \"16.x\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"16.1.051-vv6\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-05T17:07:13.250Z\"}}], \"cna\": {\"title\": \"Privilege escalation in Arista Wireless Access Points\", \"source\": {\"defect\": [\"BUG948397\"], \"advisory\": \"98\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Arista would like to acknowledge and thank David Miller from cyllective AG (https://cyllective.com) for responsibly reporting CVE-2024-4578\"}], \"impacts\": [{\"capecId\": \"CAPEC-122\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-122 Privilege Abuse\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Arista Networks\", \"product\": \"Arista Wireless Access Points\", \"versions\": [{\"status\": \"affected\", \"version\": \"13.0.2.x\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"13.0.2-28-vv1002\"}, {\"status\": \"affected\", \"version\": \"15.x\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"16.x\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"16.1.051-vv6\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Arista recommends customers move to the latest version of each release that contains all the fixes listed below:\\n\\nCVE-2024-4578 has been fixed in the 13.x and 16.x release trains, as follows:\\n\\n * 13.0.2-28-vv1101 and later releases in the 13.0.2.x train\\n * 16.1.0-51-vv703 and later releases in the 16.1.0.x train\\n\\n\\nFor more information about upgrading WiFi AP Software, please see Upgrade Server https://wifihelp.arista.com/post/upgrade-server \\u00a0and Upgrading Firmware of Wi-Fi Access Points with On-Premises Wireless Manager https://wifihelp.arista.com/post/upgrading-firmware-of-wifi-access-points-with-on-premises-wireless-manager\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eArista recommends customers move to the latest version of each release that contains all the fixes listed below:\u003c/p\u003e\u003cp\u003eCVE-2024-4578 has been fixed in the 13.x and 16.x release trains, as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e13.0.2-28-vv1101 and later releases in the 13.0.2.x train\u003c/li\u003e\u003cli\u003e16.1.0-51-vv703 and later releases in the 16.1.0.x train\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information about upgrading WiFi AP Software, please see \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://wifihelp.arista.com/post/upgrade-server\\\"\u003eUpgrade Server\u003c/a\u003e\u0026nbsp;and \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://wifihelp.arista.com/post/upgrading-firmware-of-wifi-access-points-with-on-premises-wireless-manager\\\"\u003eUpgrading Firmware of Wi-Fi Access Points with On-Premises Wireless Manager\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2024-06-25T15:00:00.000Z\", \"references\": [{\"url\": \"https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"To mitigate the attack, configure a strong config shell password and share the password only with admin and/or trusted parties.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eTo mitigate the attack, configure a strong config shell password and share the password only with admin and/or trusted parties.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the \\u201cconfig\\u201d user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThis Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the \\u201cconfig\\u201d user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"In order to be vulnerable to CVE-2024-4578, the following condition must be met:\\n\\nThe user must have knowledge of the config shell password to gain initial access.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIn order to be vulnerable to CVE-2024-4578, the following condition must be met:\u003c/p\u003e\u003cp\u003eThe user must have knowledge of the config shell password to gain initial access.\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7\", \"shortName\": \"Arista\", \"dateUpdated\": \"2024-06-27T18:31:06.468Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-4578\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T20:47:41.270Z\", \"dateReserved\": \"2024-05-06T22:39:09.409Z\", \"assignerOrgId\": \"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7\", \"datePublished\": \"2024-06-27T18:31:06.468Z\", \"assignerShortName\": \"Arista\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…