Vulnerability-Lookup

GHSA-WXQ3-C3WP-JM5Q

Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2024-06-27 21:32

Details

This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the “config” user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges.

Severity ?

8.4 (High)


                  
                    CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-4578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-27T19:15:15Z",
    "severity": "HIGH"
  },
  "details": "This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the \u201cconfig\u201d user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges.",
  "id": "GHSA-wxq3-c3wp-jm5q",
  "modified": "2024-06-27T21:32:08Z",
  "published": "2024-06-27T21:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4578"
    },
    {
      "type": "WEB",
      "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2024-4578 (GCVE-0-2024-4578)

Vulnerability from cvelistv5 – Published: 2024-06-27 18:31 – Updated: 2024-08-01 20:47

Title

Privilege escalation in Arista Wireless Access Points

Summary

Severity ?

8.4 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Assigner

Arista

References

URL

Tags

https://www.arista.com/en/support/advisories-noti…

Impacted products

	Vendor	Product	Version
	Arista Networks	Arista Wireless Access Points	Affected: 13.0.2.x , ≤ 13.0.2-28-vv1002 (custom) Affected: 15.x (custom) Affected: 16.x , ≤ 16.1.051-vv6 (custom)

Credits

Arista would like to acknowledge and thank David Miller from cyllective AG (https://cyllective.com) for responsibly reporting CVE-2024-4578

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:arista:wireless_access_point_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "wireless_access_point_firmware",
            "vendor": "arista",
            "versions": [
              {
                "lessThanOrEqual": "13.0.2-28-vv1002",
                "status": "affected",
                "version": "13.0.2.x",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "15.x"
              },
              {
                "lessThanOrEqual": "16.1.051-vv6",
                "status": "affected",
                "version": "16.x",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-4578",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-05T14:06:50.319490Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-30T17:28:36.740Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:47:41.270Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Arista Wireless Access Points",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "13.0.2-28-vv1002",
              "status": "affected",
              "version": "13.0.2.x",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "15.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "16.1.051-vv6",
              "status": "affected",
              "version": "16.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-4578, the following condition must be met:\u003c/p\u003e\u003cp\u003eThe user must have knowledge of the config shell password to gain initial access.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "In order to be vulnerable to CVE-2024-4578, the following condition must be met:\n\nThe user must have knowledge of the config shell password to gain initial access."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Arista would like to acknowledge and thank David Miller from cyllective AG (https://cyllective.com) for responsibly reporting CVE-2024-4578"
        }
      ],
      "datePublic": "2024-06-25T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the \u201cconfig\u201d user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the \u201cconfig\u201d user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122 Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-27T18:31:06.468Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eArista recommends customers move to the latest version of each release that contains all the fixes listed below:\u003c/p\u003e\u003cp\u003eCVE-2024-4578 has been fixed in the 13.x and 16.x release trains, as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e13.0.2-28-vv1101 and later releases in the 13.0.2.x train\u003c/li\u003e\u003cli\u003e16.1.0-51-vv703 and later releases in the 16.1.0.x train\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information about upgrading WiFi AP Software, please see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://wifihelp.arista.com/post/upgrade-server\"\u003eUpgrade Server\u003c/a\u003e\u0026nbsp;and \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://wifihelp.arista.com/post/upgrading-firmware-of-wifi-access-points-with-on-premises-wireless-manager\"\u003eUpgrading Firmware of Wi-Fi Access Points with On-Premises Wireless Manager\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "Arista recommends customers move to the latest version of each release that contains all the fixes listed below:\n\nCVE-2024-4578 has been fixed in the 13.x and 16.x release trains, as follows:\n\n  *  13.0.2-28-vv1101 and later releases in the 13.0.2.x train\n  *  16.1.0-51-vv703 and later releases in the 16.1.0.x train\n\n\nFor more information about upgrading WiFi AP Software, please see  Upgrade Server https://wifihelp.arista.com/post/upgrade-server \u00a0and  Upgrading Firmware of Wi-Fi Access Points with On-Premises Wireless Manager https://wifihelp.arista.com/post/upgrading-firmware-of-wifi-access-points-with-on-premises-wireless-manager"
        }
      ],
      "source": {
        "advisory": "98",
        "defect": [
          "BUG948397"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Privilege escalation in Arista Wireless Access Points",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eTo mitigate the attack, configure a strong config shell password and share the password only with admin and/or trusted parties.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "To mitigate the attack, configure a strong config shell password and share the password only with admin and/or trusted parties."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2024-4578",
    "datePublished": "2024-06-27T18:31:06.468Z",
    "dateReserved": "2024-05-06T22:39:09.409Z",
    "dateUpdated": "2024-08-01T20:47:41.270Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-WXQ3-C3WP-JM5Q

CVE-2024-4578 (GCVE-0-2024-4578)

Tags

Sightings

Nomenclature