search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Brocade Vyatta 5400 vRouter contains multiple vulnerabilities

Vulnerability Note VU#111588

Original Release Date: 2014-10-03 | Last Revised: 2014-10-03

Overview

Brocade Vyatta 5400 vRouter versions 6.4R(x), 6.6R(x), and 6.7R1 contain multiple vulnerabilities.

Description

Brocade Vyatta 5400 vRouter versions 6.4R(x), 6.6R(x), and 6.7R1 contain the following vulnerabilities:

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2014-4868
The Vyatta 5400 vRouter provides a restricted management console for authenticated users to administer the device. By issuing back tick (`) characters with certain commands, an authenticated user can break out of the management shell and gain access to the underlying Linux shell. The user can then run arbitrary operating system commands with the privileges afforded by their account.

CWE-284: Improper Access Control - CVE-2014-4869
The default permissions granted to users in the "operator" group allow them to access files containing sensitive information, such as encrypted passwords.

CWE-20: Improper Input Validation - CVE-2014-4870
The default configuration also allows non-root users to run scripts in the /opt/vyatta/bin/sudo-users/ directory with elevated (sudo) permissions. Certain input parameters to the /opt/vyatta/bin/sudo-users/vyatta-clear-dhcp-lease.pl script are not properly validated. A malicious unprivileged user can run the script with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges.

The CVSS score reflects CVE-2014-4870.

Impact

An authenticated, unprivileged user may be able to run arbitrary operating system commands, access files containing sensitive information, and escalate privileges to those of a root user.

Solution

Brocade does not plan to release a patch for these vulnerabilities at this time. The Brocade Technical Advisory TSB 2014-197-A suggests the following workarounds:

Administrators are advised of the following:

    1. Change default system user name and password
    2. Ensure appropriate organizational policy is in place regarding accessibility to the Brocade Vyatta 5400 vRouter
    3. Evaluate the Brocade Vyatta 5600 vRouter for a full set of RBAC functionality and root access removal. Contact your Brocade representative for details.

    Vendor Information

    111588
     
    Expand all

    Brocade Affected

    Notified:  August 07, 2014 Updated: October 01, 2014

    Status

    Affected

    Vendor Statement

    Brocade does not plan to release a patch for these issues at this time.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vendor References


    CVSS Metrics

    Group Score Vector
    Base 9 AV:N/AC:L/Au:S/C:C/I:C/A:C
    Temporal 8.1 E:POC/RL:U/RC:C
    Environmental 6.1 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

    References

    http://www.brocade.com/products/all/network-functions-virtualization/product-details/5400-vrouter/index.page

    Acknowledgements

    7Safe would like to credit Owen Shearing for discovering these vulnerabilities.

    This document was written by Todd Lewellen.

    Other Information

    CVE IDs: CVE-2014-4868, CVE-2014-4869, CVE-2014-4870
    Date Public: 2014-10-03
    Date First Published: 2014-10-03
    Date Last Updated: 2014-10-03 13:32 UTC
    Document Revision: 20

    Sponsored by CISA.

    Download PGP Key

    Read CERT/CC Blog

    Learn about Vulnerability Analysis