Vulnerability Details : CVE-2018-18556
Public exploit exists!
A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration also allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges.
Vulnerability category: Gain privilege
Exploit prediction scoring system (EPSS) score for CVE-2018-18556
Probability of exploitation activity in the next 30 days: 2.57%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 90 %
Metasploit modules for CVE-2018-18556
- VyOS restricted-shell Escape and Privilege Escalation
  Disclosure Date: 2018-11-05
  First seen: 2020-09-19
  exploit/linux/ssh/vyos_restricted_shell_privesc
  This module exploits command injection vulnerabilities and an insecure default sudo configuration on VyOS versions 1.0.0 <= 1.1.8 to execute arbitrary system commands as root. VyOS features a `restricted-shell` system shell intended for use by low
CVSS scores for CVE-2018-18556
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST |
9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 3.1 | 6.0 | NIST |
References for CVE-2018-18556
- https://blog.mirch.io/2018/11/05/cve-2018-18556-vyos-privilege-escalation-via-sudo-pppd-for-operator-users/
  CVE-2018-18556 – VyOS Privilege escalation via sudo pppd for operator users – Rich Mirch
  Exploit; Third Party Advisory
- https://blog.vyos.io/the-operator-level-is-proved-insecure-and-will-be-removed-in-the-next-releases
  The "operator" level is proved insecure and will be removed in the next releases
  Exploit; Vendor Advisory
- http://packetstormsecurity.com/files/159234/VyOS-restricted-shell-Escape-Privilege-Escalation.html
  VyOS restricted-shell Escape / Privilege Escalation ≈ Packet Storm
  Exploit; Third Party Advisory; VDB Entry
Products affected by CVE-2018-18556
- cpe:2.3:o:vyos:vyos:1.1.8:*:*:*:*:*:*:*