QwikSec

Security Database

CVE

CWE

Training

CVE-2018-18556

Published: Dec 17, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration also allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://blog.vyos.io/the-operator-level-is-proved-insecure-and-will-be-removed-in-the-next-releases

x_refsource_CONFIRM

https://blog.mirch.io/2018/11/05/cve-2018-18556-vyos-privilege-escalation-via-sudo-pppd-for-operator-users/

x_refsource_MISC

http://packetstormsecurity.com/files/159234/VyOS-restricted-shell-Escape-Privilege-Escalation.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.