{"vuid":"VU#937838","idnumber":"937838","name":"Extreme Networks switches with ExtremeWare XOS allow arbitrary command execution","keywords":["Extreme Networks","ExtremeWare XOS","arbitrary command execution","privileged user","root","shell escape","switch"],"overview":"Some Extreme Networks switches running ExtremeWare XOS have a vulnerability  that allows a malicious authenticated user to escape to the underlying operating system command shell with administrator-level (root) privileges.","clean_desc":"Extreme Network switches running ExtremeWare XOS contain a vulnerability that permits arbitrary command execution as the super user of the underlying operating system by any authenticated XOS user, including those created as non-privileged XOS users. In order to exploit this vulnerability, the user must be authenticated to XOS.","impact":"Any authenticated XOS user can potentially execute arbitrary commands with administrator-level access to the underlying operating system of the switches.","resolution":"Apply a patch available from the Vendor. For more information see the vendor field notice FN0215: http://www.extremenetworks.com/services/documentation/FieldNotices_FN0215-Security_Alert_EXOS.asp","workarounds":"Workaround Until and after the patch can be applied, consider restricting account access to only those users who are authorized to make configuration changes. It is also advisable to consider the use of firewalls/port blocking to restrict network authentication access to as few hosts as practical. Note that this will not completely mitigate this vulnerability, but will limit the vectors for attack.","sysaffected":"","thanks":"Thanks to Extreme Networks for directly reporting this vulnerability and providing analytical information. Extreme Networks in turn thanks  Matt Johnson and Stuart McRobert, Department of Computing, Imperial College London who discovered and reported the vulnerability to Extreme Networks.","author":"This document was written by Robert Mead.","public":["h","t","t","p",":","/","/","w","w","w",".","e","x","t","r","e","m","e","n","e","t","w","o","r","k","s",".","c","o","m","/","s","e","r","v","i","c","e","s","/","d","o","c","u","m","e","n","t","a","t","i","o","n","/","F","i","e","l","d","N","o","t","i","c","e","s","_","F","N","0","2","1","5","-","S","e","c","u","r","i","t","y","_","A","l","e","r","t","_","E","X","O","S",".","a","s","p"],"cveids":["CVE-2005-1670"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-04-26T14:07:29Z","publicdate":"2005-05-12T00:00:00Z","datefirstpublished":"2005-05-18T17:12:28Z","dateupdated":"2005-05-25T18:39:37Z","revision":21,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"6","cam_impact":"20","cam_easeofexploitation":"11","cam_attackeraccessrequired":"10","cam_scorecurrent":"4.95","cam_scorecurrentwidelyknown":"6.1875","cam_scorecurrentwidelyknownexploited":"11.1375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":4.95,"vulnote":null}