cbcvebase.
CVE-2018-18556
published 2018-12-17

Priority: P270, critical
CVSS 3.1: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Flags: EXPLOIT
EPSS: 15.41% (96.4th percentile)

A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration also allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges.

Affected (1 range)

Vendor: vyos
Product: vyos
Version range: -
Fixed in: -

Detection & IOCs (extracted from sources)

path: /opt/vyatta/bin/sudo-users/vyatta-show-lldp.pl
process: pppd
version: VyOS 1.1.8
  • Monitor for operator-level users invoking pppd via sudo, which should not occur in legitimate usage and may indicate privilege escalation attempts.
  • Detect command injection attempts via vyatta-show-lldp.pl executed under sudo by operator-privileged users, which is the privilege escalation vector used by the Metasploit module.
  • Detect restricted-shell escape attempts via the telnet command, which is the initial breakout step before privilege escalation on VyOS systems.
  • Alert on SSH logins to VyOS 1.0.0 through 1.1.8 by operator-level accounts followed by shell process spawning (e.g., /bin/sh or /bin/bash) as root, indicating successful exploitation.
  • The insecure sudo permissions for pppd and vyatta-show-lldp.pl are part of the DEFAULT VyOS configuration, meaning all unpatched VyOS 1.0.0–1.1.8 deployments are affected out-of-the-box without any additional misconfiguration.
  • Both amd64 and i386 architectures of VyOS are confirmed vulnerable, broadening the affected deployment surface.

CVSS provenance

nvd, v3.1: 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd, v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C