CVE-2020-9015
published 2020-02-20CVE-2020-9015: Arista DCS-7050QX-32S-R 4.20.9M, DCS-7050CX3-32S-R 4.20.11M, and DCS-7280SRAM-48C6-R 4.22.0.1F devices (and possibly other products) allow attackers to bypass…
PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
16.08%
96.5th percentile
Arista DCS-7050QX-32S-R 4.20.9M, DCS-7050CX3-32S-R 4.20.11M, and DCS-7280SRAM-48C6-R 4.22.0.1F devices (and possibly other products) allow attackers to bypass intended TACACS+ shell restrictions via a | character. NOTE: the vendor reports that this is a configuration issue relating to an overly permissive regular expression in the TACACS+ server permitted commands
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arista | dcs-7050cx3-32s-r_firmware | — | — |
| arista | dcs-7050qx-32s-r_firmware | — | — |
| arista | dcs-7280sram-48c6-r_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor TACACS+ shell sessions on Arista devices for pipe character (`|`) injection attempts used to escape restricted shell environments. ↗
- →A Metasploit module exists for this vulnerability targeting Arista devices via SSH with TACACS+ read-only accounts; monitor for exploitation attempts combining SSH access with privilege escalation. ↗
- ·The vulnerability is rooted in a misconfiguration — an overly permissive regular expression in the TACACS+ server permitted commands list — rather than a software bug. Audit TACACS+ permitted command regexes on Arista devices. ↗
- ·Affected device models confirmed include DCS-7050QX-32S-R (4.20.9M), DCS-7050CX3-32S-R (4.20.11M), and DCS-7280SRAM-48C6-R (4.22.0.1F); other Arista products may also be impacted. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/158119/Arista-Restricted-Shell-Escape-Privilege-Escalation.htmlhttps://eos.arista.com/arista-eos-is-not-vulnerable-to-cve-2020-9015/https://securitybytes.mehttps://securitybytes.me/posts/cve-2020-9015/http://packetstormsecurity.com/files/158119/Arista-Restricted-Shell-Escape-Privilege-Escalation.htmlhttps://eos.arista.com/arista-eos-is-not-vulnerable-to-cve-2020-9015/https://securitybytes.mehttps://securitybytes.me/posts/cve-2020-9015/
2020-02-20
Published