Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a root shell via vectors involving an exsh debug shell.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Extremexos | Extremenetworks | 15.7 (including) | 15.7 (including) |
| Extremexos | Extremenetworks | 16.1.2 (including) | 16.1.2 (including) |
| Extremexos | Extremenetworks | 16.1.3 (including) | 16.1.3 (including) |
| Extremexos | Extremenetworks | 16.1.4 (including) | 16.1.4 (including) |
| Extremexos | Extremenetworks | 16.2 (including) | 16.2 (including) |
| Extremexos | Extremenetworks | 16.2.2 (including) | 16.2.2 (including) |
| Extremexos | Extremenetworks | 16.2.3 (including) | 16.2.3 (including) |
| Extremexos | Extremenetworks | 16.2.4 (including) | 16.2.4 (including) |
| Extremexos | Extremenetworks | 21.1 (including) | 21.1 (including) |
| Extremexos | Extremenetworks | 21.1.1 (including) | 21.1.1 (including) |
| Extremexos | Extremenetworks | 21.1.2 (including) | 21.1.2 (including) |
| Extremexos | Extremenetworks | 21.1.3 (including) | 21.1.3 (including) |
| Extremexos | Extremenetworks | 21.1.4 (including) | 21.1.4 (including) |
| Extremexos | Extremenetworks | 22.1 (including) | 22.1 (including) |
| Extremexos | Extremenetworks | 22.2 (including) | 22.2 (including) |
| Extremexos | Extremenetworks | 22.3 (including) | 22.3 (including) |
| Extremexos | Extremenetworks | 22.4 (including) | 22.4 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html