CVE-2015-5699
Description
The Switch Configuration Tools Backend (clcmd_server) in Cumulus Linux 2.5.3 and earlier allows local users to execute arbitrary commands via shell metacharacters in a cl-rctl command label.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local command injection in Cumulus Linux's clcmd_server allows users to execute arbitrary commands as root.
Vulnerability
A command injection vulnerability exists in the Switch Configuration Tools Backend (clcmd_server) of Cumulus Linux 2.5.3 and earlier. When the server processes a command that ends in a user-supplied label, it validates the fixed command tokens against its whitelist (known as the Rosetta) but stops validating once it reaches the label portion. The entire label string, including any shell metacharacters, is then passed to the shell for execution. An attacker can therefore append arbitrary commands to the label, and they run with the privileges of the server, which runs as root [1].
Exploitation
An attacker must have local access to the system. The command injection relies on supplying a specially crafted label that terminates the intended command and introduces a new one. The injected command must be enclosed in single quotes and cannot contain spaces, as clcmd_server uses spaces to delimit command arguments. To bypass the space limitation, an attacker can write a script in a directory such as their home directory and call that script from the injected command [1].
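To make the mechanism in the Vulnerability and Exploitation sections concrete, here is an added Python model that is not clcmd_server's code and not taken from the advisory: the whitelist table, the `cl-rctl set` token sequence and the label pattern are all assumptions, and the input is assumed to be already split on spaces as the page describes. It contrasts the flawed flow (fixed tokens checked, label concatenated into a shell string) with a hardened flow (label validated, argv list returned so no shell parses it), plus a detection helper for logging.

```python
import re

# Constructed stand-in for the "Rosetta" whitelist: fixed token sequences the
# backend accepts. The real table is not on the page; this is illustrative.
ALLOWED_PREFIXES = {
    ("cl-rctl", "set"),   # assumed syntax, not from the advisory
}

# Hardened policy: a label is an opaque identifier, nothing more.
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Characters that have meaning to /bin/sh and never belong in a label.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\\'\"\n]")


def build_unsafe(tokens):
    """Model of the flawed flow: only the fixed tokens are checked against
    the whitelist; the last token (the label) is appended unvalidated into a
    command string that would be handed to a shell."""
    prefix, label = tuple(tokens[:-1]), tokens[-1]
    if prefix not in ALLOWED_PREFIXES:
        raise ValueError("command not in whitelist")
    return " ".join(prefix) + " " + label   # label reaches the shell verbatim


def build_safe(tokens):
    """Hardened flow: validate the label as strictly as the fixed tokens and
    return an argv list. Run it with subprocess.run(argv) (no shell=True),
    so metacharacters are never interpreted even if validation is relaxed."""
    prefix, label = tuple(tokens[:-1]), tokens[-1]
    if prefix not in ALLOWED_PREFIXES:
        raise ValueError("command not in whitelist")
    if not LABEL_RE.fullmatch(label):
        raise ValueError(f"label rejected: {label!r}")
    return [*prefix, label]


def label_is_suspicious(label):
    """Detection helper: flag labels carrying shell metacharacters so the
    request can be logged or alerted on before any command is built."""
    return SHELL_META_RE.search(label) is not None
```

The unsafe builder is kept only to show the shape of the defect; nothing in the block executes a command.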
Impact
Successful exploitation results in arbitrary command execution with root privileges. This constitutes a local privilege escalation, allowing an unprivileged user to gain full control of the system [1].
Mitigation
Cumulus Linux 2.5.3 and earlier are affected. No later version was identified in the references as containing a fix. Users should upgrade to a patched version of Cumulus Linux if available, or restrict local access to trusted users. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the report date [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=2.5.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] seclists.org/fulldisclosure/2015/Aug/23 (NVD tags: Mailing List, Third Party Advisory)
News mentions
No linked articles in our index yet.