Symptom
Cisco Nexus devices running Cisco NX-OS software contain privilege escalation vulnerabilities within the Python subsystem that could allow an authenticated, local attacker to
gain elevated privileges.
The vulnerabilities are due to insufficient hardening of the underlying operating system on which NX-OS is based. An attacker that has sufficient privileges to execute arbitrary
python scripts on an affected device can leverage this access to elevate their privileges to that of root.
Conditions
Cisco Nexus devices running an affected version of Cisco NX-OS software.
Workaround
Restrict access to python related commands to highly trusted users only via AAA policy.
Further Problem Description
Credit:
Cisco would like to thank Jens Krabbenhoeft for discovering and reporting this vulnerability.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2015-4234 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
