CVE-2018-18556

CRITICAL

VyOS restricted-shell Escape and Privilege Escalation

Title source: metasploit

Description

A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration also allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges.

Exploits (1)

metasploit WORKING POC GREAT

by Rich Mirch, bcoles · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/vyos_restricted_shell_privesc.rb

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/159234/VyOS-restricted-shell-Escape-Privilege-Escalation.html

[Exploit, Third Party Advisory] https://blog.mirch.io/2018/11/05/cve-2018-18556-vyos-privilege-escalation-via-sudo-pppd-for-operator-users/

[Exploit, Vendor Advisory] https://blog.vyos.io/the-operator-level-is-proved-insecure-and-will-be-removed-in-the-next-releases

Scores

CVSS v3 9.9

EPSS 0.6888

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

Status published

Products (1)

vyos/vyos 1.1.8

Published Dec 17, 2018

Tracked Since Feb 18, 2026