CVE-2020-9015
📋 TL;DR
This vulnerability allows attackers to bypass TACACS+ shell restrictions on affected Arista network devices by using a pipe character (|) to execute unauthorized commands. It affects Arista DCS-7050QX-32S-R, DCS-7050CX3-32S-R, and DCS-7280SRAM-48C6-R devices running specific firmware versions. The vendor states this is a configuration issue with an overly permissive regular expression in TACACS+ server settings.
💻 Affected Systems
- Arista DCS-7050QX-32S-R
- Arista DCS-7050CX3-32S-R
- Arista DCS-7280SRAM-48C6-R
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to network devices, enabling network compromise, data exfiltration, or disruption of critical infrastructure.
Likely Case
Privilege escalation allowing unauthorized users to execute restricted commands and potentially gain administrative control.
If Mitigated
Minimal impact if proper TACACS+ configuration and network segmentation are implemented.
🎯 Exploit Status
Exploit requires initial access to restricted shell. Public proof-of-concept demonstrates using pipe character to bypass command restrictions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://eos.arista.com/arista-eos-is-not-vulnerable-to-cve-2020-9015/
Restart Required: No
Instructions:
No patch required. Fix involves updating TACACS+ server configuration to use proper regular expressions for command authorization.
🔧 Temporary Workarounds
Update TACACS+ Command Authorization
Modify TACACS+ server configuration to use stricter regular expressions that properly restrict command execution.
# On TACACS+ server, update command authorization regex to properly handle pipe characters
# Example: Ensure regex patterns don't allow | character in command arguments
Implement Network Segmentation
Restrict access to device management interfaces to authorized users and networks only.
# Configure ACLs to limit management access
# Example: management access-list standard MGMT-ACL
# permit ip 10.0.0.0/8 any
# deny ip any any
🧯 If You Can't Patch
- Implement strict network segmentation to isolate management interfaces
- Monitor for unauthorized command execution attempts in logs
🔍 How to Verify
Check if Vulnerable:
Test whether the pipe character (|) can be used from the restricted shell to run commands the user is not authorized for. Review the TACACS+ server's command authorization rules for permissive regex patterns (for example, a trailing .* that accepts any argument, pipe included).
Check Version:
show version | include Software image version
Verify Fix Applied:
Attempt to use the pipe character in the restricted shell; the command should be rejected. Verify that the TACACS+ configuration uses anchored command authorization patterns that do not match the pipe character.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in TACACS+ logs
- Pipe character usage in restricted shell commands
- Failed authorization attempts followed by successful privileged commands
Network Indicators:
- Unexpected traffic from network devices
- Management interface connections from unauthorized sources
SIEM Query:
source="tacacs" AND (command="*|*" OR command="*pipe*" OR command="*shell*" OR command="*bash*")
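The following is an added example, not code from the page or from Arista, that illustrates both the workaround (a permissive .* authorization rule versus a strict anchored one) and the detection logic above over a few constructed TACACS+ accounting lines. The key=value log layout, the rule patterns and the allowlist of output filters (include, exclude, section) are assumptions for the example.

```python
import re

# Command-authorization patterns as a TACACS+ server might apply them.
# Constructed for this example; not taken from any vendor configuration.
PERMISSIVE_RULE = re.compile(r"^show .*$")                # "show anything": a pipe passes through
STRICT_RULE = re.compile(r"^show( [A-Za-z0-9._/:-]+)*$")  # words only, no pipe or metacharacters

# Output filters the restricted shell is assumed to accept after a pipe (assumption).
ALLOWED_FILTERS = {"include", "exclude", "section"}


def authorized(rule: re.Pattern, command: str) -> bool:
    """Return True if the rule accepts the whole command line (anchored match)."""
    return rule.fullmatch(command.strip()) is not None


def suspicious_pipe(command: str) -> bool:
    """True if the command pipes into something other than an allowed output filter."""
    _head, sep, tail = command.partition("|")
    if not sep:
        return False  # no pipe at all
    tail = tail.strip()
    filter_word = tail.split(" ", 1)[0] if tail else ""
    return filter_word not in ALLOWED_FILTERS


# Constructed TACACS+ accounting records in a simple key=value layout (assumed format).
SAMPLE_LOG = """\
2020-06-01T10:00:01 user=netops priv-lvl=1 cmd="show version | include Software"
2020-06-01T10:00:07 user=netops priv-lvl=1 cmd="show interfaces status"
2020-06-01T10:00:12 user=netops priv-lvl=1 cmd="show version | somecommand"
"""

CMD_RE = re.compile(r'user=(?P<user>\S+) .*cmd="(?P<cmd>[^"]*)"')


def find_pipe_escapes(log_text: str) -> list:
    """Return (user, command) pairs whose pipe target is not an allowed output filter."""
    hits = []
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if m and suspicious_pipe(m.group("cmd")):
            hits.append((m.group("user"), m.group("cmd")))
    return hits


if __name__ == "__main__":
    for user, cmd in find_pipe_escapes(SAMPLE_LOG):
        print(f"suspicious pipe by {user}: {cmd}")
```

Note that a blanket "*|*" search also flags the legitimate "show version | include ..." usage from the verification step above; the allowlist keeps that noise out while still surfacing pipes into anything else.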
🔗 References
- http://packetstormsecurity.com/files/158119/Arista-Restricted-Shell-Escape-Privilege-Escalation.html
- https://eos.arista.com/arista-eos-is-not-vulnerable-to-cve-2020-9015/
- https://securitybytes.me
- https://securitybytes.me/posts/cve-2020-9015/