This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SA-2023-103 - Privilege escalation via Redis server (CVE-2023-43119)

SamPirok
Community Manager Community Manager
Community Manager
‎10-09-2023 06:05 AM

Summary

It is possible to use telnet to gain privilege escalation via the Redis server to perform arbitrary filesystem operations with root privilege.

Extreme Networks acknowledges and thanks David Yesland of Rhino Security Labs for reporting this vulnerability to Extreme under coordinated vulnerability disclosure protocols.

Products not listed in the Products Potentially Affected section have not been evaluated. Furthermore, products that have exceeded any software maintenance time periods are also not evaluated and will not be published. Please consult End of Sale and End of Service Life - Extreme Networks for the EOL notices related to the product under question.

 

Products Potentially Affected

OS/Product Exposure
Switch Engine (EXOS) Yes

 

Repair Recommendations

Switch Engine (EXOS):

  • Fixed in 22.7.5.1 or later.
  • Fixed in 31.3.100 or later.
  • Fixed in 31.7.2.28 or later.
  • Fixed in 32.5.1.5 or later.

 

Please see the full Security Advisory article here for more details and updated information. 

0 Kudos
1 Comment
FredrikB-NN2
Contributor
‎11-09-2023 04:51 AM
‎11-09-2023 04:51 AM

We tried to access this (the Redis service on the standard TCP port) and could do so when logged in but not from an outside connection. Do you know if there is an attack vector where this exploit can be reached from a station connected to the switch via the network directly and not just from a logged in session?

0 Kudos
Popular Articles
GTM-P2G8KFN