Full Report
A authenticated attacker with low privileges can use unsecure sudo configuration to expand attack surface.
Analysis Summary
# Vulnerability: Eltex ESR-200 Unsecure sudo Configuration
## CVE Details
- **CVE ID:** CVE-2018-15359
- **CVSS Score:** 7.5 (High) - *Note: While the article text mentions 0.0, the provided CVSS vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and NVD standards calculate to a High severity rating.*
- **CWE:** CWE-269 (Improper Privilege Management) / CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** Eltex ESR-200 Router
- **Versions:** Firmware version 1.2.0
- **Configurations:** Systems where authenticated users are granted low-privilege access but have access to an insecurely configured `sudo` environment.
## Vulnerability Description
The Eltex ESR-200 router contains an insecure `sudo` configuration. This flaw allows an authenticated user with low-level privileges (e.g., a restricted shell or limited account) to execute commands with elevated root-level privileges. By leveraging the misconfigured sudo rules, the attacker can bypass intended security restrictions and expand the attack surface of the device significantly.
## Exploitation
- **Status:** Unknown (No publicly documented PoC in the article, but the vulnerability is confirmed by the vendor).
- **Complexity:** Low (Exploitation relies on standard command-line interactions).
- **Attack Vector:** Network (Remote authenticated access).
## Impact
- **Confidentiality:** High (Full access to system files and sensitive data).
- **Integrity:** High (Ability to modify system configurations and firmware).
- **Availability:** High (Potential to disable the device or disrupt routing services).
## Remediation
### Patches
- **Firmware Update:** Upgrade affected ESR-200 devices to firmware **version 1.3.0** or later.
### Workarounds
- **Access Control:** Restrict remote access (SSH/Telnet) to trusted administrative IP addresses only.
- **Account Audit:** Review and limit the creation of low-privileged accounts until the firmware can be updated.
## Detection
- **Indicators of Compromise:** Unusual administrative activity originating from low-privilege accounts; evidence of unauthorized modifications to system configuration files.
- **Detection Methods and Tools:** Monitor system logs for `sudo` execution events and audit the `/etc/sudoers` file or equivalent configuration on the device for overly permissive rules (e.g., `ALL=(ALL) NOPASSWD: ALL`).
## References
- **Vendor Advisory (Kaspersky):** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/08/17/klcert-18-015-eltex-esp-200-router-unsecure-sudo-configuration/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-15359
- **Eltex Official Site:** hxxp[://]eltex-co[.]ru/en/