This release note documents the security fix for:
- clcmd_server (CVE-2015-5699)
If a switch's /etc/sudoers configuration is modified to allow a non-root user account to run cl-ra as root, that user can exploit shell metacharacters to run any other arbitrary command as root.
If non-root users are not explicitly configured to have sudo access to cl-ra, the configuration is not vulnerable. The /etc/sudoers configuration in Cumulus Linux and Cumulus RMP does not, by default, expose the vulnerability. If /etc/sudoers is modified as described above, this vulnerability affects all Cumulus Linux and Cumulus RMP releases up to and including version 2.5.3.
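As an added check that is not part of the original advisory or of Cumulus Linux, the following shell script flags sudoers rules of the kind described above: any non-root principal allowed to run cl-ra as root. The sample sudoers content is constructed for the demonstration, and the /usr/bin/cl-ra path is an assumption.

```shell
#!/bin/sh
# Added audit helper (not Cumulus Networks code): list sudoers rules that let a
# non-root account run cl-ra as root, the configuration the advisory describes
# as vulnerable on python-clcmd builds that predate the fix.
# Assumptions: cl-ra lives under /usr/bin (adjust to the real path); sudoers
# continuation lines (trailing "\") and #include'd files are not followed.

audit_cl_ra_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, #include, blanks
        /^[ \t]*(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ { next }
        $1 == "root" { next }                       # root gaining root is not an escalation
        {
            spec = $0
            sub(/^[^=]*=/, "", spec)                # keep the runas/command part
            # An explicit runas list must include root or ALL; no list means root.
            if (spec ~ /^\(/ && spec !~ /^\((root|ALL)([,:][^)]*)?\)/) next
            # Rules granting ALL commands are not flagged: they already grant full root.
            if (spec ~ /(^|[\/ \t,:])cl-ra([ \t,]|$)/) print
        }
    ' "$1"
}

# Number of matching rules; 0 means the vulnerable pattern is absent.
count_cl_ra_rules() {
    audit_cl_ra_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample sudoers file for the demonstration (not from a real switch).
SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
netops  ALL=(root) NOPASSWD: /usr/bin/cl-ra
monitor ALL=NOPASSWD: /usr/bin/cl-ra *
backup  ALL=(backup) /usr/bin/cl-ra
alice   ALL=(root) /sbin/ip link show
EOF

echo "sudoers rules letting a non-root user run cl-ra as root:"
audit_cl_ra_rules "$SAMPLE_SUDOERS"
echo "count: $(count_cl_ra_rules "$SAMPLE_SUDOERS")"   # 2 (netops, monitor)
```

Run it against the switch's real /etc/sudoers (and any files it includes) to confirm the count is 0 before relying on the "not vulnerable" case.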
To apply the security patch, follow these steps:
- Update the package index for your Cumulus Linux or Cumulus RMP distribution. Run:
cumulus@switch:~$ sudo apt-get update
- Install the updated python-clcmd package to apply the patch. Run:
cumulus@switch:~$ sudo apt-get install python-clcmd
- Restart the clcmd_server service. Run:
cumulus@switch:~$ sudo service clcmd_server restart
- Verify the package was updated:
cumulus@switch:~$ dpkg -l | grep python-clcmd
ii python-clcmd 0.01-cl2.5+3 all Cumulus linux command line
For details on the Cumulus Networks policy regarding security vulnerabilities, see this article.
Cumulus Networks would like to thank Gregory Pickett of Hellfire Security for reporting this vulnerability.