Cohesity TranZman Migration Appliance CLISH Command Injection Vulnerability
Vulnerability
An authenticated command injection vulnerability has been identified in the CLISH restricted shell of Cohesity TranZman Migration Appliance Release 4.0 Build 14614. This vulnerability allows the authenticated 'admin' user to escape the restricted environment and gain unrestricted shell access. The issue arises because the 'personality' and 'load_media' commands do not properly sanitize input, enabling shell metacharacters to be injected and executed. The escaped shell runs with administrative privileges, potentially leading to further exploitation.
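The flaw class described above, as an added example that is not Cohesity's code: a hypothetical `personality` handler that pastes its argument into a shell command line, beside a hardened form that allowlists the argument and executes the helper without a shell. The helper command (`echo`), the function names and the allowlist pattern are assumptions made for illustration.

```python
import re
import subprocess

# Hypothetical stand-in for the helper a restricted-shell command would invoke.
HELPER = ["echo", "personality set to"]
# Assumed allowlist: short alphanumeric names only, no shell metacharacters.
SAFE_ARG = re.compile(r"[A-Za-z0-9_-]{1,32}")


def personality_vulnerable(value: str) -> str:
    """Flawed pattern: the argument is concatenated into a shell command line."""
    cmd = " ".join(HELPER) + " " + value
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def personality_hardened(value: str) -> str:
    """Allowlist the argument, then execute the helper directly (argv, no shell)."""
    if not SAFE_ARG.fullmatch(value):
        raise ValueError(f"rejected argument: {value!r}")
    return subprocess.run(HELPER + [value], capture_output=True, text=True).stdout


def demo() -> dict:
    payload = "red;id"  # the input quoted in the advisory's reproduction section
    results = {"vulnerable": personality_vulnerable(payload)}
    try:
        results["hardened"] = personality_hardened(payload)
    except ValueError as exc:
        results["hardened"] = str(exc)
    results["benign"] = personality_hardened("red")
    return results


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out.strip()}")
```

In the vulnerable form the `;` ends the intended command and the shell runs what follows it; in the hardened form the same input is rejected before any process is started, and a valid value reaches the helper as a single argv element.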
Impact
Exploitation of this vulnerability allows authenticated administrators to escape the restricted shell and gain unrestricted access, with the ability to execute arbitrary commands as the 'admin' user. This access is in an unconfined SELinux context, which could be leveraged for privilege escalation to root, especially in conjunction with another identified vulnerability in the same product.
Reproduction
To reproduce this vulnerability, log into the TranZman appliance via SSH as the 'admin' user. Once in the CLISH shell, use the 'config' command to reach the 'personality' command, and pass it input containing a shell metacharacter that escapes the restricted shell, such as 'red;id'. This demonstrates the ability to execute arbitrary commands. Alternatively, the 'load_media' command can be used in the same way, with an injected payload that escapes the restricted environment.
Remediation
Cohesity has released patches for this vulnerability. Users should apply the 'TZM_patch_1.patch' followed by the 'TZM_1760106063_OCT2025R2_FULL.depot' update. For the latest OVA version with integrated fixes, contact Cohesity support.
