| CVSS2 metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | PARTIAL |

CVSS2 vector: `AV:N/AC:L/Au:N/C:N/I:N/A:P`

| CVSS3 metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |

CVSS3 vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

EPSS percentile: 65.0%
| Revision | Date | Changes |
|---|---|---|
| 1.0 | October 7th, 2020 | Initial Release |
The CVE-ID tracking this issue is: CVE-2020-13100
CVSSv3 Base Score: 7.5/10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
This advisory documents the impact of a vulnerability in Arista’s CloudVision eXchange (CVX) server which impacts the ControllerOob agent.
The effect of the vulnerability is that if the CVX server receives a malformed control-plane packet, the ControllerOob agent could experience a crash and subsequently restart. In such an event, all existing connections between the impacted CVX server and the managed Arista devices could flap.
Impact to production traffic is not expected as a result of such a crash. This vulnerability, if successfully exploited, would impact the control plane by limiting the CVX server’s ability to manage the network or ensure that the Arista devices are updated with the latest network information. In a High Availability (HA) setup, where multiple CVX servers are running in a cluster, this vulnerability could trigger a failover of the Master Node.
Arista has not received any report of this issue being exploited in any malicious manner.
To confirm whether this vulnerability has been hit, perform the following checks after logging into the CVX server.
Example:
```
CVX_Node1#show logging all | grep ControllerOobAgent
ProcMgr-worker: %PROCMGR-6-PROCESS_TERMINATED: 'ControllerOobAgent' (PID=26962) has terminated.
ProcMgr-worker: %PROCMGR-6-PROCESS_RESTART: Restarting 'ControllerOobAgent' immediately (it had PID=26962)
ProcMgr-worker: %PROCMGR-6-PROCESS_STARTED: 'ControllerOobAgent' starting with PID=9195 (PPID=1736)
```
In HA setups, a failover of the Master Node (i.e. a change in the Master Node) can be observed if this vulnerability is hit. This can be verified by running `show cvx` on the CVX server:
```
CVX_Node1#show cvx
CVX Server
Status: Enabled
UUID: 522fc80a-d68f-11e9-82a4-a705a858a9f6
Mode: Cluster
Heartbeat interval: 20.0
Heartbeat timeout: 60.0
Cluster Status
Name: HW-VTEP-NSX
Role: Master
Peer timeout: 10.0
Last leader switchover timestamp: 5:02 ago
```
Subsequently, we should expect to observe an agent crash log with the following output recorded by the ControllerOob agent after running `show agent logs crash` on the CVX server:
```
CVX_Node1#show agent logs crash
===> /var/log/agents/ControllerOob-23174 Tue July 23 19:17:15 2020 <===
===== Output from /usr/bin/ControllerOob ['--scheduled'] (PID=23174) started July 12 20:40:47.020253 ===
rSetup: ControllerMessageEngine.tin:960: void Controller::ControllerMessageSocketSm::handleReadableCount(): Assertion `cs->pbMessage()->has_messagetype()' failed.
```
Notes:
Affected Software
Affected Platforms
To limit the ability of untrusted devices to affect the CVX server, Control-Plane Access-Control Lists (CP ACLs) can be used to limit connections to known CVX clients only. CVX uses TCP ports 50003 and 50004 for communication on the CVX server.
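As an added illustration of that mitigation (this is example configuration written for this page, not configuration from the advisory or from Arista), the following control-plane ACL restricts TCP 50003 and 50004 on the CVX server to known clients while leaving all other control-plane traffic as it was. The ACL name and the 192.0.2.0/24 client prefix are placeholders, and the `ip access-list` / `control-plane` / `ip access-group ... in` syntax is assumed from the standard EOS ACL CLI rather than taken from this advisory:

```eos
! Added example, not from the advisory. 192.0.2.0/24 is a placeholder for the
! management addresses of the Arista devices that legitimately talk to CVX.
ip access-list cvx-control-plane
   ! Known CVX clients may reach the two CVX ports
   10 permit tcp 192.0.2.0/24 any eq 50003
   20 permit tcp 192.0.2.0/24 any eq 50004
   ! Anything else aimed at the CVX ports is dropped before it reaches the agent
   30 deny tcp any any eq 50003
   40 deny tcp any any eq 50004
   ! Keep every other control-plane flow (SSH, routing protocols, NTP, ...) as before;
   ! without this line the ACL's implicit deny would also cut management access
   50 permit ip any any
!
control-plane
   ip access-group cvx-control-plane in
```

The final `permit ip any any` is deliberate: applying a custom control-plane ACL takes the place of the platform's default control-plane ACL, so the example only tightens the two CVX ports and otherwise stays permissive instead of trying to reproduce the default rule set. After applying it, `show ip access-lists cvx-control-plane` shows the entries and their hit counters, which is a quick way to confirm that unknown sources are being matched by the deny entries rather than reaching the ControllerOob agent.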
For the final resolution, please refer to the next section which lists the details of the hotfix and remediated software versions.
This vulnerability is being tracked by Bug 483850. To safeguard against this vulnerability, the recommended course of action is to install the provided hotfix or to perform an upgrade to a remediated EOS version.
The vulnerability has been fixed in the following EOS versions:
The hotfix has been implemented as an extension, which can be downloaded from the following link:
https://www.arista.com/assets/data/SecurityAdvisories/SA52/SecurityAdvisory0052Hotfix.swix
Sha512sum: cd0333153a3d8e78df75975de056dd896d4dab89013fa21755742a28af677ef1c7280f829ca3a4c06b6788cd4f60e21dca982d9a89062cc0bf986fe2709a1ab7 SecurityAdvisory0052Hotfix.swix
For instructions on the installation and verification of extensions, please refer to the following section in the EOS User Manual:
https://www.arista.com/en/um-eos/eos-section-6-7-managing-eos-extensions
The extension will need to be made persistent across reboots by copying `installed-extensions` to `boot-extensions` (`copy installed-extensions boot-extensions`).
Note:
After the installation of the hotfix, it is expected for the CVX agents (e.g. ControllerOob) to restart. Impact to production traffic is not expected as a result of these restarts. As a best practice, it is recommended to install the hotfix during a maintenance window or during non-production hours.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
- By email (the address is obscured on the page)
- By telephone: 408-547-5502 or 866-476-0000