CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
42.7%
Revision | Date | Changes |
---|---|---|
1.0 | April 11, 2023 | Initial release |
The CVE-ID tracking this issue: CVE-2023-24511
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Common Weakness Enumeration: CWE-401 Missing Release of Memory after Effective Lifetime
This vulnerability is being tracked by BUG 751040
On affected platforms running Arista EOS with SNMP configured and the snmpd process is running, a specially crafted SNMP packet can cause a memory leak in the snmpd process. This may result in the snmpd processing being terminated (causing SNMP requests to time out until snmpd is automatically restarted) and potential memory resource exhaustion for other processes on the switch. The vulnerability does not have any confidentiality or integrity impacts to the system.
The vulnerability was reported externally by an Arista customer. Arista is not aware of any malicious uses of this issue in customer networks.
This is a platform-independent vulnerability and affects all systems running EOS with the versions identified above. The following products are affected by this vulnerability:
Arista EOS-based products:
The following product versions and platforms are not affected by this vulnerability:
In order to be vulnerable to CVE-2023-24511, the following condition must be met:
SNMP must be configured:
switch>show snmp
Chassis: XXXXXXXXXXX
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 SNMP packets output
0 Too big errors
0 No such name errors
0 Bad value errors
0 General errors
0 Response PDUs
0 Trap PDUs
Access Control
0 Users
0 Groups
0 Views
SNMP logging: disabled
SNMP agent enabled in VRFs: default
Transmit message maximum size: 65536
If SNMP is not configured there is no exposure to this issue and the message will look something like:
switch>show snmp
Chassis: XXXXXXXXXXX
SNMP agent enabled in VRFs: default
Transmit message maximum size: 65536
SNMP agent disabled: Either no communities and no users are configured, or no VRFs are configured.
This vulnerability may lead to low memory on the switch.
The snmpd process being terminated may be an indication of the issue. The following message may appear in “show logging”:
Jan 1 00:00:41 switch SuperServer: %SYS-4-RESTART_SERVICE: Service snmpd is not running. Attempting to restart it.
If the first message is seen, the following confirms this was the result of running out of memory. The following kernel message may also appear under “/var/log/eos” (this requires bash access) which indicates acts as the second indicator:
Jan 1 00:00:14 switch kernel: [12034.891991] Out of memory: Killed process 5374 (snmpd) total-vm:1711408kB, anon-rss:1698956kB, file-rss:4084kB, shmem-rss:0kB, UID:0 pgtables:3376kB oom_score_adj: -300 memory-usage:42.4% oom_score:124
These messages can be found with the following grep commands, when run from the bash shell:
grep "Out of memory: Killed process [0-9]* (snmpd)" /var/log/eos
grep "Service snmpd is not running. Attempting to restart it." /var/log/eos
If you suspect you are encountering this issue due to malicious activity, the workaround is to enable SNMP service ACLs to only allow specific IP addresses to query SNMP (combined with anti-spoofing ACLs in the rest of the network).
snmp-server ipv4 access-list allowHosts4
snmp-server ipv6 access-list allowHosts6
!
ipv6 access-list allowHosts6
10 permit ipv6 host <ipv6 address> any
!
ip access-list allowHosts4
10 permit ip host <ipv4 address> any
For more information about SNMP service ACLs see EOS User Manual: SNMP IP Address ACL Support.
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades
CVE-2023-24511 has been fixed in the following releases:
The following hotfix can be applied to remediate CVE-2023-24511. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above).:
Note: Installing/uninstalling the SWIX will cause the snmpd process to restart
URL: SecurityAdvisory84_CVE-2023-24511_Hotfix.swix **SWIX hash:**SecurityAdvisory84_CVE-2023-24511_Hotfix.swix
(SHA-512)da2bc1fd2c7fc718e3c72c7ce83dc1caa05150cbe2f081c8cc3ed40ce787f7e24dff5202e621ef5f2af89f72afd25f7476d02f722ffe8e8c7d24c101cbbfe0e5
For instructions on installation and verification of the hotfix patch, refer to the “managing eos extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘copy installed-extensions boot-extensions’.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support