CVSS v3.1 base score: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
(Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High)
EPSS: 0.001 (Low), percentile 39.8%
Revision | Date | Changes
---|---|---
1.0 | April 11, 2023 | Initial release
This advisory consists of two CVEs which affect the Arista CloudEOS product.
CVE-ID: CVE-2023-24545
CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Common Weakness Enumeration: CWE-400 - Uncontrolled Resource Consumption
This vulnerability is being tracked by BUG 743423
CVE-ID: CVE-2023-24513
CVSSv3.1 Base Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
Common Weakness Enumeration: CWE-126 - Buffer Over-read
This vulnerability is being tracked by BUG 764777
This advisory details the impact of two issues discovered on Arista CloudEOS:
CVE-2023-24545: On affected platforms running Arista CloudEOS an issue in the Software Forwarding Engine (Sfe) can lead to a potential denial of service attack by sending malformed packets to the switch. This causes a leak of packet buffers and if enough malformed packets are received, the switch may eventually stop forwarding traffic.
CVE-2023-24513: On affected platforms running Arista CloudEOS, a size check bypass issue in the Software Forwarding Engine (Sfe) may allow buffer over-reads in later code. Additionally, depending on configured options, this may cause a recomputation of the TCP checksum which could be leveraged in DDoS attacks.
These issues were discovered internally and Arista is not aware of any malicious uses of these issues in customer networks.
The following products are affected by CVE-2023-24545 and CVE-2023-24513:
All CloudEOS software forwarding instances, including:
The following product versions and platforms are not affected by these vulnerabilities:
Arista EOS-based Hardware products:
cEOS-lab
vEOS-lab
Arista Wireless Access Points
CloudVision WiFi, virtual appliance or physical appliance
CloudVision WiFi cloud service delivery
CloudVision eXchange, virtual or physical appliance
CloudVision Portal, virtual appliance or physical appliance
CloudVision as-a-Service
Arista 7130 Systems running MOS
Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
Arista Edge Threat Management - Formerly Untangle (Formerly Arista NG Firewall and Arista Micro Edge)
Arista Unified Cloud Fabrics - (Formerly Pluribus Netvisor One)
In order to be vulnerable to CVE-2023-24545 and CVE-2023-24513, the switch must be configured to run the Software Forwarding Engine (Sfe). Sfe is the default configuration on CloudEOS platforms.
```
switch(config)#show agent Sfe uptime
Agent Name       Restarts       Uptime
---------------- -------------- -------
Sfe              1              0:29:49
```
The following two indicators in combination might indicate system compromise for CVE-2023-24545:
#1 - The Sfe agent log will print warning messages once the number of packet buffers is reaching low levels (< 25% Buffers free). The command show agent Sfe logs will include lines such as below:
```
I0719 13:58:07.860103 2994 Management.cpp:681] Possible Packet Leak: <25% Buffers free(1273/131072)
```
#2 - Additionally, the command show platform sfe counters | nz | grep -i frag can be used to see if the platform is receiving fragmented packets. In particular, look for large values in the counter:
```
ForUsClassifyIpv4-frag_recv_pkts ForUsClassifyIpv4 module packets 353771
```
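The two indicators above can be checked together by parsing the output of the two show commands. The following is an added example written for this page, not Arista's code: it runs offline over constructed sample output modelled on the quoted log and counter lines, and the fragment-counter threshold is an assumed operator-chosen value, since the advisory only says "large".

```python
import re

# Constructed sample output (not captured from a real device), modelled on the
# log line and counter line quoted in the advisory.
SFE_LOGS = """\
I0719 13:57:01.100000 2994 Management.cpp:681] Sfe agent started
I0719 13:58:07.860103 2994 Management.cpp:681] Possible Packet Leak: <25% Buffers free(1273/131072)
"""

SFE_COUNTERS = """\
ForUsClassifyIpv4-frag_recv_pkts ForUsClassifyIpv4 module packets 353771
ForUsClassifyIpv6-frag_recv_pkts ForUsClassifyIpv6 module packets 12
"""

# Indicator #1: the "Possible Packet Leak" warning with free/total buffer counts.
LEAK_RE = re.compile(r"Possible Packet Leak: <(\d+)% Buffers free\((\d+)/(\d+)\)")
# Indicator #2: any *frag_recv_pkts counter and its trailing integer value.
FRAG_RE = re.compile(r"^(\S*frag_recv_pkts)\s.*?(\d+)\s*$", re.MULTILINE)


def leak_warnings(logs):
    """Return (free, total) buffer pairs for every packet-leak warning in the Sfe log."""
    return [(int(m.group(2)), int(m.group(3))) for m in LEAK_RE.finditer(logs)]


def frag_counters(counters):
    """Return {counter_name: value} for each fragment-received counter line."""
    return {m.group(1): int(m.group(2)) for m in FRAG_RE.finditer(counters)}


def assess(logs, counters, frag_threshold=100000):
    """Combine both indicators the advisory lists for CVE-2023-24545.

    frag_threshold is an assumed value; tune it to the platform's normal
    fragment rate. Only the combination of both indicators is suggestive."""
    leaks = leak_warnings(logs)
    frags = frag_counters(counters)
    lowest_pct = min((100.0 * free / total for free, total in leaks), default=100.0)
    large_frag = {name: val for name, val in frags.items() if val >= frag_threshold}
    return {
        "leak_warnings": len(leaks),
        "lowest_free_pct": round(lowest_pct, 2),
        "large_frag_counters": large_frag,
        "both_indicators": bool(leaks) and bool(large_frag),
    }


if __name__ == "__main__":
    print(assess(SFE_LOGS, SFE_COUNTERS))
```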
For CVE-2023-24513, no indications of compromise exist.
There is no mitigation / workaround for these issues.
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.
CVE-2023-24545 has been fixed in the following releases:
CVE-2023-24513 has been fixed in the following releases:
The following hotfixes can be applied to remediate both CVE-2023-24545 and CVE-2023-24513. Due to the size of the hotfixes, there are multiple files. Each hotfix applies to a specific set of release trains:
Note: Installing/uninstalling the SWIX will cause the Sfe agent to restart and stop forwarding traffic for up to 10 seconds.
**URL:** SecurityAdvisory85_4.29_Hotfix.swix SWIX Hash:
(SHA-512)c965e149cbbaa8698648af9290c5a728e9fe635186eee7629b789502ef37db4a94beea5ecd20e1dc8a19c2cc8988052b625cfccf764c28b8b0e9e4eef8e79bb4
**URL:** SecurityAdvisory85_4.28_Hotfix.swix SWIX Hash:
(SHA-512)522d51c6548111d9819ef8b1523b8798ac6847012955e3f885c6f466c81468960fbd4497b45289c8f77297263111340fbdbd7003a30b64e3ef9a270ace62c079
**URL:** SecurityAdvisory85_4.27_Hotfix.swix SWIX Hash:
(SHA-512)5ce5479c11abf185f50d484204555b2dfb9b1c93e8f475d027082ca0951cbfca0f331960a1dd111b8c079264b1dab31b0a62c8daf011afb27b1283c2382747a2
**URL:** SecurityAdvisory85_4.26_Hotfix.swix SWIX Hash:
(SHA-512)9386f12a24f35679bdeb08d506bf0bddb9703d1ef3043de2c06d09ff47f2dd0d1bd7aca0748febb5b04fbdeaed7c4ae2922086fb638c754c3a9a5384306396d2
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support