CVSS3

| Metric | Value |
|---|---|
| Attack Vector | ADJACENT |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Vector string | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS

| Metric | Value |
|---|---|
| Percentile | 12.7% |
| Revision | Date | Changes |
|---|---|---|
| 1.0 | August 23, 2023 | Initial release |
The CVE-ID tracking this issue: CVE-2023-24548
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Common Weakness Enumeration: CWE-120 Buffer Copy without Checking Size of Input
This vulnerability is being tracked by BUG 828687
On affected platforms running Arista EOS with VXLAN configured, malformed or truncated packets received over a VXLAN tunnel and forwarded in hardware can cause egress ports to be unable to forward packets. The device will continue to be susceptible to the issue until remediation is in place.
The issue was discovered in an Arista customer environment but Arista is not aware of any malicious uses of this issue in customer networks.
The following products are affected by this vulnerability:
Arista EOS-based products:
The following product versions and platforms are not affected by this vulnerability:
Arista EOS-based products:
Arista Wireless Access Points
CloudVision CUE, virtual appliance or physical appliance
CloudVision CUE cloud service delivery
CloudVision eXchange, virtual or physical appliance
CloudVision Portal, virtual appliance or physical appliance
CloudVision as-a-Service
CloudVision AGNI
Arista 7130 Systems running MOS
Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)
In order to be vulnerable to CVE-2023-24548, the following three conditions must be met:
IP routing must be enabled:

```
switch> show running-config section ip routing
ip routing
```
AND
VXLAN must be configured; a sample configuration is shown below:

```
# Loopback interface configuration
switch> show running-config section loopback
interface Loopback0
   ip address 10.0.0.1/32

# VXLAN VTEP configuration
switch> show running-config section vxlan
interface Vxlan1
   vxlan source-interface Loopback0
   vxlan udp-port 4789
   vxlan flood vtep 10.0.0.2
```
AND
A VXLAN-extended VLAN or VNI must be routable; two examples are shown below:

```
# Overlay interface (VNI mapped to a VLAN with a routed SVI)
switch> show running-config section vlan
vlan 100
interface Ethernet1/1
   switchport access vlan 100
interface Vlan100
   ip address 1.0.0.1/24
interface Vxlan1
   vxlan vlan 100 vni 100000

# Routed VRF (VNI mapped to a VRF with IP routing enabled)
switch> show running-config section red
vrf instance red
ip routing vrf red
interface Vxlan1
   vxlan vrf red vni 200000
```
Whether such a configuration exists can be checked as follows:
```
switch> show vxlan vni
VNI to VLAN Mapping for Vxlan1
VNI          VLAN       Source       Interface         802.1Q Tag
------------ ---------- ------------ ----------------- ----------
100000       100        static       Ethernet1/1       untagged
                                     Vxlan1            100

VNI to dynamic VLAN Mapping for Vxlan1
VNI          VLAN       VRF       Source
------------ ---------- --------- ------------
200000       1006       red       evpn
```

```
switch> show vlan
VLAN  Name                             Status    Ports
----- -------------------------------- --------- -------------------------------
100   VLAN0100                         active    Cpu, Vx1
1006* VLAN1006                         active    Cpu, Vx1
```

```
switch> show ip interface brief
                                                                             Address
Interface         IP Address            Status       Protocol       MTU         Owner
----------------- --------------------- ------------ -------------- ----------- -------
Vlan100           1.0.0.1/24            up           up             1500
Vlan1006          unassigned            up           up             10168
```
From the above outputs, it can be seen that IP routing is enabled, VXLAN is configured, and VNIs 100000 (mapped to VLAN 100) and 200000 (mapped to VRF red) are routable.
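The three conditions above can be checked mechanically against a saved `show running-config`. The following script is an added example written for this advisory, not Arista code: it splits an EOS running-config into top-level blocks and reports whether IP routing is on, whether a Vxlan interface with a source interface exists, and which VNIs are routable under the two patterns the advisory shows (a VNI mapped to a VLAN whose SVI carries an IP address, or a VNI mapped to a VRF that has `ip routing vrf` enabled). The sample configuration embedded below is constructed from the fragments on this page; the "routable" test encodes only those two documented patterns and is an assumption, not an exhaustive definition of routability.

```python
import re

# Constructed sample, assembled from the configuration fragments in the advisory.
SAMPLE_CONFIG = """\
ip routing
!
vrf instance red
!
ip routing vrf red
!
interface Loopback0
   ip address 10.0.0.1/32
!
vlan 100
!
interface Ethernet1/1
   switchport access vlan 100
!
interface Vlan100
   ip address 1.0.0.1/24
!
interface Vxlan1
   vxlan source-interface Loopback0
   vxlan udp-port 4789
   vxlan flood vtep 10.0.0.2
   vxlan vlan 100 vni 100000
   vxlan vrf red vni 200000
"""


def parse_sections(config):
    """Split an EOS running-config into {top-level line: [indented child lines]}."""
    sections = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # "!" or a blank line ends the current block
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def assess_exposure(config):
    """Evaluate the three preconditions the advisory lists for CVE-2023-24548."""
    sections = parse_sections(config)
    top = set(sections)

    ip_routing = "ip routing" in top

    vxlan_ifaces = {h: body for h, body in sections.items()
                    if h.lower().startswith("interface vxlan")}
    vxlan_configured = any(
        any(l.startswith("vxlan source-interface") for l in body)
        for body in vxlan_ifaces.values())

    # VRFs with "ip routing vrf <name>" at the top level.
    routed_vrfs = {h.split()[-1] for h in top if h.startswith("ip routing vrf ")}

    routable = []  # (vni, where it is routed)
    for body in vxlan_ifaces.values():
        for l in body:
            m = re.match(r"vxlan vlan (\d+) vni (\d+)", l)
            if m:
                vlan, vni = m.groups()
                svi = sections.get(f"interface Vlan{vlan}", [])
                if any(c.startswith("ip address") for c in svi):
                    routable.append((int(vni), f"Vlan{vlan}"))
                continue
            m = re.match(r"vxlan vrf (\S+) vni (\d+)", l)
            if m:
                vrf, vni = m.groups()
                if vrf in routed_vrfs:
                    routable.append((int(vni), f"vrf {vrf}"))

    return {
        "ip_routing": ip_routing,
        "vxlan_configured": vxlan_configured,
        "routable_vnis": routable,
        "exposed": ip_routing and vxlan_configured and bool(routable),
    }


if __name__ == "__main__":
    for key, value in assess_exposure(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the text of `show running-config` collected from each EOS device in the affected-version list; a result with `exposed: True` identifies a device that meets all three conditions and should be prioritised for the upgrade.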
This vulnerability causes egress ports to stop passing traffic. An indication of this issue is that the interface counters for the impacted egress interfaces would no longer increment even if packets are forwarded to those ports.
```
switch> show interfaces counters | nz
Port     OutOctets   OutUcastPkts   OutMcastPkts   OutBcastPkts
Et8/1       139851              0           1137              0
```
The DeqDeletePktCnt counter in `show hardware counter drop` will also increase:

```
switch> show hardware counter drop | nz
Summary:
Total Adverse (A) Drops: 2033
Total Packet Processor (P) Drops: 0

Type Chip  CounterName      : Count : First Occurrence    : Last Occurrence
--------------------------------------------------------------------------------------------------------------
A    Fap0  DeqDeletePktCnt  : 2033  : 2023-04-05 10:09:17 : 2023-04-05 10:10:51
```
In addition, protocols that establish neighbor relationships over the affected port are likely to be affected.
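The two indicators above (egress counters that stop moving, and a rising DeqDeletePktCnt) are easiest to act on when compared across two polls. The following script is an added example written for this advisory, not Arista code: it parses two snapshots each of `show interfaces counters` and `show hardware counter drop`, reports the DeqDeletePktCnt delta, and lists ports that the operator expects to be forwarding but whose OutOctets did not change. The snapshot text is constructed from the outputs on this page (with one extra healthy port, Et8/2, added for contrast); the list of ports expected to be active is an operator-supplied assumption, since a port with no traffic to send will legitimately show a flat counter.

```python
import re

# Constructed snapshots. With "| nz" a counter that is still zero is not printed,
# so the "before" drop snapshot has no DeqDeletePktCnt row at all.
DROPS_T0 = """\
Summary:
Total Adverse (A) Drops: 0
Total Packet Processor (P) Drops: 0
"""

DROPS_T1 = """\
Summary:
Total Adverse (A) Drops: 2033
Total Packet Processor (P) Drops: 0

Type Chip  CounterName      : Count : First Occurrence    : Last Occurrence
--------------------------------------------------------------------------------------------------------------
A    Fap0  DeqDeletePktCnt  : 2033  : 2023-04-05 10:09:17 : 2023-04-05 10:10:51
"""

COUNTERS_T0 = """\
Port     OutOctets   OutUcastPkts   OutMcastPkts   OutBcastPkts
Et8/1       139851              0           1137              0
Et8/2      9001234           4412            210              3
"""

COUNTERS_T1 = """\
Port     OutOctets   OutUcastPkts   OutMcastPkts   OutBcastPkts
Et8/1       139851              0           1137              0
Et8/2      9087650           4519            214              3
"""

DROP_ROW = re.compile(r"^\s*[AP]\s+\S+\s+(\S+)\s*:\s*(\d+)\s*:")
PORT_ROW = re.compile(r"^\s*(Et\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_drop_counters(text):
    """Return {counter name: count} from 'show hardware counter drop' output."""
    counters = {}
    for line in text.splitlines():
        m = DROP_ROW.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def parse_out_octets(text):
    """Return {port: OutOctets} from 'show interfaces counters' output."""
    octets = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m:
            octets[m.group(1)] = int(m.group(2))
    return octets


def stalled_ports(counters_before, counters_after, expected_active):
    """Ports expected to forward traffic whose OutOctets did not move between polls."""
    before = parse_out_octets(counters_before)
    after = parse_out_octets(counters_after)
    return sorted(p for p in expected_active
                  if p in after and after.get(p) == before.get(p))


def assess_symptoms(drops_before, drops_after, counters_before, counters_after,
                    expected_active):
    """Combine both advisory indicators into one verdict for a device."""
    deq_delta = (parse_drop_counters(drops_after).get("DeqDeletePktCnt", 0)
                 - parse_drop_counters(drops_before).get("DeqDeletePktCnt", 0))
    stalled = stalled_ports(counters_before, counters_after, expected_active)
    return {
        "deq_delete_pkt_delta": deq_delta,
        "stalled_ports": stalled,
        # Both indicators together match the signature described in the advisory.
        "matches_signature": deq_delta > 0 and bool(stalled),
    }


if __name__ == "__main__":
    verdict = assess_symptoms(DROPS_T0, DROPS_T1, COUNTERS_T0, COUNTERS_T1,
                              expected_active=["Et8/1", "Et8/2"])
    print(verdict)
```

A flat OutOctets counter on its own is only a hint; the DeqDeletePktCnt delta is what ties it to this hardware drop condition, so both are required before raising an alert.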
There is no known mitigation for the issue.
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading, see EOS User Manual: Upgrades and Downgrades.
CVE-2023-24548 has been fixed in the following releases:
No remediation is planned for EOS software versions that are beyond their standard EOS support lifecycle (i.e. 4.22, 4.23).
No hotfix is available for this vulnerability.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support