CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
9.0%
Revision | Date | Changes |
---|---|---|
1.0 | February 20, 2024 | Initial release |
The CVE-ID tracking this issue: CVE-2023-6068
CVSSv3.1 Base Score: 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
Common Weakness Enumeration: CWE-283 Improper Access Control
This vulnerability is being tracked by BUG 869667
On affected 7130 Series FPGA platforms running MOS and recent versions of the MultiAccess FPGA, application of ACL’s may result in incorrect operation of the configured ACL for a port resulting in some packets that should be denied being permitted and some packets that should be permitted being denied.
This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.
The following products are affected by this vulnerability:
Arista MOS-based products:
The following product versions and platforms are not affected by this vulnerability:
Arista EOS-based products:
Arista Wireless Access Points
CloudVision WiFi, virtual appliance or physical appliance
CloudVision WiFi cloud service delivery
CloudVision eXchange, virtual or physical appliance
CloudVision Portal, virtual appliance or physical appliance
CloudVision as-a-Service
CloudVision AGNI
Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)
In order to be vulnerable to CVE-2023-6068, the following condition must be met:
MOS must be configured with MultiAccess FPGA software versions 1.7.1 or 1.6.x and can be determined by running the show version command and referring to the highlighted section as shown below.
switch(config)#show version
Device: Metamako MetaMux 48 with L-Series
SKU: DCS-7130-48LB
Serial number: M48LB-A3-27719-4
Software image version: 0.39.0alpha4
Internal build ID: master+9345
Applications: multiaccess-1.7.1
As shown above this switch is running a vulnerable version of the MultiAccess program, v1.7.1.
This vulnerability may lead to forwarding of packets that should be blocked by an ACL on a port.
Once triggered, the ACL filter on a port applies ACL decisions from the previous packet to the current packet and remains stuck in this state until the FPGA is reloaded. This is not detectable at the command line and is not visible in any counter state recorded by the device.
The workaround is to only apply one access-list to any particular port after the MultiAccess image is loaded into the FPGA. If a new access-list is to be applied to a port, the FPGA image should be reloaded after the access-list is applied.
Run the following commands to reload the FPGA image, where the line in yellow represents new access control lists to be added:
switch(config-app-multiaccess)#shut
switch(config-app-multiaccess)#multiaccess-group 0 client 0 access-list new_acl_if_need
switch(config-app-multiaccess)#no shut
The previous applied access control lists will automatically apply after FPGA reload.
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.
CVE-2023-6068 has been fixed in the following releases:
There is no available hotfix
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support