CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
AI Score
Confidence: High
EPSS
Percentile: 47.6%
| Revision | Date | Changes |
|---|---|---|
| 1.0 | April 3, 2024 | Initial release |
| 1.1 | April 5, 2024 | Update required configuration for exploitation and mitigation |
Arista Networks is providing this security update in response to the following publicly disclosed security vulnerabilities related to HTTP/2 CONTINUATION frames. This set of vulnerabilities is the result of some HTTP/2 implementations that do not properly limit or sanitize the amount of CONTINUATION frames sent in a single stream. An attacker that can send packets to a target server can send a stream of CONTINUATION frames, which can result in an out-of-memory crash, enabling an attacker to launch a denial of service (DoS) attack against a target service using a vulnerable implementation.
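The defensive check that the vulnerable implementations lacked is easiest to see at the frame level. The Go program below is an added example written for this page; it is not Arista code and not code from the Go grpc-go or net/http2 libraries. Using only the standard library, it parses raw HTTP/2 frames and stops reading a HEADERS/CONTINUATION sequence as soon as the accumulated header block passes a byte budget, treating that as a connection-level error. The frame constants follow RFC 9113; the 16 KiB budget, the stream ids and both sample inputs are constructed for the demonstration, not captured traffic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// HTTP/2 frame types and flag relevant to header blocks (RFC 9113 §6.2, §6.10).
const (
	frameHeaders      byte = 0x1
	frameContinuation byte = 0x9
	flagEndHeaders    byte = 0x4
	frameHeaderLen         = 9 // fixed frame header size (RFC 9113 §4.1)
)

// Frame is a decoded frame header plus its payload.
type Frame struct {
	Type, Flags byte
	StreamID    uint32
	Payload     []byte
}

// parseFrame decodes the frame at the front of buf and returns the remainder.
func parseFrame(buf []byte) (Frame, []byte, error) {
	if len(buf) < frameHeaderLen {
		return Frame{}, nil, errors.New("short frame header")
	}
	length := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2]) // 24-bit length
	if len(buf) < frameHeaderLen+length {
		return Frame{}, nil, errors.New("truncated frame payload")
	}
	f := Frame{Type: buf[3], Flags: buf[4],
		StreamID: binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff, // drop reserved bit
		Payload:  buf[frameHeaderLen : frameHeaderLen+length]}
	return f, buf[frameHeaderLen+length:], nil
}

// buildFrame encodes one frame; used only to construct the sample inputs below.
func buildFrame(t, flags byte, streamID uint32, payload []byte) []byte {
	out := make([]byte, frameHeaderLen+len(payload))
	out[0], out[1], out[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	out[3], out[4] = t, flags
	binary.BigEndian.PutUint32(out[5:9], streamID&0x7fffffff)
	copy(out[frameHeaderLen:], payload)
	return out
}

// ErrHeaderBlockTooLarge: the peer kept sending CONTINUATION frames past the budget; close the connection.
var ErrHeaderBlockTooLarge = errors.New("header block exceeds limit; close connection")

// readHeaderBlock consumes a HEADERS frame and the CONTINUATION frames that
// complete it, enforcing maxHeaderBlock bytes on the accumulated (still
// HPACK-encoded) block. It returns the block and the number of frames consumed.
func readHeaderBlock(stream []byte, maxHeaderBlock int) ([]byte, int, error) {
	first, rest, err := parseFrame(stream)
	if err != nil {
		return nil, 0, err
	}
	if first.Type != frameHeaders {
		return nil, 0, fmt.Errorf("expected HEADERS, got frame type 0x%x", first.Type)
	}
	block := append([]byte(nil), first.Payload...)
	frames, flags := 1, first.Flags
	for {
		// The budget is enforced before any further frame is read, so a peer
		// that never sends END_HEADERS cannot make the block grow without bound.
		if len(block) > maxHeaderBlock {
			return nil, frames, ErrHeaderBlockTooLarge
		}
		if flags&flagEndHeaders != 0 {
			return block, frames, nil
		}
		var next Frame
		if next, rest, err = parseFrame(rest); err != nil {
			return nil, frames, err
		}
		if next.Type != frameContinuation || next.StreamID != first.StreamID {
			return nil, frames, errors.New("protocol error: expected CONTINUATION on the same stream")
		}
		block = append(block, next.Payload...)
		frames, flags = frames+1, next.Flags
	}
}

// Constructed sample inputs (not captured traffic): a well-formed two-frame
// header block, and one that grows by chunk-byte CONTINUATION frames with no end.
func wellFormedHeaderBlock() []byte {
	b := buildFrame(frameHeaders, 0, 1, []byte("part1-"))
	return append(b, buildFrame(frameContinuation, flagEndHeaders, 1, []byte("part2"))...)
}

func unterminatedHeaderBlock(continuations, chunk int) []byte {
	b := buildFrame(frameHeaders, 0, 1, make([]byte, chunk))
	for i := 0; i < continuations; i++ {
		b = append(b, buildFrame(frameContinuation, 0, 1, make([]byte, chunk))...)
	}
	return b
}
```

With a 16 KiB budget, `readHeaderBlock(unterminatedHeaderBlock(1000, 1024), 16*1024)` returns ErrHeaderBlockTooLarge after 17 frames instead of buffering the whole sequence, while the well-formed block is reassembled as `part1-part2`. The budget is applied to the raw encoded bytes, before HPACK decoding, because decoding is exactly the work an unbounded header block forces on the server; exceeding it is treated as a connection error rather than a stream error, since a client that behaves this way is not one worth keeping a connection for.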
The following CVEs are tracked as part of this announcement:
EOS releases listed as affected are vulnerable to CVE-2023-45288 if any of the following features (the “EOS affected features list”) are enabled. Please see the Required Configuration for Exploitation section for the configuration that must be in place for a device to be vulnerable:
Wi-Fi products must be using OpenConfig-based AP management to be vulnerable to CVE-2023-45288.
Note: the affected products do use the Go grpc-go library at a version vulnerable to CVE-2023-45288. However, based on Arista’s analysis of how these modules are used, we believe the impact is limited because EOS-based products and Wi-Fi APs usually run on customers’ management networks and are not reachable from the public Internet.
A current list of affected products is included below; Arista will update this advisory as the ongoing assessment progresses.
Please consult the section on Required Configuration for Exploitation for any product listed as affected: specific configuration is necessary for this vulnerability to impact the product.
Streaming Telemetry Agent (TerminAttr) versions:
EOS release version:
WI-FI Access Points versions:
Awake Security versions
Arista EOS-based products:
Arista Wireless Access Points
Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
Arista EOS-based products not using the EOS affected feature list mentioned in the description section
CloudVision Portal, virtual appliance or physical appliance
CloudVision eXchange, virtual or physical appliance
CloudVision AGNI
Arista 7130 Systems running MOS
Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)
Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
Arista NetVisor OS, Arista NetVisor UNUM, and Insight Analytics
The prerequisite for CVE-2023-45288 is that at least one feature from the EOS affected feature list mentioned in the description section is enabled on the device.
Streaming Telemetry Agent is enabled on the device and configured for gRPC/gNMI access (not common for CloudVision deployments):
daemon TerminAttr
   exec /usr/bin/TerminAttr -grpcaddr=... <other options...>
   no shutdown
Note: the TerminAttr flag “-grpcaddr” is not enabled by default and is used to serve data using the gNMI interface, which is not common for CloudVision deployments. The flag must be configured specifically to be vulnerable to CVE-2023-45288.
OpenConfig gNMI is enabled on the device:
management api gnmi
   transport grpc <name>
gRIBI is enabled on the device:
management api gribi
   transport grpc <name>
Octa is enabled on the device:
management api gnmi
   provider eos-native
The prerequisite for CVE-2023-45288 is that the OpenConfig flag is enabled on the Access Point. Please contact the TAC team to understand the support for OpenConfig on the devices.
NDR Ava Nucleus and NDR Ava Campus Nucleus are exploitable by default.
Successful exploitation of this vulnerability can allow an attacker to launch DoS attacks against servers or cause an out-of-memory (OOM) crash. Unusually slow network performance, unavailability of a particular website or a sudden loss of connectivity across devices on the same network can therefore serve as indicators of compromise for these vulnerabilities.
As a security best practice, it is recommended not to expose internal devices to public access, to safeguard against potential attacks. There are two possible options to mitigate the vulnerability on EOS products, as listed below.
Configure Access-Control List to restrict access
Configure a non-default control-plane ACL so that traffic to the service ports is only accepted from trusted sources:
permit tcp 10.10.10.0/24 any eq 6042
In this example, connections to port 6042 (Streaming Telemetry Agent’s default gRPC/gNMI port) will only be accepted if sourced from the 10.10.10.0/24 subnet.
The following are the default service ports for the affected features:
For OpenConfig, Octa and gRIBI, an alternative solution is to configure a service ACL to restrict incoming traffic.
First configure a service ACL to only allow HTTP/2 traffic from trusted sources.
ip access-list standard grpc-acl
   10 permit host 10.1.1.1
   20 permit 11.1.1.0/24
In this example, HTTP/2 connections will only be accepted if sourced from host 10.1.1.1 or from the 11.1.1.0/24 subnet.
Then apply the service ACL to the affected feature agents.
For Openconfig:
management api gnmi
   transport grpc default
      ip access-group grpc-acl
For Octa:
management api gnmi
   transport grpc default
      ip access-group grpc-acl
   provider eos-native
For gRIBI:
management api gribi
   transport grpc default
      ip access-group grpc-acl
Enforce mTLS for authentication
First create an SSL profile using the certificate. For more details on certificate generation and EOS-based product SSL profile management, please refer to the article Working with certificates.
management security
   ssl profile mtls-grpc-profile
      certificate target.crt key target.key
      trust certificate ca.crt
For Streaming Telemetry Agent, specify the certificate, key and client CA files used by the gNMI server:
daemon TerminAttr
   exec /usr/bin/TerminAttr -certfile /persist/secure/ssl/certs/target.crt -keyfile /persist/secure/ssl/keys/target.key -clientcafile /persist/secure/ssl/certs/ca.crt
   no shutdown
For Openconfig:
management api gnmi
   transport grpc default
      ssl profile mtls-grpc-profile
For Octa:
management api gnmi
   transport grpc default
      ssl profile mtls-grpc-profile
   provider eos-native
For gRIBI:
management api gribi
   transport grpc default
      ssl profile mtls-grpc-profile
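What the SSL profile above actually enforces is easier to see with a small program. The following Go example is added here and is not Arista code; it uses only the Go standard library and generates throw-away certificates in memory, naming them after the advisory's target.crt and ca.crt roles. It shows that with mutual TLS the server rejects a peer that presents no certificate, or one that chains to an unknown CA, during the TLS handshake, before a single HTTP/2 frame is processed. The loopback listener on 127.0.0.1, the CN values and the 5-second deadline are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a throw-away P-256 certificate for cn, self-signed (a CA) when
// parent is nil, otherwise signed by parent. Leaves are valid for 127.0.0.1.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	cert.Leaf, err = x509.ParseCertificate(der)
	check(err)
	return cert
}

// tryHandshake listens on loopback with srvCfg, dials once with clientCfg and
// returns the server-side verdict (nil = accepted). The server's view is what
// counts: under TLS 1.3 a client can finish its side before the server rejects it.
func tryHandshake(srvCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	check(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second)) // assumed demo timeout
		verdict <- c.(*tls.Conn).Handshake()
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		conn.Close()
	}
	return <-verdict
}

// runScenarios mirrors the advisory's profile: the server presents target.crt
// and trusts only ca.crt for client certificates; three clients try to connect.
func runScenarios() map[string]error {
	ca := issue("demo-ca", true, nil)       // plays the role of ca.crt
	rogueCA := issue("rogue-ca", true, nil) // a CA the server does not trust
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{issue("gnmi-server", false, &ca)}, // target.crt/key
		ClientAuth:   tls.RequireAndVerifyClientCert,                      // the "mTLS" part
		ClientCAs:    pool,                                                // "trust certificate ca.crt"
		MinVersion:   tls.VersionTLS12,
	}
	client := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: pool, Certificates: certs, MinVersion: tls.VersionTLS12}
	}
	return map[string]error{
		"trusted-client": tryHandshake(srvCfg, client(issue("trusted-client", false, &ca))),
		"no-client-cert": tryHandshake(srvCfg, client()),
		"untrusted-ca":   tryHandshake(srvCfg, client(issue("rogue-client", false, &rogueCA))),
	}
}
```

`runScenarios()` returns a nil verdict only for the client whose certificate chains to the trusted CA; the other two connections are torn down by the server inside the handshake, which is why mTLS is an effective mitigation for an HTTP/2 flaw even though it says nothing about HTTP/2. As the advisory notes, this does not help where OpenConfig on the access points cannot be put behind an SSL profile.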
There is no mitigation available to temporarily resolve the issue when OpenConfig is enabled.
There is no mitigation available to temporarily resolve the issue.
There are no fixes presently available for affected products.
Note: For products presently without available fixes, please review this document periodically for updates.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email:
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support