Headline
CVE-2023-24548: Security Advisory 0089 - Arista
On affected platforms running Arista EOS with VXLAN configured, malformed or truncated packets received over a VXLAN tunnel and forwarded in hardware can cause egress ports to be unable to forward packets. The device will continue to be susceptible to the issue until remediation is in place.
Date: August 23, 2023
Revision
Date
Changes
1.0
August 23, 2023
Initial release
The CVE-ID tracking this issue: CVE-2023-24548
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Common Weakness Enumeration: CWE-120 Buffer Copy without Checking Size of Input
This vulnerability is being tracked by BUG 828687
Description
On affected platforms running Arista EOS with VXLAN configured, malformed or truncated packets received over a VXLAN tunnel and forwarded in hardware can cause egress ports to be unable to forward packets. The device will continue to be susceptible to the issue until remediation is in place.
The issue was discovered in an Arista customer environment but Arista is not aware of any malicious uses of this issue in customer networks.
Vulnerability Assessment****Affected Software****EOS Versions
- 4.25.0F in the 4.25.x train
- 4.24.11M and below releases in the 4.24.x train
- 4.23.14M and below releases in the 4.23.x train
- 4.22.13M and below releases till 4.22.1F in the 4.22.x train
Affected Platforms
The following products are affected by this vulnerability:
- Arista EOS-based products:
- 7280R3 Series
- 7500R3 Series
- 7800R3 Series
The following product versions and platforms are not affected by this vulnerability:
- Arista EOS-based products:
- 720D Series
- 720XP/722XPM Series
- 750X Series
- 7010 Series
- 7010X Series
- 7020R Series
- 7130 Series running EOS
- 7150 Series
- 7160 Series
- 7170 Series
- 7050X/X2/X3/X4 Series
- 7060X/X2/X4/X5 Series
- 7250X Series
- 7260X/X3 Series
- 7300X/X3 Series
- 7320X Series
- 7358X4 Series
- 7368X4 Series
- 7388X5 Series
- CloudEOS
- cEOS-lab
- vEOS-lab
- AWE 5000 Series
- Arista Wireless Access Points
- CloudVision CUE, virtual appliance or physical appliance
- CloudVision CUE cloud service delivery
- CloudVision eXchange, virtual or physical appliance
- CloudVision Portal, virtual appliance or physical appliance
- CloudVision as-a-Service
- CloudVision AGNI
- Arista 7130 Systems running MOS
- Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
- Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
- Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)
Required Configuration for Exploitation
In order to be vulnerable to CVE-2023-24548, the following three conditions must be met:
IP routing should be enabled:
Switch> show running-config section ip routing ip routing
AND
VXLAN should be configured - a sample configuration is found below:
# Loopback interface configuration switch> show running-config section loopback interface Loopback0 ip address 10.0.0.1/32
VXLAN VTEP configuration
switch> show running-config section vxlan interface Vxlan1 vxlan source-interface Loopback0 vxlan udp-port 4789 vxlan flood vtep 10.0.0.2
AND
VXLAN extended VLAN or VNI must be routable - two examples are shown below:
# Overlay interface switch> show running-config section vlan vlan 100 interface Ethernet1/1 switchport access vlan 100 interface Vlan100 ip address 1.0.0.1/24
Interface Vxlan1 vxlan vlan 100 vni 100000
switch> show running-config section red vrf instance red ip routing vrf red
interface Vxlan1 vxlan vrf red vni 200000
Whether such a configuration exists can be checked as follows:
switch> show vxlan vni VNI to VLAN Mapping for Vxlan1 VNI VLAN Source Interface 802.1Q Tag
100000 100 static Ethernet1/1 untagged Vxlan1 100
VNI to dynamic VLAN Mapping for Vxlan1 VNI VLAN VRF Source
200000 1006 red evpn
switch> show vlan VLAN Name Status Ports
100 VLAN0100 active Cpu, Vx1 1006* VLAN1006 active Cpu, Vx1
switch> show ip interface brief Address Interface IP Address Status Protocol MTU Owner
Vlan100 1.0.0.1/24 up up 1500 Vlan1006 unassigned up up 10168
From the above outputs, it can be seen that IP routing is enabled, VXLAN is configured, and VNIs 100000 (mapped to VLAN 100) and 200000 (mapped to VRF red) are routable.
Indicators of Compromise
This vulnerability causes egress ports to stop passing traffic. An indication of this issue is that the interface counters for the impacted egress interfaces would no longer increment even if packets are forwarded to those ports.
switch > show interfaces counters | nz Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts Et8/1 139851 0 1137 0
We will also see the DeqDeletePktCnt go up in show hardware counter drop.
switch > show hardware counter drop | nz Summary: Total Adverse (A) Drops: 2033 Total Packet Processor § Drops: 0 Type Chip CounterName : Count : First Occurrence : Last Occurrence
A Fap0 DeqDeletePktCnt : 2033 : 2023-04-05 10:09:17 : 2023-04-05 10:10:51
In addition, protocols that establish neighbor relationships over the affecting port are likely to be affected.
Mitigation
There is no known mitigation for the issue. The recommended resolution is to upgrade to a remediated software version at your earliest convenience.
Resolution
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades
CVE-2023-24548 has been fixed in the following releases:
- 4.30.0F and later releases in the 4.30.x train
- 4.29.0F and later releases in the 4.29.x train
- 4.28.0F and later releases in the 4.28.x train
- 4.27.0F and later releases in the 4.27.x train
- 4.26.0F and later releases in the 4.26.x train
- 4.25.1F and later releases in the 4.25.x train
No remediation is planned for EOS software versions that are beyond their standard EOS support lifecycle (i.e. 4.22, 4.23).
Hotfix
No hotfix is available for this vulnerability.
For More Information
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Open a Service Request
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support