Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-24548: Security Advisory 0089 - Arista

On affected platforms running Arista EOS with VXLAN configured, malformed or truncated packets received over a VXLAN tunnel and forwarded in hardware can cause egress ports to be unable to forward packets. The device will continue to be susceptible to the issue until remediation is in place.

CVE
#vulnerability#java

Date: August 23, 2023

Revision

Date

Changes

1.0

August 23, 2023

Initial release

The CVE-ID tracking this issue: CVE-2023-24548
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Common Weakness Enumeration: CWE-120 Buffer Copy without Checking Size of Input
This vulnerability is being tracked by BUG 828687

Description

On affected platforms running Arista EOS with VXLAN configured, malformed or truncated packets received over a VXLAN tunnel and forwarded in hardware can cause egress ports to be unable to forward packets. The device will continue to be susceptible to the issue until remediation is in place.

The issue was discovered in an Arista customer environment but Arista is not aware of any malicious uses of this issue in customer networks.

Vulnerability Assessment****Affected Software****EOS Versions

  • 4.25.0F in the 4.25.x train
  • 4.24.11M and below releases in the 4.24.x train
  • 4.23.14M and below releases in the 4.23.x train
  • 4.22.13M and below releases till 4.22.1F in the 4.22.x train

Affected Platforms

The following products are affected by this vulnerability:

  • Arista EOS-based products:
    • 7280R3 Series
    • 7500R3 Series
    • 7800R3 Series

The following product versions and platforms are not affected by this vulnerability:

  • Arista EOS-based products:
    • 720D Series
    • 720XP/722XPM Series
    • 750X Series
    • 7010 Series
    • 7010X Series
    • 7020R Series
    • 7130 Series running EOS
    • 7150 Series
    • 7160 Series
    • 7170 Series
    • 7050X/X2/X3/X4 Series
    • 7060X/X2/X4/X5 Series
    • 7250X Series
    • 7260X/X3 Series
    • 7300X/X3 Series
    • 7320X Series
    • 7358X4 Series
    • 7368X4 Series
    • 7388X5 Series
    • CloudEOS
    • cEOS-lab
    • vEOS-lab
    • AWE 5000 Series
  • Arista Wireless Access Points
  • CloudVision CUE, virtual appliance or physical appliance
  • CloudVision CUE cloud service delivery
  • CloudVision eXchange, virtual or physical appliance
  • CloudVision Portal, virtual appliance or physical appliance
  • CloudVision as-a-Service
  • CloudVision AGNI
  • Arista 7130 Systems running MOS
  • Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
  • Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
  • Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)

Required Configuration for Exploitation

In order to be vulnerable to CVE-2023-24548, the following three conditions must be met:

IP routing should be enabled:

Switch> show running-config section ip routing ip routing

AND

VXLAN should be configured - a sample configuration is found below:

# Loopback interface configuration switch> show running-config section loopback interface Loopback0 ip address 10.0.0.1/32

VXLAN VTEP configuration

switch> show running-config section vxlan interface Vxlan1 vxlan source-interface Loopback0 vxlan udp-port 4789 vxlan flood vtep 10.0.0.2

AND

VXLAN extended VLAN or VNI must be routable - two examples are shown below:

# Overlay interface switch> show running-config section vlan vlan 100 interface Ethernet1/1 switchport access vlan 100 interface Vlan100 ip address 1.0.0.1/24

Interface Vxlan1 vxlan vlan 100 vni 100000

switch> show running-config section red vrf instance red ip routing vrf red

interface Vxlan1 vxlan vrf red vni 200000

Whether such a configuration exists can be checked as follows:

switch> show vxlan vni VNI to VLAN Mapping for Vxlan1 VNI VLAN Source Interface 802.1Q Tag


100000 100 static Ethernet1/1 untagged Vxlan1 100

VNI to dynamic VLAN Mapping for Vxlan1 VNI VLAN VRF Source


200000 1006 red evpn

switch> show vlan VLAN Name Status Ports


100 VLAN0100 active Cpu, Vx1 1006* VLAN1006 active Cpu, Vx1

switch> show ip interface brief Address Interface IP Address Status Protocol MTU Owner


Vlan100 1.0.0.1/24 up up 1500 Vlan1006 unassigned up up 10168

From the above outputs, it can be seen that IP routing is enabled, VXLAN is configured, and VNIs 100000 (mapped to VLAN 100) and 200000 (mapped to VRF red) are routable.

Indicators of Compromise

This vulnerability causes egress ports to stop passing traffic. An indication of this issue is that the interface counters for the impacted egress interfaces would no longer increment even if packets are forwarded to those ports.

switch > show interfaces counters | nz Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts Et8/1 139851 0 1137 0

We will also see the DeqDeletePktCnt go up in show hardware counter drop.

switch > show hardware counter drop | nz Summary: Total Adverse (A) Drops: 2033 Total Packet Processor § Drops: 0 Type Chip CounterName : Count : First Occurrence : Last Occurrence


A Fap0 DeqDeletePktCnt : 2033 : 2023-04-05 10:09:17 : 2023-04-05 10:10:51

In addition, protocols that establish neighbor relationships over the affecting port are likely to be affected.

Mitigation

There is no known mitigation for the issue. The recommended resolution is to upgrade to a remediated software version at your earliest convenience.

Resolution

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades

CVE-2023-24548 has been fixed in the following releases:

  • 4.30.0F and later releases in the 4.30.x train
  • 4.29.0F and later releases in the 4.29.x train
  • 4.28.0F and later releases in the 4.28.x train
  • 4.27.0F and later releases in the 4.27.x train
  • 4.26.0F and later releases in the 4.26.x train
  • 4.25.1F and later releases in the 4.25.x train

No remediation is planned for EOS software versions that are beyond their standard EOS support lifecycle (i.e. 4.22, 4.23).

Hotfix

No hotfix is available for this vulnerability.

For More Information

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

Open a Service Request

By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907