Headline
CVE-2023-24511: Security Advisory 0084 - Arista
On affected platforms running Arista EOS with SNMP configured, a specially crafted packet can cause a memory leak in the snmpd process. This may result in the snmpd processing being terminated (causing SNMP requests to time out until snmpd is automatically restarted) and potential memory resource exhaustion for other processes on the switch. The vulnerability does not have any confidentiality or integrity impacts to the system.
Date: April 11, 2023
Revision
Date
Changes
1.0
April 11, 2023
Initial release
The CVE-ID tracking this issue: CVE-2023-24511
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Common Weakness Enumeration: CWE-401 Missing Release of Memory after Effective Lifetime
This vulnerability is being tracked by BUG 751040
Description
On affected platforms running Arista EOS with SNMP configured, a specially crafted packet can cause a memory leak in the snmpd process. This may result in the snmpd processing being terminated (causing SNMP requests to time out until snmpd is automatically restarted) and potential memory resource exhaustion for other processes on the switch. The vulnerability does not have any confidentiality or integrity impacts to the system.
The vulnerability was reported externally by an Arista customer. Arista is not aware of any malicious uses of this issue in customer networks.
Vulnerability Assessment****Affected Software****EOS Versions
- 4.29.1F and below releases in the 4.29.x train
- 4.28.5.1M and below releases in the 4.28.x train
- 4.27.8.1M and below releases in the 4.27.x train
- 4.26.9M and below releases in the 4.26.x train
- 4.25.10M and below releases in the 4.25.x train
- 4.24.11M and below releases in the 4.24.x train
Affected Platforms
This is a platform-independent vulnerability and affects all systems running EOS with the versions identified above. The following products are affected by this vulnerability:
- Arista EOS-based products:
- 720D Series
- 720XP/722XPM Series
- 750X Series
- 7010 Series
- 7010X Series
- 7020R Series
- 7130 Series running EOS
- 7150 Series
- 7160 Series
- 7170 Series
- 7050X/X2/X3/X4 Series
- 7060X/X2/X4/X5 Series
- 7250X Series
- 7260X/X3 Series
- 7280E/R/R2/R3 Series
- 7300X/X3 Series
- 7320X Series
- 7358X4 Series
- 7368X4 Series
- 7388X5 Series
- 7500E/R/R2/R3 Series
- 7800R3 Series
- CloudEOS
- cEOS-lab
- vEOS-lab
The following product versions and platforms are not affected by this vulnerability:
- Arista Wireless Access Points
- CloudVision WiFi, virtual appliance or physical appliance
- CloudVision WiFi cloud service delivery
- CloudVision Portal, virtual appliance or physical appliance
- CloudVision as-a-Service
- Arista 7130 Systems running MOS
- Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
- Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
- Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)
- Arista Unified Cloud Fabrics - (Formerly Pluribus Netvisor One)
Required Configuration for Exploitation
In order to be vulnerable to CVE-2023-24511, the following condition must be met:
SNMP must be configured:
switch>show snmp Chassis: XXXXXXXXXXX 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get-request PDUs 0 Get-next PDUs 0 Set-request PDUs 0 SNMP packets output 0 Too big errors 0 No such name errors 0 Bad value errors 0 General errors 0 Response PDUs 0 Trap PDUs Access Control 0 Users 0 Groups 0 Views SNMP logging: disabled SNMP agent enabled in VRFs: default Transmit message maximum size: 65536
If SNMP is not configured there is no exposure to this issue and the message will look something like:
switch>show snmp Chassis: XXXXXXXXXXX SNMP agent enabled in VRFs: default Transmit message maximum size: 65536 SNMP agent disabled: Either no communities and no users are configured, or no VRFs are configured.
Indicators of Compromise
This vulnerability may lead to low memory on the switch.
The snmpd process being terminated may be an indication of the issue. The following message may appear in “show logging”:
Jan 1 00:00:41 switch SuperServer: %SYS-4-RESTART_SERVICE: Service snmpd is not running. Attempting to restart it.
If the first message is seen, the following confirms this was the result of running out of memory. The following kernel message may also appear under “/var/log/eos” (this requires bash access) which indicates acts as the second indicator:
Jan 1 00:00:14 switch kernel: [12034.891991] Out of memory: Killed process 5374 (snmpd) total-vm:1711408kB, anon-rss:1698956kB, file-rss:4084kB, shmem-rss:0kB, UID:0 pgtables:3376kB oom_score_adj: -300 memory-usage:42.4% oom_score:124
These messages can be found with the following grep commands, when run from the bash shell:
grep "Out of memory: Killed process [0-9]* (snmpd)" /var/log/eos grep “Service snmpd is not running. Attempting to restart it.” /var/log/eos
Mitigation
If you suspect you are encountering this issue due to malicious activity, the workaround is to enable SNMP service ACLs to only allow specific IP addresses to query SNMP (combined with anti-spoofing ACLs in the rest of the network).
snmp-server ipv4 access-list allowHosts4 snmp-server ipv6 access-list allowHosts6 ! ipv6 access-list allowHosts6 10 permit ipv6 host <ipv6 address> any ! ip access-list allowHosts4 10 permit ip host <ipv4 address> any
For more information about SNMP service ACLs see EOS User Manual: SNMP IP Address ACL Support.
Resolution
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades
CVE-2023-24511 has been fixed in the following releases:
- 4.29.2F and later releases in the 4.29.x train
- 4.28.6M and later releases in the 4.28.x train
- 4.27.9M and later releases in the 4.27.x train
- 4.26.10M and later releases in the 4.26.x train
Hotfix
The following hotfix can be applied to remediate CVE-2023-24511. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above).:
- 4.29.1F and below releases in the 4.29.x train
- 4.28.5.1M and below releases in the 4.28.x train
- 4.27.8.1M and below releases in the 4.27.x train
- 4.26.9M and below releases in the 4.26.x train
Note: Installing/uninstalling the SWIX will cause the snmpd process to restart
Version: 1.0
URL: SecurityAdvisory84_CVE-2023-24511_Hotfix.swix
SWIX hash:SecurityAdvisory84_CVE-2023-24511_Hotfix.swix
(SHA-512)da2bc1fd2c7fc718e3c72c7ce83dc1caa05150cbe2f081c8cc3ed40ce787f7e24dff5202e621ef5f2af89f72afd25f7476d02f722ffe8e8c7d24c101cbbfe0e5
For instructions on installation and verification of the hotfix patch, refer to the “managing eos extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘copy installed-extensions boot-extensions’.
For More Information
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Open a Service Request
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support