9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.923 High
EPSS
Percentile
98.9%
Date: October 2nd, 2017
Version: 1.0
Revision | Date | Changes |
---|---|---|
1.0 | October 2nd, 2017 | Public release |
1.1 | October 3rd, 2017 | Updates to clarify impact and add mitigation |
1.2 | October 6th, 2017 | Updates to the affected software release table |
1.3 | October 11th, 2017 | Hotfix v1.1 has been updated |
A list of 6 CVEs affecting DNS and DHCP were publicly released on October 2nd, 2017 by the Google Security Research team. From internal investigations it has been confirmed that Arista Network’s software products - EOS and Cloud Vision Portal (CVP) are not exploitable to the following DNS and DHCP vulnerabilities.
CVE-2017-14495: DNS - Lack of free () - OOM/DoS
CVE-2017-14496: DNS - Invalid boundary checks and integer underflow - DoS
CVE-2017-14492: DHCP - Heap based overflow - RCE
CVE-2017-14493: DHCP - Stack based overflow - RCE
CVE-2017-14494: DHCP - Information leak
This advisory documents the impact of CVE-2017-14491: DNS - 2 byte heap based overflow - RCE that affects some Arista Products.
CVSS v2 Score 10
CVSS v3 Score 9.8
This vulnerability could allow a remote attacker to run arbitrary code, create a denial of service or an out of memory situation.
Note: There have been no external reports of an exploit, as of the date of this notice. Proof of concepts to evaluate if you are affected have been made available by the Google security research team that discovered the vulnerabilities.
Recommended Action: For switches running any affected EOS version with the ‘ip name-server’ configuration, the immediate recommendation is to install a non-disruptive patch or to upgrade to a remediated version of EOS. Either step will prevent any exploit. Removing the ‘ip name-server’ command from default and non-default VRFs will serve as mitigation against this vulnerability.
A single patch for this issue is available for EOS versions 4.13.0 and all later versions up to 4.19.0 via the URL below. This patch can be installed non-disruptively. Applying this patch serves as a permanent resolution to this issue. Instructions to install the patch are available on page 3 of this advisory.
Affected software releases: All EOS releases shipped prior to the date of this release are affected. The following table only lists the affected EOS versions from the supported release trains.
Table-1: Affected EOS releases
4.18 | 4.17 | 4.16 | 4.15 | Older release trains |
---|
4.18.0F
4.18.1F
4.18.1.1F
4.18.2F
4.18.2.1F
4.18.3F
4.18.3.1F
4.18.4F
4.18.4.1F
4.18.4.2F
|
4.17.0F
4.17.1F
4.17.1.1F
4.17.1.4F
4.17.2F
4.17.2.1F
4.17.3F
4.17.4M
4.17.5M
4.17.5.1M
4.17.6M
4.17.7M
| 4.16.6M
4.16.8M
4.16.9M
4.16.10M
4.16.11M
4.16.12M
| 4.15.0F
4.15.2F
4.15.2.1F
4.15.3F
4.15.4F
4.15.4.1F
4.15.4.2F
4.15.5M
4.15.5.1M
4.15.6M
4.15.6.1M
4.15.7M
4.15.8M
4.15.9M
4.15.10M
|
All releases in 4.14
All releases in 4.13
Releases older than 4.13
Affected platforms: All Arista DCS platforms
Resolution: Bug 216203 tracks this vulnerability. EOS-4.19.0F and later releases will contain the fix for this vulnerability. These releases are available on the software downloads page. The following table provides the EOS releases that have the fixes integrated. Releases made available after the initial fixed version will also contain the resolution.
Table-2: Currently Available Remediated EOS releases
4.19 | 4.18 | 4.17 | 4.16 | 4.15 |
---|
4.19.0F
4.19.1F
|
|
4.17.8M
|
4.16.13M
|
**Patch file download URL:**SecurityAdvisory0030-Hotfix-v1.1.swix
File URL: SecurityAdvisory0030-Hotfix-v1.1.swix
MD5SUM: 3d29c6d75916a89508eb13bcf537b148
SHA512SUM: 90329906ff83272bb90907d14c7a72b107e3971b15b6263244ee8d49757277505d637ee794b4a98a6b73d6b85b653a4ee36182690b00ee29b07adf91182e76bd
Note:
Instructions to install the patch:
Download the patch file and copy the file to the extension partition of the switch using one of the supported file transfer protocols:
switch#copy scp://10.10.0.1/SecurityAdvisory0030-Hotfix-v1.1.swix extension:
switch#verify /sha512 flash:SecurityAdvisory0030-Hotfix-v1.1.swix
verify /sha512 (flash:securityAdvisory0030-Hotfix-v1.1.swix) = 90329906ff83272bb90907d14c7a72b107e3971b15b6263244ee8d49757277505d637ee794b4a98a6b73d6b85b653a4ee36182690b00ee29b07adf91182e76bd
Verify that the checksum value returned by the above command matches the provided SHA512 checksum for the file. On modular systems with dual supervisors, download the file to the extension partition of the active supervisor and copy it to the standby supervisor using the following two commands:
switch(s1)(config)#copy extension:SecurityAdvisory0030-Hotfix-v1.1.swix supervisor-peer:/mnt/flash
switch(s2-standby)#copy flash:SecurityAdvisory0030-Hotfix-v1.1.swix extension:
Install the patch using the extension command. The patch takes effect immediately at the time of installation.
switch#extension SecurityAdvisory0030-Hotfix-v1.1.swix
On modular systems with dual supervisors, the patch has to be installed on the active and standby supervisors:
switch(s1)#extension SecurityAdvisory0030-Hotfix-v1.1.swix
switch(s2-standby)#extension SecurityAdvisory0030-Hotfix-v1.1.swix
Verify that the patch is installed using the following commands.
switch#show extension
Name Version/Release Status extension
------------------------------------------ ------------------------- ------ ----
SecurityAdvisory0030-Hotfix-v1.1.swix 2.77/6375386.erahndnsmasq A, I 1
A: available | NA: not available | I: installed | NI: not installed | F: forced
switch#show version detail | grep SecurityAdvisory0030
dnsmasq-SecurityAdvisory0030 2.77 6375386.erahndnsmasqUpstreamFixesHotfix0.5
**dnsmasq-SecurityAdvisory0030 2.77 5968836.erahndnsmasqUpstreamFixesHotfix0.59
**
Verify that the following message is displayed in /var/log/messages
Sep 29 19:22:55 SecurityAdvisory0030: Patch installed successfully
Sep 29 19:22:55 python: %EXTENSION-6-INSTALLED:** Extension SecurityAdvisory0030-Hotfix-v1.1.swix has been installed.
**
Make the patch persistent across reloads. This ensures that the patch is installed as part of the boot-sequence. The patch will not install on EOS versions with the security fix.
switch#copy installed-extensions boot-extensions
switch#show boot-extensions
SecurityAdvisory0030-Hotfix-v1.1.swix
For dual supervisor systems run the above copy command on both active and standby supervisors:
switch(s1)#copy installed-extensions boot-extensions
switch(s2-standby)#copy installed-extensions to boot-extensions
Note:
This patch (SecurityAdvisory0030-Hotfix-v1.1.swix) will automatically restart the dnsmasq service.
With hotfix v1.0 (SecurityAdvisory0030-Hotfix.swix) that was released with the initial version of this security advisory, it is required to manually restart the dnsmasq service for switches running EOS versions 4.17.0 or later. If the switch was restarted after installing the hotfix v1.0, the switch is already protected and there is no need to restart the dnsmasq.
To manually restart the dnsmasq service the following bash commands can be used.
switch#bash
Arista Networks EOS shell
[admin@switch ~]$ ps aux | grep dnsmasq
root 3923 0.0 0.0 4424 1832 ? S Oct06 0:01 /usr/sbin/dnsmasq
arastra 15669 0.0 0.0 4760 1516 pts/5 S+ 12:48 0:00 grep --color=auto dnsmasq
[admin@switch ~]$ sudo killall dnsmasq
[admin@switch ~]$ sudo service dnsmasq start
Starting dnsmasq: [OK]
[admin@switch ~]$ ps aux | grep dnsmasq
root 16770 0.0 0.0 4424 1832 ? S Oct06 0:01 /usr/sbin/dnsmasq
arastra 16793 0.0 0.0 4760 1516 pts/5 S+ 12:48 0:00 grep --color=auto dnsmasq
The “ps aux | grep dnsmasq” commands are not required to restart dnsmasq, but are used to verify the restart by checking that dnsmasq has a new PID.
Instructions to uninstall the patch:
Uninstall the patch using the following command:
switch#no extension securityAdvisory0030-Hotfix-v1.1.swix
On modular systems with dual supervisors, the patch has to be uninstalled on the active and standby supervisors:
switch(s1)#no extension securityAdvisory0030-Hotfix-v1.1.swix
switch(s2-standby)#no extension securityAdvisory0030-Hotfix-v1.1.swix
The output of ‘show extensions’ will reflect the status of the patch as ‘NI: Not installed’
switch#show extension
Name Version/Release Status extension
----------------------------------- ------- ------ ---------
**SecurityAdvisory0030-Hotfix-v1.1.swix 2.77/6375386.erahndnsmasq A, NI 1**
A: available | NA: not available | I: installed | NI: not installed | F: forced
Verify that the following message is displayed in /var/log/messages after uninstalling the extension
Sep 29 20:12:47 python: %EXTENSION-6-UNINSTALLING: **Uninstalling extension securityAdvisory0030-Hotfix-v1.1.swix**
....
Sep 29 20:12:47 **SecurityAdvisory0030: Patch removed successfully
**
Note: Once the extension has been uninstalled, the switch is no longer protected against the vulnerability.
2. To make this change persistent across switch reloads, run the following command to remove the patch from boot-extensions:
switch#copy installed-extensions boot-extensions
switch#show boot-extensions
For dual supervisor systems run the above copy command on both active and standby supervisors:
switch(s1)#copy installed-extensions boot-extensions
switch(s2-standby)#copy installed-extensions to boot-extensions
Upgrade considerations:
References:
For more information visit:
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Open a Service Request:
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502
866-476-0000
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.923 High
EPSS
Percentile
98.9%