CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED
  Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: HIGH
AI Score: 8.3 High (Confidence: High)
CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE
  Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: COMPLETE
EPSS: 0.974 High (Percentile: 99.9%)
| Revision | Date | Changes |
|---|---|---|
| 1.0 | June 26th, 2019 | Initial Release |
| 1.1 | July 2nd, 2019 | Mitigation for CloudVision, MOS, and Wi-Fi products; updated swix for EOS |
| 1.2 | July 24th, 2019 | Updated EOS patch for non-default VRFs |
The CVE-IDs tracking this issue are CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479.
CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
The TCP networking vulnerabilities in the Linux kernel relate to the handling of the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK). They are triggered by TCP segments sent to an IP address on the switch; the attacker only needs to complete a TCP handshake with a service listening on that address, and no credentials are required. The exposure on Arista devices is therefore on Management ports, Routed ports, SVI interfaces, and any other interface with IP reachability.
CVE-2019-11477: SACK Panic (Linux >= 2.6.29). A sequence of specially crafted SACKs can overflow the 16-bit segment counter (tcp_gso_segs) that the kernel keeps for each socket buffer, which trips a kernel BUG check and crashes the system. A remote attacker can use this to panic the device, causing a Denial of Service.
CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions). A sequence of specially crafted SACKs fragments the TCP retransmission queue into many small buffers. On kernels before 4.15 the attacker can then make every further SACK trigger an expensive walk of that fragmented queue; on all versions the extra buffers consume CPU and memory. Either way the result is slowness or Denial of Service.
CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions). A peer advertising a very low MSS forces the kernel to split its responses into many tiny segments (as few as 8 bytes of payload each), multiplying per-packet overhead and bandwidth consumption. Crafted connections with low MSS values can therefore exhaust both CPU and network interface capacity, potentially leading to slowness or Denial of Service.
These CVEs were disclosed publicly, and the exposure spans the Linux kernel versions listed above. As a result the following Arista products are affected: EOS, MOS, CVP, CVA, and the Wi-Fi products (Wireless Manager, Access Points, and all the Wi-Fi Cloud services). The complete list of affected products and software versions is documented below.
The vulnerabilities are in the Linux Kernel, leading to all the currently shipping code versions being impacted.
These vulnerabilities are platform independent.
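The three CVEs above, and the statement that every currently shipping kernel-based product is affected, reduce to two practical questions for an operator: is a peer advertising the abnormally low MSS that drives CVE-2019-11479, and does a given kernel carry the fixes. The following Python is an added example written for this page; it is not Arista code and it is not the CVP/CVA mitigation the notice refers to. It assumes (not stated on this page) the 500-byte MSS cut-off used by the widely published iptables/nftables mitigation, the first fixed upstream stable releases given in the Netflix advisory (4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11), and that 5.2 and later shipped with the fixes. Vendor kernels, including Arista's, backport fixes without changing the version string, so `kernel_is_fixed()` deliberately answers "unknown" for them; the sample SYN option blocks are constructed, not captured.

```python
import re
from typing import Dict, Optional, Tuple

# TCP option kinds (RFC 793 / RFC 2018)
TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2
TCP_OPT_SACK_PERMITTED = 4

# Assumption: 500 bytes is the cut-off used by the published iptables/nftables
# mitigation for CVE-2019-11479 (-m tcpmss --mss 1:500 -j DROP); not an Arista value.
LOW_MSS_THRESHOLD = 500

# Assumption: first upstream stable releases with the fixes (Netflix advisory
# NFLX-2019-002). Vendor kernels backport without bumping these numbers.
FIXED_STABLE: Dict[Tuple[int, int], int] = {
    (4, 4): 182, (4, 9): 182, (4, 14): 127, (4, 19): 52, (5, 1): 11,
}

CVES = ("CVE-2019-11477", "CVE-2019-11478", "CVE-2019-11479")


def parse_tcp_options(opts: bytes) -> Dict[int, bytes]:
    """Decode a raw TCP options block into {kind: value}.

    EOL and NOP are single-byte kinds; everything else is kind/length/value.
    Truncated or malformed options end the walk instead of reading past the
    buffer, because a sensor sees plenty of garbage SYNs.
    """
    out: Dict[int, bytes] = {}
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            break  # kind byte with no length byte
        length = opts[i + 1]
        if length < 2 or i + length > n:
            break  # bogus length, do not read beyond the buffer
        out[kind] = opts[i + 2:i + length]
        i += length
    return out


def syn_mss(opts: bytes) -> Optional[int]:
    """MSS advertised in a SYN's options, or None if absent or malformed."""
    value = parse_tcp_options(opts).get(TCP_OPT_MSS)
    if value is None or len(value) != 2:
        return None
    return int.from_bytes(value, "big")


def syn_is_low_mss(opts: bytes, threshold: int = LOW_MSS_THRESHOLD) -> bool:
    """True when the peer advertises an MSS below the filter threshold."""
    mss = syn_mss(opts)
    return mss is not None and mss < threshold


def parse_release(uname_r: str) -> Tuple[int, int, int]:
    """'4.19.52-1-amd64' -> (4, 19, 52)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_is_fixed(uname_r: str) -> Optional[bool]:
    """True/False for an upstream stable series we can judge, None otherwise.

    None covers distro and vendor kernels (Ubuntu 4.15.0-*, Arista EOS, ...)
    that backport fixes silently: rely on the vendor's bug IDs / hotfix state.
    """
    major, minor, patch = parse_release(uname_r)
    if (major, minor) > (5, 1):
        return True  # assumption: 5.2 and later shipped after the fix landed
    first_fixed = FIXED_STABLE.get((major, minor))
    if first_fixed is None:
        return None
    return patch >= first_fixed


def assess_host(uname_r: str, tcp_sack_enabled: bool = True,
                low_mss_filtered: bool = False) -> Dict[str, str]:
    """Per-CVE status from the kernel release plus the two known workarounds."""
    fixed = kernel_is_fixed(uname_r)
    if fixed:
        return {cve: "fixed" for cve in CVES}
    base = "unknown (vendor kernel)" if fixed is None else "vulnerable"
    sack = "mitigated (SACK disabled)" if not tcp_sack_enabled else base
    mss = "mitigated (low-MSS filter)" if low_mss_filtered else base
    # Disabling SACK covers the two SACK bugs; only the MSS filter covers 11479.
    return {"CVE-2019-11477": sack, "CVE-2019-11478": sack, "CVE-2019-11479": mss}


if __name__ == "__main__":
    # Constructed sample SYN option blocks (not captured from any device):
    normal = b"\x02\x04\x05\xb4\x01\x01\x04\x02"  # MSS 1460, NOP, NOP, SACK-permitted
    tiny = b"\x01\x01\x02\x04\x00\x30"             # NOP, NOP, MSS 48
    print(syn_mss(normal), syn_is_low_mss(normal))
    print(syn_mss(tiny), syn_is_low_mss(tiny))
    print(assess_host("4.19.51", tcp_sack_enabled=False))
```

Feed `syn_is_low_mss()` the option bytes of inbound SYNs from a capture to see whether anyone is already probing with tiny MSS values; the "unknown" result from `assess_host()` is the honest answer for EOS, CVP and CVA kernels, where only the Arista bug IDs and hotfix state below tell you whether a device is remediated.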
The long-term resolution is to upgrade to a remediated code version, as detailed in the next section. A temporary mitigation is to install the hotfix provided for the impacted products.
The hotfix can be installed as an EOS extension on affected versions in the 4.17 and later release trains. It is recommended to install the patch on affected versions of EOS to safeguard against these vulnerabilities.
Note: For instructions on installation and verification of EOS extensions, refer to this section in the EOS User Manual: https://www.arista.com/en/um-eos/eos-section-6-7-managing-eos-extensions
The mitigation for CloudVision Portal can be applied by running the following commands in the CVP shell as the root user:
The mitigation for CloudVision Appliance can be applied by following the steps below after logging in to the CVA shell as the root user:
The hotfix can be installed as an application on affected versions (0.21.1 and below). It is recommended to install this patch on affected versions to safeguard against these vulnerabilities.
It is recommended to install this patch on affected versions (8.7.1 and below) to safeguard against these vulnerabilities.
Immediate mitigation is not available for APs. A full build with the remediated kernel will be provided in the upcoming 8.7.1 hotfix, scheduled for GA by mid-July, and in subsequent releases starting with 8.8.
For immediate mitigation, the patch to safeguard against these vulnerabilities has been applied on the Wi-Fi Cloud Services.
The following bugs track this vulnerability and its impact across Arista products. The fix requires a kernel update, so the recommended course of action is to upgrade to a fixed code version once it is available for download. The pertinent Bug IDs and the versions containing the fix are:
The next upgrade of all Wi-Fi cloud services will have the remediated kernel version. In the meantime, the mitigation to safeguard against these vulnerabilities has already been applied.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email:
By telephone: 408-547-5502 or 866-476-0000