| Metric | CVSS v3.1 | CVSS v2 |
|---|---|---|
| Base score | 7.5 High | 7.8 High |
| Attack Vector / Access Vector | NETWORK | NETWORK |
| Attack Complexity / Access Complexity | LOW | LOW |
| Privileges Required / Authentication | NONE | NONE |
| User Interaction | NONE | n/a |
| Scope | UNCHANGED | n/a |
| Confidentiality Impact | NONE | NONE |
| Integrity Impact | NONE | NONE |
| Availability Impact | HIGH | COMPLETE |
| Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | AV:N/AC:L/Au:N/C:N/I:N/A:C |

EPSS: 0.821 High (percentile 98.3%)
| Revision | Date | Changes |
|---|---|---|
| 1.0 | November 6th, 2019 | Initial Release |
The CVE-IDs tracking this issue: CVE-2019-9512, CVE-2019-9514, and CVE-2019-9515
CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
This advisory documents the exposure of Arista's products to the above-listed CVEs, which concern an HTTP/2 out-of-memory (OOM) vulnerability in Go's gRPC library. The vulnerability is in open-source software (Go's gRPC library), and Arista has not received evidence of this vulnerability being exploited as of the date of initial release of this advisory.
If TerminAttr or OpenConfig is enabled, an attacker could continually send data (a flood) that causes the TerminAttr or OpenConfig agent to consume large amounts of memory, potentially leading to an OOM (Out of Memory) condition.
Exploitation of this vulnerability can lead to an Out-of-Memory condition on the impacted device. Repeated attempts could lead to a Denial of Service, since other agents can run out of memory due to the large memory consumption of the TerminAttr and/or OpenConfig agents.
Affected Software
As a security best practice, it is recommended to not expose internal devices to public access to safeguard from potential attacks. As a resolution against this vulnerability, refer to the next section for a hitless hotfix for EOS and code upgrade path for all products.
The vulnerability is tracked by:
EOS with TerminAttr enabled - The recommended course of action is to upgrade TerminAttr to a fixed version. Upgrading TerminAttr to a remediated version is non-disruptive to the device operation or traffic forwarding, and addresses this vulnerability for EOS and CloudVision Portal. During the TerminAttr update, the connection of CVP to devices is reset and streaming telemetry is buffered until TerminAttr is running again and the connection is re-established. Arista suggests leveraging CVP to upgrade TerminAttr across all devices.
EOS with OpenConfig enabled - For OpenConfig, install the provided hotfix for immediate resolution. Hotfix install instructions for OpenConfig in EOS:
(1) Patch file download URL: SecurityAdvisory0043Hotfix-1-v1.0.0.swix
sha512 checksum for verification: be17fce400045ee63c7d77cb756e47aebf460c878793b1984ed3c79f7c3be3ec189c986afdcbc3d1814170d2e1f5c594b3ac7d179ebe05eda05c4919d9789036
This patch is compatible with the following EOS versions:
(2) Patch file download URL: SecurityAdvisory0043Hotfix-2-v1.0.0.swix
sha512 checksum for verification: ef84fb5e4eb2ffe9f1cf2904cb1b496fb115c444de21f4cf38858daa4a0cba35a6cad9677d01b8f1885df42ff15368c864998eb4afcc7625e39195e08f65c669
This patch is compatible with the following EOS versions:
For instructions on installation and verification of EOS extensions, refer to this section in the EOS User Manual: https://www.arista.com/en/um-eos/eos-section-6-7-managing-eos-extensions. Ensure that the extension is made persistent across reboots by copying the installed-extensions to boot-extensions.
After the patch is in place, the following log message is recorded to highlight any attempt to exploit this vulnerability:
kernel: [ 7458.218363] TCP: request_sock_TCP: Possible SYN flooding on port 6042. Sending cookies. Check SNMP counters.
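One way to turn that kernel notice into an alert is to parse it out of syslog and flag a port that accumulates several notices in a short window. The code below is an added example written for this advisory, not Arista's own tooling; the regex matches the log line quoted above, and the watched port (6042, taken from that line), the 600-second window and the threshold of three notices are assumptions to tune locally. The sample log lines are constructed.

```python
"""Flag repeated kernel SYN-flood notices on the agent port (added example)."""
import re
from collections import defaultdict

# Matches the kernel message quoted in the advisory; captures the dmesg uptime
# stamp and the TCP port named in the notice.
FLOOD_RE = re.compile(
    r"kernel: \[\s*(?P<uptime>\d+\.\d+)\] TCP: request_sock_TCP: "
    r"Possible SYN flooding on port (?P<port>\d+)\."
)

# 6042 is the port in the advisory's sample line; confirm locally which
# agent listens on it before relying on this mapping (assumption).
WATCHED_PORTS = {6042}


def parse_flood_events(lines):
    """Return (uptime_seconds, port) tuples for every matching log line."""
    events = []
    for line in lines:
        m = FLOOD_RE.search(line)
        if m:
            events.append((float(m.group("uptime")), int(m.group("port"))))
    return events


def flag_ports(events, window_s=600.0, threshold=3):
    """Return watched ports with >= `threshold` notices inside any `window_s` span.

    The kernel rate-limits this message, so a few repeats within minutes
    already indicate sustained connection pressure on that port.
    """
    by_port = defaultdict(list)
    for uptime, port in events:
        if port in WATCHED_PORTS:
            by_port[port].append(uptime)
    flagged = set()
    for port, stamps in by_port.items():
        stamps.sort()
        # Slide a window of `threshold` consecutive stamps over the sorted list.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window_s:
                flagged.add(port)
                break
    return sorted(flagged)


# Constructed sample: the advisory's line, two repeats, one unrelated port.
SAMPLE_LOG = [
    "kernel: [ 7458.218363] TCP: request_sock_TCP: Possible SYN flooding on port 6042. Sending cookies. Check SNMP counters.",
    "kernel: [ 7520.001122] TCP: request_sock_TCP: Possible SYN flooding on port 6042. Sending cookies. Check SNMP counters.",
    "kernel: [ 7601.556677] TCP: request_sock_TCP: Possible SYN flooding on port 22. Sending cookies. Check SNMP counters.",
    "kernel: [ 7650.333444] TCP: request_sock_TCP: Possible SYN flooding on port 6042. Sending cookies. Check SNMP counters.",
    "sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2",
]

if __name__ == "__main__":
    print(flag_ports(parse_flood_events(SAMPLE_LOG)))  # [6042]
```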
CloudVision - The vulnerability is addressed in the 2019.1.0 and later versions of CloudVision Portal. Updating TerminAttr on managed devices protects against this vulnerability on affected CloudVision Portal releases.
Wi-Fi Access Points - If OpenConfig is explicitly enabled, the recommendation is to upgrade to a remediated code version, v8.8.1, to safeguard against this vulnerability.
The vulnerability is fixed in the following versions:
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: [address not reproduced on this page]
By telephone: 408-547-5502 or 866-476-0000