CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.004 Low
Percentile: 73.7%
| Revision | Date | Changes |
|---|---|---|
| 1.0 | March 23, 2020 | Initial Release |
The CVE-IDs tracking this issue: CVE-2019-17596
CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
This advisory documents the exposure of Arista's products to a security vulnerability in the open-source Go software. Arista has not received evidence of this vulnerability being exploited as of the date of the initial release of this advisory.
Exploitation of this vulnerability on affected software causes a panic when the software processes network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
An attack exploiting this vulnerability would manifest as a panic in the program processing the traffic, without affecting other components of the product. It would occur when the product is given an invalid public key to validate. In EOS the impact is limited to the TerminAttr and OpenConfig agents, and such an exploit can lead to Denial-of-Service (DoS).
Affected Software
This is a platform-independent vulnerability.
Mitigation
As a security best practice, it is recommended to restrict public access to internal devices to safeguard against potential attacks. As a resolution for this vulnerability, refer to the next section for remediated software versions.
Resolution
This vulnerability is tracked using the following Bug IDs:
EOS with TerminAttr enabled - The recommended course of action is to upgrade TerminAttr to a fixed version. Upgrading TerminAttr to a remediated version is non-disruptive to device operation or traffic forwarding, and addresses this vulnerability. During the TerminAttr update, the connection to the streaming endpoint (CVP or other tools) is reset and streaming telemetry is buffered until TerminAttr is running again and the connection is re-established. Arista recommends using CVP to upgrade TerminAttr across all devices. To identify the version of TerminAttr in EOS, use the following command:
switch#show version detail | grep TerminAttr-core
TerminAttr-core v1.7.3 1
CloudVision - The vulnerability is addressed in 2019.1.3 and later versions of CloudVision Portal.
MOS - Upgrade to MOS 0.26 or later. While MOS is not vulnerable, it does use affected components that are fixed in version 0.26 or later.
The vulnerability is fixed in the following versions:
Vulnerability References
<https://vulners.com/cve/CVE-2019-17596>
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: [address hidden by the page's anti-spam script]
By telephone: 408-547-5502 or 866-476-0000