CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS Percentile: 42.5%

Revision | Date | Changes |
---|---|---|
1.0 | April 14th, 2020 | Initial Release |
The CVE-ID tracking this issue: CVE-2019-18948
CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
This security advisory documents the exposure of Arista's products to a security vulnerability in EOS, specific to the VxLAN implementation. While the mappings already programmed in hardware will not be affected, specific malformed ARP packets can impact the software forwarding of VxLAN packets. This issue is found in Arista's EOS VxLAN code.
The vulnerability is documented by Arista using the following Bug IDs:
An attack due to this vulnerability could manifest in the form of a crash of the VxlanSwFwd agent. It's not expected that this would impact other agents or traffic forwarding functions. Software forwarding of VxLAN packets may be affected, leading to traffic loss, though existing ARP entries or hardware forwarding will not be impacted.
VxlanSwFwd: %AGENT-6-INITIALIZED: Agent 'VxlanSwFwd' initialize
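An added example (not from Arista's advisory): a Python check that scans collected syslog for repeated VxlanSwFwd agent initializations, the trace that a crash followed by a restart would leave. The message tag and agent name come from the log line above; the timestamp and hostname prefix, the hostnames, the sample lines and the threshold and window defaults are assumptions.

```python
import re
from datetime import datetime, timedelta

# Tag and agent name are from the advisory's sample message. The leading
# "<ISO timestamp> <hostname>" prefix is an assumed syslog layout.
INIT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+VxlanSwFwd: "
    r"%AGENT-6-INITIALIZED: Agent 'VxlanSwFwd' initialize"
)

# Constructed sample input (hostnames and times are made up for illustration).
SAMPLE = """\
2020-04-14T10:00:05+00:00 leaf1 VxlanSwFwd: %AGENT-6-INITIALIZED: Agent 'VxlanSwFwd' initialize
2020-04-14T10:03:40+00:00 leaf1 VxlanSwFwd: %AGENT-6-INITIALIZED: Agent 'VxlanSwFwd' initialize
2020-04-14T10:04:02+00:00 leaf2 Stp: %AGENT-6-INITIALIZED: Agent 'Stp' initialize
2020-04-14T11:30:00+00:00 leaf2 VxlanSwFwd: %AGENT-6-INITIALIZED: Agent 'VxlanSwFwd' initialize
""".splitlines()


def find_restart_bursts(lines, threshold=2, window=timedelta(minutes=10)):
    """Return {host: [timestamps]} for hosts whose VxlanSwFwd agent
    initialized at least `threshold` times within `window` (first burst only)."""
    per_host = {}
    for line in lines:
        m = INIT_RE.match(line)
        if not m:
            continue  # other agents and unrelated messages are ignored
        try:
            ts = datetime.fromisoformat(m.group("ts"))
        except ValueError:
            continue  # unparseable timestamp: skip rather than guess
        per_host.setdefault(m.group("host"), []).append(ts)

    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans <= `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = stamps[start:end + 1]
                break
    return flagged
```

A single initialization is expected after a reboot or after installing the hotfix, which restarts the agent, so the default threshold only flags repeats inside the window.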
Affected Software
As a security best practice, it is recommended to restrict public access to internal devices to safeguard from potential attacks. As a resolution against this vulnerability, refer to the next section for remediated software versions and hotfix details.
This vulnerability is tracked by Bug 364633 and Bug 420663 and manifests in VxLAN setups only. The recommended course of action is to install the provided hotfix or upgrade to a remediated EOS version once available.
The vulnerability is fixed in the following EOS versions:
If you are unable to upgrade EOS right away, the fix is available as a hotfix and should be applied to safeguard against this vulnerability.
The hotfix can be installed as an EOS extension and is version-specific as noted below. The hotfix restarts the VxlanSwFwd agent. During the restart, any new ARP VxLAN requests and replies will be missed; however, existing ARP entries are not affected. The disruption will last for 5 seconds or less before normal behavior is restored.
For instructions on installation and verification of EOS extensions, refer to this section in the EOS User Manual: https://www.arista.com/en/um-eos/eos-section-6-7-managing-eos-extensions. Ensure that the extension is made persistent across reboots by copying the installed-extensions to boot-extensions.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By telephone: 408-547-5502
866-476-0000