CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
58.8%
Revision | Date | Changes |
---|---|---|
1.0 | October 7th, 2020 | Initial Release |
The CVE-ID tracking this issue is: CVE-2020-17355
CVSSv3 Base Score: 7.5/10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
This advisory documents a security vulnerability in Arista EOS, for customers who leverage DHCPv6 with a specific relay option configured. The vulnerability is found in EOS where a malformed DHCP packet can lead to an incorrect route being installed. This incorrect route in turn may result in a restart of agents attempting to process the route.
The impact, in the form of agent restarts or feature usability, would be specific to the SandL3Unicast, Ira, Arp, or Snmp agents. The exposure is limited to devices with the option for “ipv6 dhcp relay install routes” configured, with the malformed packet directed on a routed port that DHCP Relay is listening on.
Arista has not received any report of this issue being exploited in any malicious manner.
It is required for the “ipv6 dhcp relay install routes” configuration line to be applied for this vulnerability to be exploited. If the vulnerability has been exploited, the symptoms of this attack would be an agent restart of SandL3Unicast, Ira, Arp, or Snmp. Agent restarts are logged under show logging all.
Example 1:
ProcMgr-worker: %**PROCMGR-6-PROCESS_TERMINATED**: ‘'SandL3Unicast' (PID=4609) has terminated.
ProcMgr-worker: %PROCMGR-6-PROCESS_RESTART: Restarting 'SandL3Unicast' immediately (it had PID=4609) 2020 Sep 21 04:23:22
ProcMgr-worker: %PROCMGR-6-PROCESS_STARTED: 'SandL3Unicast' starting with PID=28332 (PPID=2419) -- execing '/usr/bin/SandL3Unicast'``
Example 2:
ProcMgr-worker: %PROCMGR-4-TERMINATE_PROCESS_SIGQUIT: Heartbeats from 'Snmp' (PID=18833) missing for 61.0 secs -- terminating it with SIGQUIT
ProcMgr-worker: %**PROCMGR-6-PROCESS_TERMINATED**: 'Snmp' (PID=18833) has terminated.
ProcMgr-worker: %PROCMGR-6-PROCESS_RESTART: Restarting 'Snmp' immediately (it had PID=18833)
ProcMgr-worker: %PROCMGR-6-PROCESS_STARTED: 'Snmp' starting with PID=24521 (PPID=2257) -- execing '/usr/bin/Snmp'
The “%PROCMGR-6-PROCESS_TERMINATED” log highlighted above indicates that the agent has crashed.
Affected Software
Affected Platforms
As a security best practice, it is recommended to restrict public access to DHCP servers or any other internal devices sending DHCPv6 packets. Additionally, an Access-Control list (ACL) can be configured on the port that DHCP is listening on, on the EOS switch, allowing access to and from trusted DHCP servers only. For the final resolution, refer to the next section for remediated software versions.
As a workaround, “ipv6 dhcp relay install routes” can be removed from the configuration to safeguard against this vulnerability until a fix is installed.
This vulnerability is being tracked by Bug 498246. To safeguard against this vulnerability, the recommended course of action is to perform an upgrade to a remediated EOS version.
The vulnerability has been fixed in the following EOS versions:
For users exposed to this vulnerability who are unable to upgrade EOS to leverage the resolution and need a temporary fix, contact your Arista Account team or Arista TAC for assistance.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502
866-476-0000
Vendor | Product | Version | CPE |
---|---|---|---|
arista | eos | 4.24.1 | cpe:2.3:o:arista:eos:4.24.1:*:*:*:*:*:*:* |
arista | eos | 4.23.4 | cpe:2.3:o:arista:eos:4.23.4:*:*:*:*:*:*:* |
arista | eos | 4.22.6 | cpe:2.3:o:arista:eos:4.22.6:*:*:*:*:*:*:* |
arista | eos | 4.21.11 | cpe:2.3:o:arista:eos:4.21.11:*:*:*:*:*:*:* |
arista | eos | 4.20.1 | cpe:2.3:o:arista:eos:4.20.1:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
58.8%