| Revision | Date | Changes |
|---|---|---|
| 1.0 | December 16th, 2020 | Initial Release |
The CVE-ID tracking this issue: CVE-2020-15898
CVSSv3 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
This advisory documents the impact of a vulnerability in Arista’s EOS involving crossing VLAN boundaries on the X-Series and 7170 Series platforms identified below. To evaluate whether a system is vulnerable, please see the “Symptoms” section below for the specific configuration required.
The effect of this vulnerability is that malformed packets can be incorrectly forwarded across VLAN boundaries in one direction. Because the leakage is one-way, it can only be exploited with unidirectional traffic (e.g. UDP); protocols that need a return path across the same boundary (e.g. TCP) cannot be exploited through it.
Please note that this advisory does not refer to the crossing of VLAN boundaries as a result of the configuration of inter-VLAN routing, which would be the expected behavior.
This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.
Affected Software
EOS
Affected Platforms
Evaluation for the X-Series
For the X-Series, this vulnerability is applicable to systems configured with VLAN interfaces (SVIs) where the SVI is assigned to a VRF with ip routing disabled. The following command can be used to confirm the VLAN(s) exposed to this vulnerability for all X-Series platforms.
Using the output of ‘show vrf’ (Figure-1, below), check each VRF for two things: whether IPv4 or IPv6 routing is disabled (‘v4:no routing’ or ‘v6:no routing’ in the State column) and whether the Interfaces column lists any SVI (a ‘VlanN’ interface). A VLAN is exposed only when both are true for its VRF; a VRF with both address families routing is not vulnerable even if it has SVIs.
In the following example,
Vlan 1 is vulnerable in the ‘default’ VRF as IPv4 routing is disabled (even if IPv6 routing is enabled) and the L3 interface list includes the SVI for VLAN 1
Vlan 10 is vulnerable in the ‘test1’ VRF as IPv6 routing is disabled (even if IPv4 routing is enabled) and the L3 interface list includes the SVI for VLAN 10
Vlan 20 is not vulnerable in the ‘test2’ VRF even with a VLAN interface as IPv4 and IPv6 routing are enabled in this VRF
Switch#show vrf
Maximum number of vrfs allowed: 1023
   VRF       RD       Protocols   State              Interfaces
   default            ipv4,ipv6   v4:no routing,     Vlan1, Ethernet8/1,
                                  v6:routing         Ethernet9/1, Loopback0
   test1     100:1    ipv4,ipv6   v4:routing,        Vlan10, Ethernet3/1,
                                  v6:no routing      Ethernet7/1, Loopback1
   test2     200:1    ipv4,ipv6   v4:routing,        Vlan20, Ethernet4/1,
                                  v6:routing         Ethernet8/1, Loopback2
Figure-1: show vrf output
In EOS releases prior to 4.23.x, interfaces in the ‘default’ VRF are not listed in the output of ‘show vrf’. If the X-Series device in question is running a release prior to 4.23.x, use the following commands to identify vulnerable VLANs in the ‘default’ VRF. For non-default VRFs, continue to use the output of ‘show vrf’ as described for Figure-1 above.
To check the status of IPv4 routing in the ‘default’ VRF, use the command ‘show running-config section ip routing’:
Switch#show running-config section ip routing
no ip routing
no ip routing vrf test1
ip routing vrf test2
Figure-2: Check for IPv4 routing in default VRF
In the example above (Figure-2), the first line, ‘no ip routing’, carries no ‘vrf’ keyword and therefore applies to the ‘default’ VRF; it indicates that IPv4 routing is disabled there. The lines with a ‘vrf’ keyword show the state of the non-default VRFs.
To check the status of IPv6 routing in the ‘default’ VRF, use the command ‘show running-config all section ipv6 unicast-routing’:
Switch#show running-config all section ipv6 unicast-routing
no ipv6 unicast-routing
no ipv6 unicast-routing vrf test1
no ipv6 unicast-routing vrf test2
Figure-3: Check for IPv6 routing in default VRF
In the example above (Figure-3), the first line, ‘no ipv6 unicast-routing’, carries no ‘vrf’ keyword and therefore applies to the ‘default’ VRF; it indicates that IPv6 routing is disabled there.
To check if the ‘default’ VRF has configured SVIs, use the command ‘show ip interface vrf default’
Switch#show ip interface vrf default
Vlan1 is up, line protocol is up (connected)
### Output omitted for brevity ###
Figure-4: Check for SVIs configured in default VRF
In the above example (Figure-4), VLAN1 has an SVI configured.
Evaluation for 7170 Platforms
On the 7170 series, systems running the affected software version are vulnerable if SVIs are configured for VLANs. The check for IP routing is not required for this platform.
To confirm if an SVI has been configured for any VLAN use the command ‘show vlan’
Switch#show vlan
VLAN  Name                             Status    Ports
----- -------------------------------- --------- -------------------------------
1     default                          active    Cpu, Et2/1, Et4/1
Figure-5: SVI check for 7170
In the above example (Figure-5), “Cpu” is listed under “Ports” for VLAN 1 indicating that an SVI is configured in VLAN 1. 7170 systems are vulnerable if an SVI is configured in any VLAN.
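As an added example (not Arista’s code and not part of this advisory), the following Python applies the evaluation criteria above to captured CLI text: the X-Series check from the ‘show vrf’ output in Figure-1, the pre-4.23 fallback that combines Figures 2 to 4 for the ‘default’ VRF, and the 7170 ‘show vlan’ check from Figure-5. The sample outputs are constructed from those figures; the extra VLAN 20 row in the ‘show vlan’ sample, the Loopback0 line in the ‘show ip interface’ sample and all function names are assumptions, not output taken from the advisory.

```python
"""Screen Arista EOS 'show' output for the CVE-2020-15898 conditions.

Added example, not Arista's code. X-Series (EOS 4.23+): an SVI is exposed when
its VRF has IPv4 or IPv6 routing disabled in 'show vrf'. Before 4.23 the default
VRF is absent from 'show vrf', so its state comes from the running-config and
'show ip interface vrf default'. 7170: a VLAN with 'Cpu' in 'show vlan' has an SVI.
Samples are constructed from the advisory's figures; the VLAN 20 row and the
Loopback0 line are added here to show filtering and are not from the advisory.
"""
import re

# --- X-Series, EOS 4.23+: 'show vrf' (constructed from Figure-1) -----------
SHOW_VRF = """\
Maximum number of vrfs allowed: 1023
   VRF       RD       Protocols   State              Interfaces
   default            ipv4,ipv6   v4:no routing,     Vlan1, Ethernet8/1,
                                  v6:routing         Ethernet9/1, Loopback0
   test1     100:1    ipv4,ipv6   v4:routing,        Vlan10, Ethernet3/1,
                                  v6:no routing      Ethernet7/1, Loopback1
   test2     200:1    ipv4,ipv6   v4:routing,        Vlan20, Ethernet4/1,
                                  v6:routing         Ethernet8/1, Loopback2
"""
# Row: VRF name, optional route distinguisher, Protocols, then State/Interfaces
# text, which may wrap onto indented continuation lines with no VRF name.
_ROW = re.compile(r"^\s*(?P<vrf>[A-Za-z0-9_.-]+)\s+(?:\S+:\S+\s+)?ipv[46]\S*\s+(?P<rest>v4:.*)$")
_STATE = re.compile(r"v(?P<fam>[46]):(?P<state>no routing|routing),?")

def parse_show_vrf(text):
    """{vrf: {"v4": bool|None, "v6": bool|None, "interfaces": [...]}}
    True = routing, False = 'no routing', None = family not shown."""
    vrfs, cur = {}, None
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            cur = vrfs.setdefault(m["vrf"], {"v4": None, "v6": None, "interfaces": []})
            rest = m["rest"]
        elif cur is not None and line[:1].isspace() and line.strip():
            rest = line                      # wrapped continuation of the row
        else:
            continue                         # banner, column header or prompt
        for s in _STATE.finditer(rest):
            cur["v" + s["fam"]] = s["state"] == "routing"
        cur["interfaces"] += [i.strip() for i in _STATE.sub("", rest).split(",") if i.strip()]
    return vrfs

def exposed_svis_xseries(vrfs):
    """VRFs with an SVI and IPv4 or IPv6 disabled; None (not shown) is not assumed disabled."""
    hits = {}
    for name, info in vrfs.items():
        disabled = [f for f in ("v4", "v6") if info[f] is False]
        svis = [i for i in info["interfaces"] if i.lower().startswith("vlan")]
        if disabled and svis:
            hits[name] = {"svis": svis, "routing_disabled": disabled}
    return hits

# --- X-Series before 4.23: default VRF (constructed from Figures 2-4) ------
RUNNING_CONFIG = """\
no ip routing
no ip routing vrf test1
ip routing vrf test2
no ipv6 unicast-routing
no ipv6 unicast-routing vrf test1
no ipv6 unicast-routing vrf test2
"""
SHOW_IP_INTERFACE_DEFAULT = """\
Vlan1 is up, line protocol is up (connected)
Loopback0 is up, line protocol is up (connected)
"""
_RC = re.compile(r"^(?P<neg>no )?(?P<fam>ip routing|ipv6 unicast-routing)(?: vrf (?P<vrf>\S+))?$")
_IFACE = re.compile(r"^(?P<name>\S+) is (?:up|down|administratively down)", re.M)

def routing_state_from_config(text):
    """{vrf: {"v4": bool, "v6": bool}}; a line without 'vrf' is the default VRF."""
    state = {}
    for line in text.splitlines():
        m = _RC.match(line.strip())
        if m:
            fam = "v4" if m["fam"] == "ip routing" else "v6"
            state.setdefault(m["vrf"] or "default", {})[fam] = m["neg"] is None
    return state

def exposed_default_vrf_pre423(config_text, show_ip_interface_text):
    """SVIs in the default VRF, if either address family has routing disabled."""
    st = routing_state_from_config(config_text).get("default", {})
    svis = [m["name"] for m in _IFACE.finditer(show_ip_interface_text)
            if m["name"].lower().startswith("vlan")]
    return svis if any(st.get(f) is False for f in ("v4", "v6")) else []

# --- 7170: any VLAN with an SVI, i.e. 'Cpu' in Ports (from Figure-5) -------
SHOW_VLAN = """\
VLAN  Name                             Status    Ports
----- -------------------------------- --------- -------------------------------
1     default                          active    Cpu, Et2/1, Et4/1
20    servers                          active    Et3/1
"""
_VLAN_ROW = re.compile(r"^(?P<id>\d+)\s+\S+\s+\S+\s+(?P<ports>.*)$")

def svi_vlans_7170(text):
    """VLAN IDs whose Ports column lists Cpu (first in the list, as in Figure-5)."""
    return [int(m["id"]) for m in map(_VLAN_ROW.match, text.splitlines())
            if m and "Cpu" in [p.strip() for p in m["ports"].split(",")]]
```

Feed it the same ‘show’ output captured from the device (for example over SSH). Column wrapping in ‘show vrf’ depends on how many interfaces each VRF has, which is why the parser follows indented continuation lines rather than fixed column offsets; a VRF whose Protocols column omits an address family is reported as unknown rather than disabled, so check such VRFs by hand.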
Mitigation
For the X-Series platforms, the mitigation is to enable both IPv4 and IPv6 routing in each VRF that contains SVIs, using ‘ip routing [vrf NAME]’ and ‘ipv6 unicast-routing [vrf NAME]’ (the same keywords checked in Figures 2 and 3). Note that enabling routing in a VRF that contains more than one SVI also enables routed traffic between those VLANs, which is the expected inter-VLAN routing referred to above, so confirm the VRF design and any ACLs before applying this in production.
There is no mitigation available for the 7170 platforms.
Resolution
This vulnerability is tracked by Bugs 359990 and 360186. The recommended resolution is to upgrade to a remediated EOS version.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: (address not preserved on this page)
By telephone: 408-547-5502 or 866-476-0000