Revision | Date | Changes |
---|---|---|
1.0 | December 16th, 2020 | Initial Release |
The CVE-ID tracking this issue: CVE-2020-26569
CVSSv3.1 Base Score: 5.9/10 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
This advisory documents the impact of a vulnerability in Arista’s EOS involving the crossing of VLAN boundaries on the X-series platforms identified under “Symptoms” and “Affected Platforms” below.
In EVPN VxLAN setups, the effect of this vulnerability is that specific malformed packets can lead to incorrect MAC-to-IP bindings and, as a result, packets can be incorrectly forwarded across VLAN boundaries. This can result in traffic being discarded on the receiving VLAN.
Please note that this advisory does not refer to the crossing of VLAN boundaries as a result of the explicit configuration of inter-VLAN routing, which would be expected behavior.
This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.
Affected Software
EOS
Affected Platforms
Affected platforms are vulnerable when deployed in an EVPN VxLAN design with SVIs (Switched VLAN Interfaces) configured. If unexpected traffic loss is noticed, this vulnerability can be verified by checking for invalid bindings between the IP and MAC address for each VLAN.
To verify if a device is vulnerable, use the commands in the following example to identify the presence of EVPN VxLAN configuration with SVIs.
Check for EVPN and VxLAN configuration
router bgp 65006
!
vlan 8
rd 65006:500150
route-target both 65006:500150
redistribute learned
!
address-family evpn
neighbor 1.1.1.1 activate
Figure-1: EVPN configuration snippet
In the configuration snippet present in Figure-1, address-family evpn has been configured under the “router bgp” configuration context. Additionally, the EVPN address-family has been activated for a peer, as indicated by the "neighbor 1.1.1.1 activate" piece of configuration. This indicates that EVPN has been configured on the switch in question. Please note that the EVPN address-family can be activated for multiple peers as well.
Switch#show running-config section vxlan
interface Vxlan1
vxlan source-interface Loopback0
vxlan udp-port 4789
vxlan vlan 8 vni 800
Figure-2: VxLAN configuration
The presence of a VxLAN interface configuration as shown in Figure-2 confirms that VxLAN is enabled.
Check for configured SVIs
Switch#show vlan
VLAN Name Status Ports
8 active Cpu, Et1, Et2, Vx1
Figure-3: show vlan output
In the output of “show vlan” as shown in Figure-3, if “Cpu” is listed under “Ports” for any VLAN, it means that an SVI has been configured for the VLAN in question. In the above example, there is an SVI configured in VLAN 8, which makes VLAN 8 vulnerable even if it does not map to any VNIs.
In the scenario of unexpected traffic loss, the ARP/ND tables can be further reviewed to identify any invalid IP to MAC bindings. The following commands and output example (Figure-4) can be used to confirm if there are any invalid or unexpected IP-MAC bindings.
Switch#show arp
Address Age (min) Hardware Addr Interface
10.64.139.65 N/A aaaa.aaaa.aaa Vlan8, Not learned
Switch#show ipv6 neighbors
IPv6 Address Age Hardware Addr State Interface
2001::2 N/A aaa1.aaa1.aaa1 REACH Vl8, not learned
Figure-4: show arp/show ipv6 neighbors output
If the host with the IP address in the ARP entry is actively sending traffic and the output of the ARP/Neighbor discovery table shows the entry as ‘not learned’, this is a possible indication that the entry was incorrectly updated as a result of this vulnerability.
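As an added illustration of the checks above (example code, not part of the Arista advisory), the following Python script parses constructed `show vlan`, `show arp` and `show ipv6 neighbors` output and reports the ‘not learned’ entries that sit on a VLAN carrying an SVI; the column layout of the sample output is an assumption modelled on Figures 3 and 4.

```python
import re

# Constructed sample CLI output modelled on Figures 3 and 4 of the advisory;
# the second row of each table is an ordinary learned entry for contrast.
SHOW_VLAN = """\
VLAN  Name        Status    Ports
8     VLAN0008    active    Cpu, Et1, Et2, Vx1
9     VLAN0009    active    Et3, Vx1
"""
SHOW_ARP = """\
Address         Age (min)  Hardware Addr   Interface
10.64.139.65    N/A        aaaa.aaaa.aaaa  Vlan8, Not learned
10.64.139.70    0:00:12    bbbb.bbbb.bbbb  Vlan8, Ethernet1
"""
SHOW_IPV6_NEIGHBORS = """\
IPv6 Address   Age   Hardware Addr    State  Interface
2001::2        N/A   aaa1.aaa1.aaa1   REACH  Vl8, not learned
2001::3        0:01  bbb1.bbb1.bbb1   REACH  Vl9, Et3
"""

# An ARP/ND row whose interface column reads "Vlan<N>, not learned" (any case).
ENTRY_RE = re.compile(
    r"^(?P<addr>\S+)\s+.*?(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+.*?"
    r"(?:Vlan|Vl)(?P<vlan>\d+),\s*not learned\s*$",
    re.IGNORECASE,
)

def vlans_with_svi(show_vlan):
    """VLAN IDs whose 'show vlan' port list contains 'Cpu', i.e. an SVI exists
    (Figure-3). Per the advisory a VLAN counts even if no Vx port maps it to a VNI."""
    svis = set()
    for line in show_vlan.splitlines():
        m = re.match(r"^(\d+)\s+.*?\b(?:active|suspended)\s+(.*)$", line)
        if m and "Cpu" in [port.strip() for port in m.group(2).split(",")]:
            svis.add(int(m.group(1)))
    return svis

def suspicious_bindings(show_vlan, show_arp, show_ipv6_neighbors):
    """(address, mac, vlan) for 'not learned' ARP/ND entries on a VLAN with an SVI.
    Candidates only: confirm the host is actively sending before clearing the entry."""
    svis = vlans_with_svi(show_vlan)
    hits = []
    for table in (show_arp, show_ipv6_neighbors):
        for line in table.splitlines():
            m = ENTRY_RE.match(line)
            if m and int(m.group("vlan")) in svis:
                hits.append((m.group("addr"), m.group("mac"), int(m.group("vlan"))))
    return hits

HITS = suspicious_bindings(SHOW_VLAN, SHOW_ARP, SHOW_IPV6_NEIGHBORS)  # run on the sample
```

Each reported tuple is an entry to review against live traffic from that address; entries on VLANs without an SVI are deliberately ignored because the advisory ties the issue to SVIs.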
A mitigation for this is to first identify the malicious sending IP and then clear the corresponding entry from the ARP/IPv6 neighbor table.
For the final resolution, please refer to the next section which lists the details of the remediated software versions.
This vulnerability is being tracked by BUG 407644. The recommended resolution is to upgrade to a remediated EOS version, listed below.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: [address withheld on the source page]
By telephone: 408-547-5502 or 866-476-0000