CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
76.5%
Revision | Date | Changes |
---|---|---|
1.0 | March 16th, 2021 | Initial Release |
1.1 | March 29th, 2021 | -Telegraf removed from affected EOS features |
- Influxdb removed from affected components in MOS | ||
- Added config for SSL profile with trust certificate configuration | ||
- Added config check for vulnerable configuration in TerminAttr | ||
- Updated assessment for CVP | ||
- Updated mitigation for EOS, CVP and MOS |
The CVE-ID tracking this issue: CVE-2020-28362
CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
This advisory documents the impact of a publicly disclosed vulnerability in the Go programming language (maintained by Google), on Arista products. Affected products include EOS, CloudVision Portal and MOS software. Affected features and software releases are listed in the sections below.
The vulnerability affects features that use TLS connections or client certificate authentication. When exploited, the vulnerability can allow denial of service attacks for the affected features.
Arista is not aware of any malicious uses of this issue in customer networks.
CloudVision Portal:
EOS:
TerminAttr:
MOS:
The following products are affected by this vulnerability:
The following products are not affected:
I) Vulnerable Configuration
1)On systems running EOS:
a) For gRIBI, Octa and OpenConfig:
For the first step, confirm if there is any SSL profile present in the running-configuration with client certificate authentication enabled:
Switch#show running-config section management security
management security
ssl profile test
trust certificate certificate_name
In the above example, a SSL profile “test” has been configured. The “trust certificate certificate_name” piece of configuration indicates that client certificate authentication is enabled in the profile.
Next, confirm if any of the SSL profiles with client certificate authentication enabled have been applied to the following features:
(i) Confirm if gRIBI has been configured along with a SSL profile.
Switch#show management api gribi
Enabled: Yes
Server: running on port 6040
SSL Profile: test
If yes, confirm that the SSL profile has client certificate authentication enabled.
(ii) Or confirm if management api gnmi has been configured along with a SSL profile with client certificate authentication enabled:
Switch#show management api gnmi
Enabled: Yes
Server: running on port 50051, in default VRF
SSL Profile: test
QoS DSCP: none
If yes, confirm that the SSL profile has client certificate authentication enabled.
Note: Step (ii) covers the check for both Octa and OpenConfig.
b) For TerminAttr
For the first step, confirm if TerminAttr is running:
Switch#show daemon TerminAttr
Process: TerminAttr (running with PID 4060)
Uptime: 2 days, 3:48:28 (Start time: Sun Jan 31 06:00:43 2021)
No configuration options stored.
Note: The TerminAttr Process ID (PID) will differ from what is highlighted in the above example.
If TerminAttr is running, the corresponding version can be checked via the following
Switch#show version detail | grep TerminAttr-core
TerminAttr-core v1.12.0 1
Once the TerminAttr version has been checked, the following steps can be followed to determine if the system is vulnerable:
i) Confirm that the TerminAttr daemon configuration has the “-grpcaddr” and “-clientcafile” flags configured:
Switch#show running-config section TerminAttr
daemon TerminAttr
exec /usr/bin/TerminAttr --disableaaa -taillogs -grpcaddr=test/0.0.0.0:6042
-allowed_ips=0.0.0.0/0 -procfsperiod=60s -cpu_counters_expiration=60
-clientcafile=path_to_certificate
no shutdown
The presence of these flags indicate that client certificate authentication has been enabled for TerminAttr.
ii) Or confirm that the “-cvaddr” or “-ingestaddr” flags are configured. If yes, verify that the “-cvauth” or “-ingestauth” flags are NOT set to “none”:
Switch#show running-config section TerminAttr
daemon TerminAttr
exec /mnt/flash/TerminAttr -cvaddr=10.10.10.100:443 -cvcompression=gzip -taillogs
-grpcaddr 0.0.0.0:6042 --autocert=true
--cvauth=certs,/persist/secure/cloudvision/enroll.crt,/persist/secure/cloudvision/private.pem
no shutdown
In this example, the “-cvaddr” flag is configured and the “–cvauth” flag is NOT set to none.
2) On CloudVision Portal Servers:
Confirm if the version of CVP running is among the list of affected versions mentioned in the “Affected Software” section:
As seen in the above example, 2020.2.4 is the CVP version running on the server and is included in the list of CVP versions to which the vulnerability is applicable.
3) On 7130 systems running MOS:
Confirm if a docker container has been configured via “show running-configuration”:
Example:
docker container foo run image registry.example.com/busybox:latest
II) Determining if the vulnerability has been hit:
If the vulnerability has been exploited, the following crash log may be observed on affected products:
panic: impossible [recovered]
panic: impossible
goroutine 195 [running]:
runtime/panic.go:969 +0x1b9
math /big.nat.divRecursiveStep(0xc0000da400, 0x39, 0x3d, 0xc000091080, 0xa8, 0xad, 0xc00064c000, 0x70, 0x7534, 0x0, ...)
math /big/nat.go:951 +0x139a
math/big.nat.divRecursive(0xc0000da400, 0x39, 0x3d, 0xc000091080, 0xa9, 0xad, 0xc00064c000, 0x70, 0x7534)
math /big/nat.go:828 +0x17e
math/big.nat.divLarge(0xc000264000, 0x10, 0x14, 0xc000264000, 0x10, 0x14, 0xc000090b00, 0xa8, 0xab, 0xc00011b000, ...)
math /big/nat.go:727 +0x412
math/big.nat.div(0xc000264000, 0x10, 0x14, 0xc000264000, 0x10, 0x14, 0xc000090b00, 0xa8, 0xab, 0xc00011b000, ...)
math /big/nat.go:672 +0x410
Figure-1: Stack trace
Note that the stack trace may vary from case to case, however if the highlighted portion of the trace (i.e. “math”) is present, it is a strong indicator that the vulnerability has been hit. The following steps list the commands that can be used to identify the crash log on the affected products.
1) On systems running EOS:
An EOS agent crash may be observed as a result of an exploit. To identify agent crashes, navigate to the /var/log/agents directory in the bash shell and individually view the following agent logs by running “cat agent_name-PID ”. The relevant agent names are as follows:
An example of how the agent log can be viewed is as follows:
“cat TerminAttr-3553 ”
In this example, 3553 is the PID (Process Identifier).
-OR-
Run “show agent logs crash ” in the CLI. The output of this command should have sections of the logs shown in Figure-1 above highlighted in yellow.
2) On CloudVision Portal Servers (via the CLI shell):
(i) Execute “cat /cvpi/apps/aeris/logs/ingest.stderr.log ”
(ii) Execute “cat /cvpi/apps/aeris/logs/api-server.stderr.log ”
Note: For CVP clusters, perform the above check on all 3 nodes.
The output of this command should have sections of the logs shown in Figure-1 above highlighted in yellow.
3) On 7130 systems running MOS:
Execute “journalctl -u docker.service ”
The output of this command should have sections of the logs shown in Figure-1 above highlighted in yellow.
As a security best practice, TLS connections should only be accepted from trusted sources. The following options are available to restrict incoming TLS connections:
1) On systems running EOS:
Configure a non-default Control-Plane ACL with the following rule present:
permit tcp 10.10.10.0/24 any eq 443
In this example, HTTPs connections (i.e. connections to port 443) will only be accepted if sourced from the 10.10.10.0/24 subnet. The following are the default service ports for the affected features:
(i) gRIBI - 6040
(ii) OpenConfig and Octa - 6030
(iii) TerminAttr - 6042
The relevant service ports will need to be specified in the ACL rule.
Note:
i) If a different TCP port is used on the Switch for the incoming TLS connection from what is referenced above, modify the port number in the ACL rule.
ii) For TerminAttr, ensure that the connection to Cloudvision is established over a trusted network.
2) On CloudVison Portal servers (via the CLI shell):
Configure the following iptable rules on the CVP server(s) to permit incoming TCP connections to ports 9910 and 8443 from a specified subnet only:
sudo iptables -A INPUT -p tcp -s 10.10.10.0/24 --dport 9910 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 10.10.10.0/24 --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
In this example, TCP connections to ports 9910 and 8443 will be accepted only if sourced from the 10.10.10.0/24 subnet.
Note :
These iptable rules are not persistent across reboots and must be applied on a reboot of the system.
3) On 7130 systems running MOS:
There is no workaround available to mitigate the issue on 7130 systems running MOS. As a security best practice, ensure that TLS connections are made to trusted devices.
For the final resolution, please refer to the next section which lists the details of the remediated software versions.
The recommended resolution is to upgrade to a remediated software release during a maintenance window. This vulnerability is tracked by the following BUGs:
1) EOS
2) CloudVision Portal
The vulnerability in CVP is tracked by BUG541154 and the fix will be available in the following releases:
3) MOS
The vulnerability in systems running MOS is tracked by BUG MOS-1729. This has been fixed in the following release:
For More Information
To read more about this vulnerability, please refer to the following links:
Google Groups: https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
76.5%