CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
9.0%
Revision | Date | Changes |
---|---|---|
1.0 | February 14th, 2023 | Initial release |
1.1 | February 22nd, 2023 | Update the Hotfix SWIX |
The CVE-ID tracking this issue: CVE-2023-24509
CVSSv3.1 Base Score: 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Common Weakness Enumeration: CWE-269 Improper Privilege Management
This vulnerability is being tracked by BUG 723401
On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability.
Arista would like to acknowledge and thank Marc-André Labonté, Senior Information Security Analyst at Desjardins for responsibly reporting CVE-2023-24509.
Arista is not aware of any malicious uses of this issue in customer networks.
The following products are affected by this vulnerability:
Arista EOS-based products on modular switches with redundant supervisor modules:
The following product versions and platforms are not affected by this vulnerability:
In order to be vulnerable to CVE-2023-24509, the following conditions must be met:
Two supervisor modules must both be inserted and active. To determine the status of the supervisor modules,
switch#show module
Module Ports Card Type Model Serial No.
------- ----- ------------------------ ---------------- -----------
1 3 DCS-7500-SUP2 Supervisor DCS-7500-SUP2 SSJ17133450
2 2 Standby supervisor DCS-7500-SUP2 SSJ17133441
Module Status Uptime Power off reason
------- ------- ------- ----------------
1 Active 0:24:58 N/A
2 Standby 0:24:58 N/A
Supervisor redundancy protocol must be configured with RPR(Route Processor Redundancy) or SSO (Stateful Switchover) on the switch. To determine the state and the current redundancy protocol of both supervisors on the switch,
switch#show redundancy status
my state = ACTIVE
peer state = STANDBY WARM
Unit = Primary
Unit ID = 1
Redundancy Protocol (Operational) = Route Processor Redundancy
Redundancy Protocol (Configured) = Route Processor Redundancy
Communications = Up
Ready for switchover
Last switchover time = 7:23:56 ago
Last switchover reason = Supervisor has control of the active supervisor lock
This vulnerability may lead to privilege escalation issues. Unrecognized user activities in “/var/log/secure” may be an indication of the issue.
Any unrecognized login can also be an indication of the issue.
#show user detail
Session Username Roles TTY State Duration Auth Remote Host
------------- -------------- ------------------- ---------- ----------- -------------- ----------- --------------
21 admin network-admin con0 E 0:43:56 local
25 hacker network-operator vty4 E 0:03:20 local 10.0.2.3
The workaround is to disable “ssh” CLI command in unprivileged mode on the SSH client devices by using command authorization. This can be done with Role-Based Access Control (RBAC).
If the “ssh” CLI command is currently used to connect to a remote host, the destination address can be added to an allowlist with RBAC.
More details for how to use RBAC can be found on the Arista TOI pages.
https://www.arista.com/en/support/toi/eos-4-18-0f/13861-tacacs-rbac
https://www.arista.com/en/support/toi/eos-4-18-0f/13834-radius-vsas
https://www.arista.com/en/um-eos/eos-user-security#concept_dyv_1pk_cnb
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.
CVE-2023-24509 has been fixed in the following releases:
The following hotfix can be applied to remediate CVE-2023-24509. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above).:
Note: Installing/uninstalling the SWIX will cause ConfigAgent to restart and disconnect existing CLI sessions.
Version: 1.0
**URL:**SecurityAdvisory82_CVE-2023-24509_Hotfix.swix
SWIX hash:
(SHA-512)7833ab99e11cfea1ec28c09aedffd062cfc865a20a843ee6184caff1081e748c8a02590644d0c7b0e377027379cbaadc8b1a70d1c37097bf98c1bedb429dca56
For instructions on installation and verification of the hotfix patch, refer to the “managing eos extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘copy installed-extensions boot-extensions’.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support
Vendor | Product | Version | CPE |
---|---|---|---|
arista | eos | 4.28.3 | cpe:2.3:o:arista:eos:4.28.3:*:*:*:*:*:*:* |
arista | eos | 4.27.6 | cpe:2.3:o:arista:eos:4.27.6:*:*:*:*:*:*:* |
arista | eos | 4.26.8 | cpe:2.3:o:arista:eos:4.26.8:*:*:*:*:*:*:* |
arista | eos | 4.25.9 | cpe:2.3:o:arista:eos:4.25.9:*:*:*:*:*:*:* |
arista | eos | 4.24.10 | cpe:2.3:o:arista:eos:4.24.10:*:*:*:*:*:*:* |
arista | eos | 4.23.13 | cpe:2.3:o:arista:eos:4.23.13:*:*:*:*:*:*:* |