7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.0005 Low
EPSS
Percentile
17.1%
Revision | Date | Changes |
---|---|---|
1.0 | August 23, 2023 | Initial release |
The CVE-ID tracking this issue: CVE-2023-3646
CVSSv3.1 Base Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Common Weakness Enumeration: CWE-125 Out-of-bounds Read
This vulnerability is being tracked by BUG829136, which is triggered by BUG765111
On affected platforms running Arista EOS with mirroring to multiple destinations configured, an internal system error may trigger a kernel panic and cause system reload.
CVE-2023-3646 Is tracked by BUG829136. In order to be vulnerable to the CVE a system must already be impacted by BUG765111, which is a non CVE known issue.
This issue was discovered by a customer and Arista is not aware of any malicious uses of this issue in customer networks.
The following products are affected by this vulnerability:
Arista EOS-based products:
The following product versions and platforms are not affected by this vulnerability:
Arista EOS Based Products
Arista Wireless Access Points
CloudVision WiFi, virtual appliance or physical appliance
CloudVision WiFi cloud service delivery
CloudVision eXchange, virtual or physical appliance
CloudVision Portal, virtual appliance or physical appliance
CloudVision as-a-Service
CloudVision AGNI
Arista 7130 Systems running MOS
Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)
CVE-2023-3646 Is tracked by BUG829136. In order to be vulnerable to the CVE a system must already be impacted by BUG765111, which is a non CVE known issue. In order to be impacted by BUG765111, the following conditions must be met:
Mirroring to multiple destinations must be configured:
switch(config)#show monitor session
Session s1
------------------------
Sources:
Both Interfaces: Et1/1
Destination Ports:
Et9/1 : active
Et10/1 : active
In the above example two destinations, Et9/1 and Et10/1, are configured.
Mirroring config must be added with mirror destination being ethernet port, example:
switch # show running-config | section monitor
monitor session APCON destination Ethernet54/1
In the above example the argument after destination is an Ethernet port.
This vulnerability may lead to a kernel panic and cause system reload.
The following kernel message would appear in the output of “show reload cause” or the kernelcrash log (i.e. /mnt/flash/debug/kernelcrash.last, this requires bash access) which indicates the issue:
[ 4733.949388] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
[ 4734.043395] PGD 0 P4D 0
[ 4734.043399] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 4734.043403] CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: P O 4.19.142.Ar-28837868.4283M #1
[ 4734.043404] Hardware name: Arista Woodpecker/Woodpecker, BIOS Aboot-norcal9-9.0.3-4core-14223577 11/13/2019
[ 4734.043413] RIP: 0010:fab_sand_hdrinfo+0x226a/0x2f92 [sand_dma]
[ 4734.043415] Code: 00 00 8b 85 a0 fd ff ff 2d ff 03 00 00 83 f8 0f 76 2e 66 83 3d 1a b0 0c 00 00 74 4f 48 8b b5 f8 fd ff ff 48 8b 85 f8 fd ff ff <8a> 5e 01 0f b6 00 89 da c1 e0 02 c0 ea 06 83 e0 0c 0f b6 d2 09 d0
[ 4734.043416] RSP: 0018:ffff888fee2836c0 EFLAGS: 00010202
[ 4734.043418] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888c180ac08f
[ 4734.043419] RDX: ffffffffa0335330 RSI: 0000000000000000 RDI: ffff888c180ac078
[ 4734.043421] RBP: ffff888fee283990 R08: 00000000010001c0 R09: 0000000000000000
[ 4734.043422] R10: 000ffffffffff000 R11: ffff888e7a1841d0 R12: ffff888c180ac082
[ 4734.043423] R13: 000000000000002c R14: ffff888fee283ce0 R15: ffff888cc078b500
[ 4734.043425] FS: 0000000000000000(0000) GS:ffff888fee280000(0000) knlGS:0000000000000000
[ 4734.043426] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4734.043427] CR2: 0000000000000001 CR3: 0000000ed1520000 CR4: 00000000001406e0
[ 4734.043429] Call Trace:
[ 4734.043431] <IRQ>
[ 4734.043437] ? ip_route_input_slow+0x45b/0x9f8
[ 4734.043442] ? ip_route_input_rcu+0x1e0/0x209
[ 4734.043445] ? skb_free_head+0x28/0x2a
...
[ 4734.043638] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4734.043639] CR2: 0000000000000001 CR3: 0000000ed1520000 CR4: 00000000001406e0
[ 4734.043641] Kernel panic - not syncing: Fatal exception in interrupt
[ 4734.119914] Kernel Offset: disabled
[ 4734.161753] panic_event_handler: unable to lock eeprom
The above log lines indicate that sand-dma caused a kernel panic. These logs will be present after reboot.
To determine if BUG765111 is impacting the system:
Run the following CLI command:
#platform fap <fapName> diag dump chg ETPPA_PER_PORT_TABLE 0 1
If neither “**PRP_CONTEXT_PORT_PROFILE=1” nor “FWD_CODE_PORT_PROFILE=2”**are present then BUG765111 is impacting the system and it is possible for CVE-2023-3646 to occur.
Example of a system not impacted by BUG765111:
#platform fap Fap0 diag dump chg ETPPA_PER_PORT_TABLE 0 1
Fap0 diag dump chg ETPPA_PER_PORT_TABLE 0 1:
ETPPA_PER_PORT_TABLE.ETPPA0[0]: <**PRP_CONTEXT_PORT_PROFILE=1**,PORT_EM_ACC_CMD=8,LLVP_PROFILE=1,**FWD_CODE_PORT_PROFILE=2**,ECC=0x28,>
Example of a system impacted by BUG765111:
#platform fap Fap0 diag dump chg ETPPA_PER_PORT_TABLE 0 1
Fap0 diag dump chg ETPPA_PER_PORT_TABLE 0 1:
ETPPA_PER_PORT_TABLE.ETPPA0[0]: <PORT_EM_ACC_CMD=8,LLVP_PROFILE=1,ECC=0x2b,>
HerePRP_CONTEXT_PORT_PROFILE=1 andFWD_CODE_PORT_PROFILE=2arenot present which indicates the system is impacted by BUG765111.
The suggestion to prevent this issue is to remove any mirroring config
#show monitor session
No sessions created
This example confirms that the system does not have any mirroring config present which will prevent this issue from occurring.
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.
For more information about upgrading see EOS User Manual: Upgrades and Downgrades
CVE-2023-3646 has been fixed in the following releases:
The following hotfix can be applied to remediate CVE-2023-3646. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above):
Note: Installing/uninstalling the Hotfix will result in a restart of the SandFapNi agent and an associated reprogramming of the switch chip. This process could result in outages from 5-20 minutes, depending on the number of active ports in the particular system.
To determine which hotfix to use, run “show version” from the CLI and refer to the “Architecture” Field.
Version: 1.0
URL: SecurityAdvisory88_CVE-2023-3646_Hotfix_i686.swix
SWIX hash:(SHA-512)
9c01d1bc1d657879e1a1b657a8c0dab090d589efc3f2c64e9cac1ae0356fce14496809893bffb0892b1505f8b4ee25cad0064bd7315ba6737dc5fdb200539f1a
URL: SecurityAdvisory88_CVE-2023-3646_Hotfix_x86_64.swix
SWIX hash:(SHA512)
98e98c2c34f81df4da3e4068ac9a81191f4c6ef1acab884972d092c79a7495e00d9a25c8713620d3e25b4699f777810a627634eb8078dcbbb19317ed27a9b0d5
For instructions on installation and verification of the hotfix patch, refer to the “managing eos extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘copy installed-extensions boot-extensions’.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support