CVSS3
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 9.1%
Date: June 25, 2024
| Revision | Date | Changes |
|---|---|---|
| 1.0 | June 25, 2024 | Initial release |
The CVE-ID tracking this issue: CVE-2024-4578
CVSSv3.1 Base Score: 8.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Common Weakness Enumeration: CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
This vulnerability is being tracked by BUG948397
This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the “config” user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this vulnerability, but the config password is required to establish the session. The spawned shell is able to obtain root privileges.
This issue was reported by an external source. Arista is not aware of any malicious uses of this issue in customer networks.
Arista would like to acknowledge and thank David Miller from cyllective AG (https://cyllective.com) for responsibly reporting CVE-2024-4578.
Wi-Fi Access Point Software:
The following products are affected by this vulnerability:
The following product versions and platforms are not affected by this vulnerability:
Arista EOS-based products:
CloudVision CUE, virtual appliance or physical appliance
CloudVision CUE cloud service delivery
CloudVision eXchange, virtual or physical appliance
CloudVision Portal, virtual appliance or physical appliance
CloudVision as-a-Service
CloudVision AGNI
Arista 7130 Systems running MOS
Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)
Arista NetVisor OS, Arista NetVisor UNUM, and Insight Analytics (Formerly Pluribus)
In order to be vulnerable to CVE-2024-4578, the following condition must be met:
The user must have knowledge of the config shell password to gain initial access.
A list of all commands executed is saved in the /var/log/cli.log file. The logs can be viewed by generating a debug bundle and opening the var/log/cli.log file within the generated debug bundle.
cat /var/log/cli.log
2024.06.08 00:09:38.052413 INFO cli (cli.-.load_commands_from_yaml) (9494:9494): Took 31770831 ns to load commands
An example of this issue being exploited is not included above since that could reveal excessive information. Admins reviewing /var/log/cli.log should look for instances of bash shell code commands being run as a part of CLI commands.
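One way to triage a cli.log pulled from a debug bundle, as an added example that is not Arista's code: it parses the line layout shown above and flags messages that contain shell metacharacters or a shell interpreter name. The patterns are generic CWE-77 indicators, not a vendor signature, and every sample line except the first is constructed, including the `cli.-.run` function name and the `command:` message prefix.

```python
import re

# Layout taken from the single cli.log line shown in the advisory:
#   date time LEVEL component (function) (pid:tid): message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) "
    r"\((?P<func>[^)]*)\) \((?P<pid>\d+):(?P<tid>\d+)\): (?P<msg>.*)$"
)

# Assumption: generic command-injection indicators, not an Arista signature.
SUSPICIOUS = [
    ("metacharacter", re.compile(r"[;|&`]|\$\(")),
    ("shell-name", re.compile(r"(?<![\w.-])(?:ba|da|a|z|k)?sh(?![\w.-])")),
]

# Line 1 is the advisory's own sample; lines 2-4 are constructed for this
# example (placeholder command names, hypothetical "command:" prefix).
SAMPLE = """\
2024.06.08 00:09:38.052413 INFO cli (cli.-.load_commands_from_yaml) (9494:9494): Took 31770831 ns to load commands
2024.06.08 00:10:02.114200 INFO cli (cli.-.run) (9494:9494): command: example-show status
2024.06.08 00:10:40.530911 INFO cli (cli.-.run) (9494:9494): command: example-set name x; /bin/sh
truncated continuation text
""".splitlines()


def review_cli_log(lines):
    """Return (findings, unparsed) for an iterable of cli.log lines."""
    findings, unparsed = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            # Lines that do not fit the layout are kept for manual review
            # rather than silently dropped.
            unparsed.append((lineno, line))
            continue
        hits = [name for name, rx in SUSPICIOUS if rx.search(m["msg"])]
        if hits:
            findings.append({"line": lineno, "ts": m["ts"], "pid": int(m["pid"]),
                             "reasons": hits, "msg": m["msg"]})
    return findings, unparsed


if __name__ == "__main__":
    for f in review_cli_log(SAMPLE)[0]:
        print(f["line"], f["ts"], ",".join(f["reasons"]), f["msg"])
```

Treat a hit as a prompt to read the surrounding session, since legitimate CLI arguments can also contain these characters.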
To mitigate the attack, configure a strong config shell password and share the password only with admin and/or trusted parties.
Arista recommends customers move to the latest version of each release that contains all the fixes listed below:
CVE-2024-4578 has been fixed in the 13.x and 16.x release trains, as follows:
For more information about upgrading WiFi AP Software, please see Upgrade Server and Upgrading Firmware of Wi-Fi Access Points with On-Premises Wireless Manager
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support