CVSS2: AV:N/AC:M/Au:N/C:C/I:C/A:C

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

CVSS3: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

AI Score confidence: High
EPSS percentile: 99.1%
Date: July 8, 2024
Revision | Date | Changes |
---|---|---|
1.0 | July 8th, 2024 | Initial release |
The CVE-ID tracking this issue: CVE-2024-6387
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Arista Networks is providing this security update in response to the OpenSSH security vulnerability CVE-2024-6387, named regreSSHion.
The vulnerability is a signal handler race condition in OpenSSH’s server (sshd) on glibc-based Linux systems that can lead to unauthenticated remote code execution with full root access. It affects the default configuration and does not require user interaction, posing a significant exploit risk.
Affected OpenSSH Versions:
Arista Product Security Incident Response Teams are aware of this issue and are urgently investigating our product suite's exposure to it. A current list of affected products is included below, and Arista will update this advisory as the ongoing assessment produces more information.
The following products are NOT affected by CVE-2024-6387:
Enable SSH service ACLs to limit SSH access to minimize the attack risks.
```
ip access-list allowHosts4
   10 permit ip host <ipv4 address> any
ipv6 access-list allowHosts6
   10 permit ipv6 host <ipv6 address> any
management ssh
   ip access-group allowHosts4 in
   ipv6 access-group allowHosts6 vrf RED in
```
For more information about SSH service ACLs see Configuring Service ACLs and Displaying Status and Counters.
This workaround restricts SSH access to the AP to known IPs by defining the whitelist on CV-CUE: Configure –> Device –> AccessPoints –> General –> Enable SSH IP Allow List
The workaround is to set LoginGraceTime to 0 to fix the signal handler race condition in OpenSSH.
Note: The LoginGraceTime mitigation has the side effect of removing protection against attackers who attempt to tie up server resources by opening connections and leaving them idle indefinitely. This could lead to a denial-of-service (DoS) condition where legitimate users cannot connect because server resources are exhausted.
If such a DoS is attempted, ACLs should be added on the device or its connected switches and firewalls to limit the sources of malicious traffic until an upgrade to a patched release can be deployed.
```
switch(config)#management ssh
switch(config-mgmt-ssh)#no login timeout
```
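To confirm the LoginGraceTime mitigation on a general-purpose Linux host running sshd, the effective value can be read from `sshd_config` text or from `sshd -T` output. The following is an added example, not Arista's or OpenSSH's code; the function names and sample inputs are constructed for illustration, and `Include` files are not followed.

```python
import re

DEFAULT_GRACE = 120  # sshd's default LoginGraceTime in seconds
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_time(value):
    """Convert an sshd_config time value ('0', '120', '2m', '1h30m') to seconds."""
    value = value.lower()
    parts = re.findall(r"(\d+)([smhdw]?)", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unparseable time value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def effective_grace(config_text):
    """Return (seconds, line_number); line_number is None when the default applies."""
    for number, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if not tokens:
            continue
        keyword = tokens[0].lower()          # keywords are case-insensitive
        if keyword == "match":               # conditional blocks: not the global value
            break
        if keyword == "logingracetime" and len(tokens) > 1:
            return parse_time(tokens[1]), number   # first occurrence wins
    return DEFAULT_GRACE, None

def audit(config_text):
    """Report whether the LoginGraceTime 0 mitigation is in effect."""
    seconds, number = effective_grace(config_text)
    source = f"line {number}" if number else "built-in default"
    if seconds == 0:
        return (f"mitigation applied ({source}): no login timer, "
                "monitor idle unauthenticated connections")
    return f"mitigation NOT applied ({source}): login timer is {seconds}s"

# Constructed sample inputs, not taken from any real host.
SAMPLE_DEFAULT = "Port 22\n#LoginGraceTime 2m\nPermitRootLogin no\n"
SAMPLE_MITIGATED = "Port 22\nLoginGraceTime 0\nLoginGraceTime 2m\n"
SAMPLE_SSHD_T = "port 22\nlogingracetime 90\n"

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("mitigated", SAMPLE_MITIGATED),
                       ("sshd -T", SAMPLE_SSHD_T)]:
        print(f"{name}: {audit(text)}")
```

A commented-out `#LoginGraceTime` line leaves the 120-second default in force, which is why the first sample reports the mitigation as not applied.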
The NDR ops team has deployed the OpenSSH timeout configuration change that mitigates the issue to all vulnerable managed appliances.
No user configuration is required.
There are no fixes presently available for affected products.
The following hotfix can be applied to remediate CVE-2024-6387. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above) or applying the mitigation as a temporary fix.
Note: Installing or uninstalling the SWIX will cause the SuperServer agent to restart; services may be unavailable for up to one minute. The existing session should not be interrupted, but logging in again after the hotfix installation is suggested.
Arista EOS-based products
Version: 1.0
URL: https://www.arista.com/support/advisories-notices/sa-download/?sa100-SecurityAdvisoryTamalpaisHotfix.swix
SWIX hash (SHA512):
7766e19fa5ea607af77272c1a8363c7c9c10140cb7a7f99f6bc674b0bc91b808a571f600830856033a55751580e30519640fe1a9583a1a6aebec86d184ec8f7f
For instructions on installation and verification of the hotfix patch, refer to the “managing eos extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘copy installed-extensions boot-extensions’.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Contact information needed to open a new service request may be found at:
https://www.arista.com/en/support/customer-support