Lucene search

AristaCVE-2023-24509

HistoryApr 13, 2023 - 8:15 p.m.

CVE-2023-24509

2023-04-1320:15:08

CWE-269

Arista

web.nvd.nist.gov

310

cve

2023

24509

arista eos

privilege escalation

vulnerability

CVSS3

9.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

Percentile

9.0%

JSON

On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability.

Affected configurations

Nvd

Node

arista704x3Match-

arista7304xMatch-

arista7304x3Match-

arista7308xMatch-

arista7316xMatch-

arista7324xMatch-

arista7328xMatch-

arista7504rMatch-

arista7504r3Match-

arista7508rMatch-

arista7508r3Match-

arista7512rMatch-

arista7512r3Match-

arista7516rMatch-

arista755xMatch-

arista758xMatch-

arista7804r3Match-

arista7808r3Match-

arista7812r3Match-

arista7816r3Match-

AND

aristaeosRange4.23–4.23.13m

aristaeosRange4.24.0–4.24.11m

aristaeosRange4.25.0–4.25.10m

aristaeosRange4.26.0–4.26.9m

aristaeosRange4.27.0–4.27.7m

aristaeosRange4.28.0–4.28.4m

VendorProductVersionCPE
arista704x3-cpe:2.3:h:arista:704x3:-:*:*:*:*:*:*:*
arista7304x-cpe:2.3:h:arista:7304x:-:*:*:*:*:*:*:*
arista7304x3-cpe:2.3:h:arista:7304x3:-:*:*:*:*:*:*:*
arista7308x-cpe:2.3:h:arista:7308x:-:*:*:*:*:*:*:*
arista7316x-cpe:2.3:h:arista:7316x:-:*:*:*:*:*:*:*
arista7324x-cpe:2.3:h:arista:7324x:-:*:*:*:*:*:*:*
arista7328x-cpe:2.3:h:arista:7328x:-:*:*:*:*:*:*:*
arista7504r-cpe:2.3:h:arista:7504r:-:*:*:*:*:*:*:*
arista7504r3-cpe:2.3:h:arista:7504r3:-:*:*:*:*:*:*:*
arista7508r-cpe:2.3:h:arista:7508r:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
arista	704x3	-	cpe:2.3:h:arista:704x3:-:::::::*
arista	7304x	-	cpe:2.3:h:arista:7304x:-:::::::*
arista	7304x3	-	cpe:2.3:h:arista:7304x3:-:::::::*
arista	7308x	-	cpe:2.3:h:arista:7308x:-:::::::*
arista	7316x	-	cpe:2.3:h:arista:7316x:-:::::::*
arista	7324x	-	cpe:2.3:h:arista:7324x:-:::::::*
arista	7328x	-	cpe:2.3:h:arista:7328x:-:::::::*
arista	7504r	-	cpe:2.3:h:arista:7504r:-:::::::*
arista	7504r3	-	cpe:2.3:h:arista:7504r3:-:::::::*
arista	7508r	-	cpe:2.3:h:arista:7508r:-:::::::*

Rows per page:

1-10 of 211

CNA Affected

[
  {
    "vendor": "Arista Networks",
    "product": "Arista EOS",
    "versions": [
      {
        "version": "4.23.0 4.23.13M",
        "status": "affected"
      },
      {
        "version": "4.28.0",
        "status": "affected",
        "lessThanOrEqual": "4.28.3M",
        "versionType": "custom"
      },
      {
        "version": "4.27.0",
        "status": "affected",
        "lessThanOrEqual": "4.27.6M",
        "versionType": "custom"
      },
      {
        "version": "4.286.0",
        "status": "affected",
        "lessThanOrEqual": "4.26.8M",
        "versionType": "custom"
      },
      {
        "version": "4.25.0",
        "status": "affected",
        "lessThanOrEqual": "4.25.9M",
        "versionType": "custom"
      },
      {
        "version": "4.24.0",
        "status": "affected",
        "lessThanOrEqual": "4.24.10M",
        "versionType": "custom"
      }
    ]
  }
]

References

www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082

Social References

CVSS3

9.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVE-2023-24509