{
  "document": {
    "category": "security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "publisher": {
      "category": "vendor",
      "contact_details": "support@arista.com",
      "name": "Arista PSIRT",
      "namespace": "https://www.arista.com"
    },
    "title": "Security Advisory 89",
    "tracking": {
      "current_release_date": "2023-08-17T16:21:55Z",
      "generator": {
        "engine": {
          "name": "Arista Networks SecEng Service CSAF Generator"
        }
      },
      "id": "Arista Networks Security Advisory 89",
      "initial_release_date": "2023-08-17T16:21:55Z",
      "revision_history": [
        {
          "date": "2023-08-17T16:21:55Z",
          "number": "1",
          "summary": "Document created"
        }
      ],
      "status": "draft",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version",
                    "name": "EOS version 4.25.1",
                    "product": {
                      "name": "EOS version 4.25.1",
                      "product_id": "CSAFPID-1"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "EOS version 4.22.1",
                    "product": {
                      "name": "EOS version 4.22.1",
                      "product_id": "CSAFPID-0"
                    }
                  }
                ],
                "category": "product_name",
                "name": "EOS"
              }
            ],
            "category": "product_family",
            "name": "Software Products"
          }
        ],
        "category": "vendor",
        "name": "Arista Networks, Inc."
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-24548",
      "id": {
        "system_name": "Arista Bug ID",
        "text": "828687"
      },
      "notes": [
        {
          "category": "description",
          "text": "On affected platforms running Arista EOS with VXLAN configured, malformed or truncated packets received over a VXLAN tunnel and forwarded in hardware can cause egress ports to be unable to forward packets.",
          "title": "CVE Description"
        },
        {
          "category": "other",
          "text": "In order to be vulnerable to CVE-2023-24548, the following three conditions must be met:\n\nIP routing should be enabled:\n\nSwitch> show running-config section ip routing\nip routing\n\n\nAND\n\nVXLAN should be configured - a sample configuration is found below:\n\n# Loopback interface configuration\nswitch> show running-config section loopback\ninterface Loopback0\n   ip address 10.0.0.1/32\n\n# VXLAN VTEP configuration\nswitch> show running-config section vxlan\ninterface Vxlan1\n   vxlan source-interface Loopback0\n   vxlan udp-port 4789\n   vxlan flood vtep 10.0.0.2\n\n\nAND\n\nVXLAN extended VLAN or VNI must be routable - two examples are shown below:\n\n# Overlay interface\nswitch> show running-config section vlan\nvlan 100\ninterface Ethernet1/1\n   switchport access vlan 100\ninterface Vlan100\n   ip address 1.0.0.1/24\n\nInterface Vxlan1\n  vxlan vlan 100 vni 100000\n\n\nSwitch> show running-config section red\nvrf instance red\nip routing vrf red\n\ninterface Vxlan1\n   vxlan vrf red vni 200000\n\n\n\nWhether such a configuration exists can be checked as follows:\n\nswitch> show vxlan vni\nVNI to VLAN Mapping for Vxlan1\nVNI          VLAN       Source       Interface         802.1Q Tag\n------------ ---------- ------------ ----------------- ----------\n100000       100        static       Ethernet1/1       untagged\n                                     Vxlan1            100\n\nVNI to dynamic VLAN Mapping for Vxlan1\nVNI          VLAN       VRF       Source\n------------ ---------- --------- ------------\n200000       1006       red       evpn\n\n\nswitch> show vlan\nVLAN  Name                             Status    Ports\n----- -------------------------------- --------- -------------------------------\n100   VLAN0100                         active    Cpu, Vx1\n1006* VLAN1006                         active    Cpu, Vx1\n\n\nswitch> show ip interface brief\n                                                                               Address\nInterface         IP Address            Status       Protocol            MTU    Owner\n----------------- --------------------- ------------ -------------- ----------- -------\nVlan100           1.0.0.1/24            up           up                 1500\nVlan1006          unassigned            up           up                10168\n\n\nFrom the above outputs, it can be seen that IP routing is enabled, VXLAN is configured, and VNIs 100000 (mapped to VLAN 100) and 200000 (mapped to VRF red) are routable.\n\nIndicators of Compromise\n\nThis vulnerability causes egress ports to stop passing traffic. An indication of this issue is that the interface counters for the impacted egress interfaces no longer increment even though packets are being forwarded to those ports.\n\nswitch > show interfaces counters | nz\nPort                          OutOctets    OutUcastPkts    OutMcastPkts    OutBcastPkts\nEt8/1                            139851               0            1137               0\n\n\nThe DeqDeletePktCnt counter will also increase in the output of show hardware counter drop.\n\nswitch > show hardware counter drop | nz\nSummary:\nTotal Adverse (A) Drops: 2033\nTotal Packet Processor (P) Drops: 0\nType  Chip         CounterName                    :           Count : First Occurrence    : Last Occurrence\n--------------------------------------------------------------------------------------------------------------\nA     Fap0         DeqDeletePktCnt                :            2033 : 2023-04-05 10:09:17 : 2023-04-05 10:10:51              \n\n\nIn addition, protocols that establish neighbor relationships over the affected port are likely to be impacted.\n",
          "title": "828687: Required Config for Exploitation"
        }
      ],
      "product_status": {
        "first_affected": [
          "CSAFPID-0"
        ],
        "fixed": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "MITRE details",
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24548"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Fixed in EOS version 4.25.1",
          "product_ids": [
            "CSAFPID-1"
          ]
        },
        {
          "category": "none_available",
          "details": "Not fixed in EOS version 4.22.1",
          "product_ids": [
            "CSAFPID-0"
          ]
        },
        {
          "category": "mitigation",
          "details": "There is no known mitigation for the issue. The recommended resolution is to upgrade to a remediated software version at your earliest convenience."
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-0"
          ]
        }
      ],
      "title": "CVE-2023-24548"
    }
  ]
}