Bug280955

Security Advisory 0037 Security Advisory Security Advisory 0037 draft 1.0 1 2018-08-14T12:00:00+00:00 Initial Release 2018-08-14T12:00:00+00:00 2018-08-14T12:00:00+00:00 Arista CVRF Generator 2018-10-15T13:42:09 EOS-4.20.5.1F EOS-4.20.0 EOS-4.20.1 EOS-4.20.2 EOS-4.20.2.1 EOS-4.20.3 EOS-4.20.4 EOS-4.20.4.1 EOS-4.20.5 EOS-4.20.5.2 EOS-4.20.6 EOS-4.20.7 EOS-4.20.8 EOS-4.21.0 CVRF-CVP-2016.1.1 CVRF-CVP-2016.1.0 CVRF-CVP-2015.1.2 CVRF-CVP-2015.1.1 CVRF-CVP-2016.1.2 CVRF-CVP-2016.1.2.1 CVRF-CVP-2016.1.2.3 CVRF-CVP-2017.1.0 CVRF-CVP-2017.1.0.1 CVRF-CVP-2017.1.1 CVRF-CVP-2017.1.1.1 CVRF-CVP-2017.2.0 CVRF-CVP-2017.2.1 CVRF-CVP-2017.2.2 CVRF-CVP-2017.2.3 CVRF-CVP-2018.1.0 CVRF-CVP-2018.1.1 CVRF-CVP-2018.1.2 CVRF-CVP-2018.1.2.1 EOS-4.20.6FX-Virtual-Router EOS-4.20.5F-Virtual-Router EOS-4.20.1FX-Virtual-Router Bug280955 Bug280955 2018-08-14T12:00:00+00:00 2018-08-14T12:00:00+00:00 CVE-2018-5391 EOS-4.20.5.1F EOS-4.20.0 EOS-4.20.1 EOS-4.20.2 EOS-4.20.2.1 EOS-4.20.3 EOS-4.20.4 EOS-4.20.4.1 EOS-4.20.5 EOS-4.20.5.2 EOS-4.20.6 EOS-4.20.7 EOS-4.20.8 EOS-4.21.0 EOS-4.20.6FX-Virtual-Router EOS-4.20.5F-Virtual-Router EOS-4.20.1FX-Virtual-Router 2018-08-14T12:00:00+00:00 Symptoms of the exploit are similar to that of high memory consumption on a device. As a result of the increased memory consumption, the system exhibits symptoms that may include alerts for high memory utilization on monitoring tools, an Out Of Memory (OOM) condition on the system resulting in EOS agents restarts as they are unable to reserve sufficient memory. The following symptoms are a result of high memory usage in EOS: High memory usage (show proc top memory) Restart of agents consuming high memory (show logging system) OOM condition for agents unable to reserve memory for functioning (show logging all) Packet forwarding issues and/or network protocols being impacted, depending on the memory lock-up and memory requirement of the device Typically, a system running EOS is not expected to receive a large number of IP fragments. As a result a major symptom would be any system receiving lots of fragments (unless TCP/UDP MTU discovery is disabled or broken somewhere in the network). The number of IP fragments received by the kernel can be retrieved, per VRF, using the command: show kernel ip counters| grep 'reassemblies required’ 2 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C 2018-08-14T12:00:00+00:00 It is recommended to install this patch on affected versions of EOS/vEOS to safeguard against this vulnerability. Patch file download URL: http://www.arista.com/assets/data/SecurityAdvisories/SA37/SecurityAdvisory0037Hotfix.swixsha256 sum is: f3e2c489bcb78f5a5f0afc79ffd8e851064083d6aeaf8b82b24ecfec7d0d15e6 sha512sum is: 5a629438fd9988bb2ad8ece630355a033997200febf723ab531825f33b355c647b14957983fda91a131c6dc1d31f78fc0bee8fb092e6d17d6c9036921f7e6849 Note: This hotfix is version agnostic (i.e. can be installed on any affected version) The patch installation is hitless and a reload of the switch is not required for the patch to take effect Instructions to install the patch: Download the patch file and copy the file to the extension partition of the switch using one of the supported file transfer protocols: switch#copy scp://10.10.0.1/SecurityAdvisory0037Hotfix.swix extension: switch#verify /sha256 extension:SecurityAdvisory0037Hotfix.swix Verify that the checksum value returned by the above command matches the provided SHA256 checksum for the file Install the patch using the extension command. The patch takes effect immediately at the time of installation. switch#extension SecurityAdvisory0037Hotfix.swix Verify that the patch is installed using the following commands: switch#show extensions Name Version/Release Status Extension ---------------------- -------------------- ----------- --------- SecurityAdvisory0037Hotfix.swix 1.0.0/eng A, I 1 Make the patch persistent across reloads. This ensures that the patch is installed as part of the boot-sequence. The patch will not install on EOS versions with the security fix. switch#copy installed-extensions boot-extensions switch#show boot-extensions SecurityAdvisory0037Hotfix.swix For dual supervisor systems run the above copy command on both active and standby supervisors: switch(s1)#copy installed-extensions boot-extensions switch(s2-standby)#copy installed-extensions boot-extensions Additionally, it is always recommended to follow security best practices to protect the control plane by using access lists to restrict access to trusted hosts. http://www.arista.com/assets/data/SecurityAdvisories/SA37/SecurityAdvisory0037Hotfix.swix 2018-08-14T12:00:00+00:00 Bug 280955 tracks this vulnerability for EOS and vEOS. The fix for CVE-2018-5391 will be available in an upcoming release, and this advisory will be updated with the remediated EOS versions. Please install the provided hotfix as a mitigation until the remediated versions are available. https://www.kb.cert.org/vuls/id/641765 More information on CVE-2018-5391 can be found here: https://www.kb.cert.org/vuls/id/641765 Bug282178 Bug282178 2018-08-14T12:00:00+00:00 2018-08-14T12:00:00+00:00 CVE-2018-5391 CVRF-CVP-2016.1.1 CVRF-CVP-2016.1.0 CVRF-CVP-2015.1.2 CVRF-CVP-2015.1.1 CVRF-CVP-2016.1.2 CVRF-CVP-2016.1.2.1 CVRF-CVP-2016.1.2.3 CVRF-CVP-2017.1.0 CVRF-CVP-2017.1.0.1 CVRF-CVP-2017.1.1 CVRF-CVP-2017.1.1.1 CVRF-CVP-2017.2.0 CVRF-CVP-2017.2.1 CVRF-CVP-2017.2.2 CVRF-CVP-2017.2.3 CVRF-CVP-2018.1.0 CVRF-CVP-2018.1.1 CVRF-CVP-2018.1.2 CVRF-CVP-2018.1.2.1 2018-08-14T12:00:00+00:00 Symptoms of the exploit are similar to that of high memory consumption. Alerts for low available memory and process restarts may be observed as a result of OOM (Out of Memory) condition. This may also manifest as sluggish or slow response from the user interface while using CloudVision Portal. 2 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C 2018-08-14T12:00:00+00:00 Follow best practices to ensure that the application or host is not accessible over the internet and access is restricted to a trusted set of IP addresses or a subnet. Monitor memory usage of the Operating System hosting the CloudVision Portal. Recommendation is to upgrade to the remediated version of CVP. 2018-08-14T12:00:00+00:00 The fix will be available in the following version of CloudVision Portal: CloudVisionPortal-2018.2.0 https://www.kb.cert.org/vuls/id/641765 More information on CVE-2018-5391 can be found here: https://www.kb.cert.org/vuls/id/641765 Copyright @ 2018 Arista Networks, Inc. All rights reserved.