Date: August 15th, 2016
Revision history:
Version 1.0 (August 15th, 2016): Initial release
Version 1.1 (September 15th, 2016): Updated to include fixed software versions
Arista Products vulnerability report for security vulnerability CVE-2016-5696, released in August 2016
A problem was identified in the Linux kernel implementation of TCP: in kernel versions prior to 4.7, the rate of TCP challenge ACK segments was not properly determined. This allows an off-path attacker to reset (RST) valid connections, as well as inject data into unencrypted connections. This advisory reports the vulnerability assessment for Arista products.
CVE-2016-5696 (TCP off-path attack):
Affected Platforms: All Arista platforms
CVSS Scores: CVSS v3 Base Score: 5.9 Medium; CVSS v2 Base Score: 4.3 Medium
Resolution: Bug166604 tracks this vulnerability for EOS and CloudVision eXchange. A hotfix is available to mitigate this issue but should not be considered a full fix. A software fix is available in 4.16.8M and will be available in the next releases of the 4.15 and 4.17 EOS trains. This advisory will continue to be updated with the exact software versions once they are available.
Bug166719 tracks this vulnerability for CloudVision Portal. The complete fix will be available in version 2016.1.2.
AFFECTED EOS RELEASES:
Table-1: Affected EOS releases
This vulnerability can be exploited only if the attacker can make a legitimate TCP connection. The following recommended best practices for Arista products can help prevent this attack:
A hotfix is available for the affected EOS versions that mitigates the issue to a certain extent but should not be considered the full fix. The hotfix is a single file that can be installed on any of the affected EOS releases and is non-disruptive to traffic through the switch.
File URL: security-advisory-0023-mitigation.swix
Steps to install the hotfix:
1. Copy the hotfix file to the extension partition of the switch:
   switch#copy scp://10.10.1.1/security-advisory-0023-mitigation.swix extension:
2. Verify the SHA512 checksum of the copied file:
   switch#verify /sha512 extension:security-advisory-0023-mitigation.swix
   Verify that the checksum value returned by the above command matches the provided SHA512 checksum for the file.
3. On modular systems with dual supervisors, copy the file to the standby supervisor as well:
   switch(s1)(config)#copy extension:security-advisory-0023-mitigation.swix supervisor-peer:/mnt/flash/
   switch(s2-standby)#copy flash:security-advisory-0023-mitigation.swix extension:
4. Install the extension:
   switch#extension security-advisory-0023-mitigation.swix
   On modular systems with dual supervisors, the patch has to be installed on the active and standby supervisors:
   switch(s1)#extension security-advisory-0023-mitigation.swix
   switch(s2-standby)#extension security-advisory-0023-mitigation.swix
5. Confirm that the extension is installed (status A,I):
   sq321-22:07:53#show extensions
   Name                                     Version/Release            Status extension
   ---------------------------------------- -------------------------- ------ ---------
   security-advisory-0023-mitigation.swix   2.7.0/3431682.erahneostru  A,I    1
6. Make the extension persistent across reboots:
   switch#copy installed-extensions boot-extensions
   switch#show boot-extensions
   security-advisory-0023-mitigation.swix
   For dual supervisor systems, run the above copy command on both the active and standby supervisors:
   switch(s1)#copy installed-extensions boot-extensions
   switch(s2-standby)#copy installed-extensions boot-extensions
The patch can be uninstalled using the commands:
   switch#no extension security-advisory-0023-mitigation.swix
   switch#copy installed-extensions boot-extensions
On modular systems with dual supervisors, the above commands have to be run on both the active and standby supervisors. Before upgrading to a release with the complete fix, it is recommended to uninstall the mitigation hotfix using the above commands.
Mitigation for CloudVision Portal and CloudVision Appliance:
A script is available for the affected versions that mitigates the issue to a certain extent but should not be considered the full fix. The script is applicable to CloudVision Portal VM deployments and the CloudVision Appliance, and installing it is non-disruptive to server operations.
Steps to install the script:
1. Make the script executable:
   chmod +x security-advisory-0023-cvp-cva-mitigation.sh
2. Run the script as root:
   sudo ./security-advisory-0023-cvp-cva-mitigation.sh
   Patch applied successfully!
The script ensures that the hotfix is persistent across system reboots.
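As an added, defender-side check that is not part of this advisory or of Arista's mitigation script: the rate the CVE description refers to is governed on Linux by the net.ipv4.tcp_challenge_ack_limit sysctl, and the usual host-side mitigation is to raise it far above the pre-4.7 default of 100 per second. The script below reads that value from a Linux host (such as a CloudVision Portal VM) and reports whether it still sits at an exploitable level; whether Arista's script adjusts this knob is an assumption, and the 999999999 threshold follows common vendor guidance rather than anything stated here.

```shell
#!/bin/sh
# Added example, not Arista's mitigation script. CVE-2016-5696 relies on the
# global challenge-ACK rate limit that Linux kernels before 4.7 kept at the
# default of 100 per second (net.ipv4.tcp_challenge_ack_limit). Raising the
# limit well beyond that removes the usable side channel; this script only
# reports whether a host's current value is still in the exploitable range.
# Whether Arista's script sets this knob is an assumption.

SYSCTL_FILE=/proc/sys/net/ipv4/tcp_challenge_ack_limit
HARDENED_MIN=999999999   # threshold from common vendor guidance (assumption)

# classify_limit VALUE: prints hardened, vulnerable or invalid; always returns 0
classify_limit() {
    case "$1" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    if [ "$1" -ge "$HARDENED_MIN" ]; then
        echo hardened
    else
        echo vulnerable
    fi
}

# check_file PATH: classifies the value stored in a sysctl-style file, or
# prints missing when the file cannot be read (non-Linux host, no /proc).
check_file() {
    if [ ! -r "$1" ]; then
        echo missing
        return 0
    fi
    classify_limit "$(tr -d '[:space:]' < "$1")"
}

# Only touch /proc when explicitly asked, so the functions can be sourced
# and exercised on hosts that lack this sysctl.
if [ "${1:-}" = "--check" ]; then
    echo "$SYSCTL_FILE: $(check_file "$SYSCTL_FILE")"
fi
```

Run it as `sh check-challenge-ack.sh --check` on the host after applying the mitigation; a result of "vulnerable" means the kernel is still rate-limiting challenge ACKs at a level the attack can measure.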
For More Information:
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Open a Service Request:
By email: firstname.lastname@example.org
By telephone: 408-547-5502