Security Advisory 0007
Date: October 20th 2014
Revision | Date | Changes |
---|---|---|
1.0 | October 20th 2014 | Initial release |
SSLv3 is vulnerable to potential man in the middle attacks (CVE-2014-3566)
On October 14th, Arista became aware of a vulnerability in the Secure Sockets Layer version 3 (SSLv3) protocol which has been assigned CVE-2014-3566 and commonly referred to as “POODLE”. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt cipher text using a padding oracle side-channel attack. More details are available in the public advisory.
Current clients negotiate TLS by default, but they may fall back to SSLv3 if the negotiation to use TLS has failed. An attacker performing an MITM attack could trigger a protocol downgrade to SSLv3 and by exploiting this vulnerability decrypt a subset of the communication.
This affects the versions of SSLv3 protocol that was used in EOS version 4.12.0 through 4.12.7.1 and 4.13.0 through 4.13.6. Other versions of EOS are not affected. Additionally this vulnerability only affects systems with Arista eAPI enabled with https transport.
Exploiting this vulnerability is not easily accomplished. Man-in-the-middle attacks require large amounts of time and resources. While the likelihood is low, Arista recommends implementing only TLS to avoid flaws in SSL. The latest releases of EOS include patches for this vulnerability. A software patch (RPM extension) is available that addresses the vulnerability for releases that are affected as below:
Releases affected | Releases not affected | Releases fixed |
---|---|---|
4.12.0 through 4.12.7.1 | 4.10.x all releases | 4.12.8 or later |
4.13.0 through 4.13.6 | 4.11.x all releases | 4.13.7 or later |
Earlier releases are unaffected | 4.14.0 or later |
BugID 83779 addresses the issue.
All models of the Arista 7000 Series of fixed and modular systems are affected.
Workaround:
To mitigate this issue customers should ensure servers are running remediated versions of OpenSSL or alternate SSL solutions. In addition until switches are running the remediated version of EOS, eAPI can be temporarily disabled.
Verification:
To determine if the version of EOS is vulnerable use the following steps. Access the bash prompt:
switch# bash
-bash-4.1#
Copy and paste the following script:
echo | timeout 3 openssl s_client -connect 127.0.0.1:443 >/dev/null 2>&1; if [[ $? != 0 ]]; then echo "UNKNOWN: 127.0.0.1 timeout or connection error"; else echo | openssl s_client -connect 127.0.0.1:443 -ssl3 2>&1 | grep -qo "sslv3 alert handshake failure" && echo "OK: 127.0.0.1 Not vulnerable" || echo "FAIL: 127.0.0.1 vulnerable; sslv3 connection accepted"; fi
If the output of the above command contains
“OK: 127.0.0.1 Not vulnerable”
then your system is not vulnerable.
If the output of the above command contains
“FAIL: 127.0.0.1 vulnerable; sslv3 connection accepted”
then your system is vulnerable.
If you receive
“UNKNOWN: 127.0.0.1 timeout or connection error"
then eAPI is not running or is running on a non-default port. If eAPI is running with a non- default port number modify the script replacing 443 with the port number in use.
Resolution:
The resolution to this issue is through upgrading to a version of EOS that already contains the resolution or through the installation of a patch.
Download URL for patch: secAdvisory0007.swix
Instructions to install the patch for Security Advisory 0007
The extension is applicable for EOS versions 4.12.0 - 4.12.7.1, 4.13.0 - 4.13.6 inclusive.
Step 1. Copy the file secAdvisory0007.swix to the extension partition of the Arista switch using any of the supported file transfer protocols:
switch#copy scp://This email address is being protected from spambots. You need JavaScript enabled to view it./home/arista/secAdvisory0007.swix extension:
Step 2. Ensure that the file has been copied to the extensions partition and verify the checksum of the copied file:
switch#show extensions
To verify the extension, compare the following sha512 or md5 checksum with the output of the verify command:
sha512sum: 59d3eac06ad9670b94431d569e100165d6d831c0c92dbe72130db7ab81b24e25a68c2af277de5386724405dd9d79e168c9156b4cc6a532fecabf18caf7548160
md5sum:
3cca393084e6d51e794f04d65f23c389
verify commands:
switch#verify /sha512 extension:secAdvisory0007.swix verify /sha512 (extension:secAdvisory0007.swix) = 59d3eac06ad9670b94431d569e100165d6d831c0c92dbe72130db7ab81b24e25a68c2af277de5386724405dd9d79e168c9156b4cc6a532fecabf18caf7548160
switch#verify /md5 extension:secAdvisory0007.swix verify /md5 (extension:secAdvisory0007.swix) = 3cca393084e6d51e794f04d65f23c389
Step 3. The patch is installed as an extension, and upon installation into a live system will automatically install with the following behavior:
switch#extension secAdvisory0007.swix
All modular switches with dual supervisors require the extension copying and installing on both supervisors.
Verify that the extension has been installed:
switch#show extensions
Step 4. Post installation, eAPI will be restarted and will be unavailable for a few seconds, and all existing connections will be dropped.
Step 5. Make the extension persist across reboots:
switch#copy installed-extensions boot-extensions
Copy completed successfully.
switch#show boot-extensions
secAdvisory0007.swix
Verification of the fix after resolution:
switch# bash
-bash-4.1#
Paste the following script
echo | timeout 3 openssl s_client -connect 127.0.0.1:443 >/dev/null 2>&1; if [[ $? != 0 ]]; then echo "UNKNOWN: 127.0.0.1 timeout or connection error"; else echo | openssl s_client -connect 127.0.0.1:443 -ssl3 2>&1 | grep -qo "sslv3 alert handshake failure" && echo "OK: 127.0.0.1 Not vulnerable" || echo "FAIL: 127.0.0.1 vulnerable; sslv3 connection accepted"; fi
The following is the expected output:
OK: 127.0.0.1 Not vulnerable
This will only succeed if eAPI is enabled with protocol https enabled.
Note:
- Attempting to install the patch to a system that has the patch applied, is not affected or is not running eAPI does not cause any system impact.
- Upgrading the EOS version to a fixed version will result in the patch not being installed, as the system will correctly determine that the patch is not required.
Arista Networks PSIRT team monitors industry-wide vulnerability reporting and is committed to addressing any additional potential threats.
References:
For More Information on Vulnerability please visit:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
For More Information:
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Open a Service Request:
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502
866-476-0000