Security Advisory 0029
Date: May 15th, 2017
Revision 1.0, May 15th, 2017: Initial release
Affected Platforms: All EOS platforms
Affected Software Version: All EOS releases prior to 4.18.1F. The list of affected releases is documented in Table-2.
The CVE-ID tracking this issue is CVE-2017-8231
CVSS v2: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CVSS v3: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Impact: This advisory documents a security vulnerability that affects Arista products. The switch's Rib agent can restart when processing an MPBGP update that carries a malformed value for a certain attribute. Such MPBGP updates are not expected in typical production environments; they have to be deliberately crafted with the malformed values and sent by a malicious BGP speaker.
Bug188148 and Bug190872 track the two potential crashes that this vulnerability can cause.
It is recommended to configure static BGP neighbors with strong BGP authentication keys so that unauthorized BGP peers cannot establish sessions and send malformed BGP packets.
Bug188148 and Bug190872 are fixed in SW version 4.18.1.
NOTE: This vulnerability was identified internally by Arista Networks and Arista has not received evidence of this being exploited, as of the date of this update.
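The mitigation above, shown as an EOS configuration fragment. This is an added example and not configuration from the advisory itself; the AS numbers, the neighbor address 192.0.2.1 (documentation range) and the key value are constructed placeholders, and the ACL restricting inbound TCP/179 to the known peer is an additional hardening step assumed here, not a recommendation taken from the page.

```text
! Statically defined BGP neighbor with an MD5 authentication key.
! A peer that does not present the matching key cannot complete the
! TCP handshake, so its UPDATE messages never reach the Rib agent.
router bgp 65000
   neighbor 192.0.2.1 remote-as 65001
   neighbor 192.0.2.1 description upstream-peer          ! placeholder
   neighbor 192.0.2.1 password 0 REPLACE-WITH-STRONG-KEY  ! placeholder key
!
! Optional (assumption, not from the advisory): only accept BGP (TCP/179)
! from the configured peer on the peering interface.
ip access-list bgp-peers-only
   10 permit tcp host 192.0.2.1 any eq bgp
   20 deny tcp any any eq bgp
   30 permit ip any any
!
interface Ethernet1
   ip access-group bgp-peers-only in
```

After applying the configuration, confirm that only the intended sessions are established with `show ip bgp summary`, and check the running release with `show version` against the fixed version listed in this advisory.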
AFFECTED EOS RELEASES:
Table-2: Affected EOS releases
Release trains: 4.18, 4.17, 4.16, 4.15, and older release trains
Older release trains:
  All releases in 4.14
  All releases in 4.13
  All releases in 4.12
  All releases in 4.11
  All releases in 4.10
  All releases in 4.9
  All releases in 4.8
  All releases in 4.7
  All releases in 4.6
  All releases in 4.5
  All release trains older than 4.5
For More Information:
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Open a Service Request:
By telephone: 408-547-5502