Security Advisory 0037 .CSAF
Date: August 14th, 2018
Last Updated: March 25th, 2019
|1.0||August 14, 2018||Initial Release|
|1.1||March 25, 2019||Updated with Remediated versions|
The CVE-ID tracking this issue is CVE-2018-5391
CVSS v2: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
On August 14th, 2018, information was released about a denial of service vulnerability where a crafted IP fragment ordering or overlap can allow an attacker to consume much more memory than defined in the Linux kernel settings.
Arista EOS, vEOS, CloudVision Portal, and CloudVision Appliance are affected products. Affected versions, mitigation, and resolution are documented in the following sections.
Vulnerability Assessment for EOS and vEOS Router:
Affected EOS versions:
EOS releases with Linux kernel version 3.18 are susceptible to this vulnerability. Affected releases are listed below. The release trains prior to EOS-4.20 run version 3.4 of the Linux kernel which is not vulnerable to this CVE.
This vulnerability is in the Linux kernel and hence affects all platforms running the affected EOS releases.
Affected vEOS Router versions:
Symptoms of the exploit are similar to that of high memory consumption on a device. As a result of the increased memory consumption, the system exhibits symptoms that may include alerts for high memory utilization on monitoring tools, an Out Of Memory (OOM) condition on the system resulting in EOS agents restarts as they are unable to reserve sufficient memory.
The following symptoms are a result of high memory usage in EOS:
- High memory usage (show proc top memory)
- Restart of agents consuming high memory (show logging system)
- OOM condition for agents unable to reserve memory for functioning (show logging all)
- Packet forwarding issues and/or network protocols being impacted, depending on the memory lock-up and memory requirement of the device
Typically, a system running EOS is not expected to receive a large number of IP fragments. As a result a major symptom would be any system receiving lots of fragments (unless TCP/UDP MTU discovery is disabled or broken somewhere in the network).
The number of IP fragments received by the kernel can be retrieved, per VRF, using the command: show kernel ip counters| grep 'reassemblies required’
It is recommended to install this patch on affected versions of EOS/vEOS to safeguard against this vulnerability.
Patch file download URL: SecurityAdvisory0037Hotfix.swix
sha256 sum is:
- This hotfix is version agnostic (i.e. can be installed on any affected version)
- The patch installation is hitless and a reload of the switch is not required for the patch to take effect
Instructions to install the patch:
- Download the patch file and copy the file to the extension partition of the switch using one of the supported file transfer protocols:
switch#copy scp://10.10.0.1/SecurityAdvisory0037Hotfix.swix extension: switch#verify /sha256 extension:SecurityAdvisory0037Hotfix.swix
- Verify that the checksum value returned by the above command matches the provided SHA256 checksum for the file
- Install the patch using the extension command. The patch takes effect immediately at the time of installation.
- Verify that the patch is installed using the following commands:
switch#show extensions Name Version/Release Status Extension ---------------------- -------------------- ----------- --------- SecurityAdvisory0037Hotfix.swix 1.0.0/eng A, I 1
- Make the patch persistent across reloads. This ensures that the patch is installed as part of the boot-sequence. The patch will not install on EOS versions with the security fix.
switch#copy installed-extensions boot-extensions switch#show boot-extensions SecurityAdvisory0037Hotfix.swix
- For dual supervisor systems run the above copy command on both active and standby supervisors:
switch(s1)#copy installed-extensions boot-extensions switch(s2-standby)#copy installed-extensions boot-extensionsAdditionally, it is always recommended to follow security best practices to protect the control plane by using access lists to restrict access to trusted hosts.
Bug 280955 tracks this vulnerability for EOS and vEOS. The fix for CVE-2018-5391 is available EOS versions 18.104.22.168F, 4.20.9M, 4.21.1F and later releases.
Please install the provided hotfix as a mitigation until the remediated versions are available.
Vulnerability assessment for CloudVision Portal
Affected CloudVision Portal versions:
|All shipping versions of CloudVision Appliance are affected (1.0.0, 1.2.0, 2.0.0)|
Symptoms of the exploit are similar to that of high memory consumption. Alerts for low available memory and process restarts may be observed as a result of OOM (Out of Memory) condition. This may also manifest as sluggish or slow response from the user interface while using CloudVision Portal.
Follow best practices to ensure that the application or host is not accessible over the internet and access is restricted to a trusted set of IP addresses or a subnet. Monitor memory usage of the Operating System hosting the CloudVision Portal. Recommendation is to upgrade to the remediated version of CVP.
Bug 282178 tracks this issue for CloudVision Portal. The fix will be available in the following version of CloudVision Portal:
More information on CVE-2018-5391 can be found here:
For More Information:
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Open a Service Request:
By telephone: 408-547-5502