Security Advisory 0061
Date: January 19th, 2021
| Revision | Date | Description |
|---|---|---|
| 1.0 | January 19th, 2021 | Initial Release |
The CVE-IDs tracking this issue are: CVE-2020-25684, CVE-2020-25685, CVE-2020-25686
CVSSv3.1 scores and vectors are as follows:
- CVE-2020-25684: 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
- CVE-2020-25685: 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
- CVE-2020-25686: 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
This advisory documents the impact of a vulnerability in Arista’s EOS software. Affected software releases are listed below.
Several issues in dnsmasq may allow an attacker to poison the DNS cache. The impact is that other clients querying the EOS switch as a DNS server would receive invalid DNS records. This requires an optional EOS configuration that allows the switch to be used as a DNS server. This issue is also known as “DNSPooq” or “ICS-VU-668462” in other sources.
This is an externally found vulnerability and is released as part of a coordinated effort with CERT and dnsmasq.
- 4.25.1F and below releases in the 4.25.x train
- 220.127.116.11M and below releases in the 4.24.x train
- 4.23.6M and below releases in the 4.23.x train
- 18.104.22.168F and below releases in the 4.22.x train
- 4.21.13M and below releases in the 4.21.x train
This vulnerability affects all EOS products including the 7xxx and 7xx Series switches and routers, and all CloudEOS packaging options.
The following products are not affected *:
- Arista 7130 Systems running MOS
- Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
- Arista Wireless Access Points
- CloudVision WiFi (on-premise and cloud service delivery)
- CloudVision Portal, virtual appliance or physical appliance
- CloudVision eXchange, virtual appliance or physical appliance
- CloudVision as-a-Service
* Please note that some Arista products allow customization of native Linux features beyond the scope of typical product usage. We recommend checking these systems to ensure DNS Proxy is not enabled.
In order to be vulnerable, the EOS device must be acting as a DNS server accessible to external devices. This is controlled by the “ip domain proxy” CLI command. This command must be enabled for the device to be vulnerable.
If the device is vulnerable, the DNS answers it serves may differ from the intended upstream records. The only way to determine this is to query for the records using a validation tool and check that they have not been altered from their origin records.
If an EOS upgrade to the remediated version is not feasible, a hotfix patch is available as mitigation against this vulnerability.
The patch can be installed as an EOS extension and is applicable across all affected EOS versions. Installing the patch is briefly disruptive to DNS queries (less than 5 seconds), both externally to the switch and for internal switch services. Installing the patch is non-disruptive to non-DNS control plane traffic and to data plane traffic.
For instructions on installation and verification of the hotfix patch, refer to this section in the EOS User Manual: https://www.arista.com/en/um-eos/eos-section-6-6-managing-eos-extensions. Ensure that the patch is made persistent across reboots by running the command ‘copy installed-extensions boot-extensions’.
- Patch file download URL: SecurityAdvisory0061Hotfix.swix
- Sha512sum: f8ddd62583251f9e2863086f188acfd7a729cca4cab91b650ba77b8281e7b353d582cab58ce593f90d4653b356a51aeafe8610e0741bb536b15c634d3f430da0
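The three checks described above (whether `ip domain proxy` is configured, whether answers from the switch match the origin records, and whether the downloaded hotfix matches the published sha512sum) as one added example. This is not Arista's code; the running-config excerpt and resolver answers are constructed samples, and the hostnames and addresses are documentation values.

```python
"""Added example (not Arista's code): defender-side checks derived from
Security Advisory 0061. All inputs below are constructed samples."""
import hashlib
import re

# sha512sum published in the advisory for SecurityAdvisory0061Hotfix.swix.
HOTFIX_SHA512 = ("f8ddd62583251f9e2863086f188acfd7a729cca4cab91b650ba77b8281e7b353"
                 "d582cab58ce593f90d4653b356a51aeafe8610e0741bb536b15c634d3f430da0")


def dns_proxy_enabled(running_config: str) -> bool:
    """True if an 'ip domain proxy' line is present, which is the precondition
    for exposure. A 'no ip domain proxy' line does not match."""
    return any(re.match(r"^\s*ip domain proxy\b", ln) for ln in running_config.splitlines())


def hotfix_hash_ok(swix_bytes: bytes) -> bool:
    """Compare a downloaded extension file against the advisory's sha512sum."""
    return hashlib.sha512(swix_bytes).hexdigest() == HOTFIX_SHA512


def poisoned_names(switch_answers: dict, upstream_answers: dict) -> list:
    """Names whose records served by the switch differ from the origin records.
    Each mapping is name -> set of answer strings as returned by a resolver."""
    return sorted(name for name, records in upstream_answers.items()
                  if switch_answers.get(name, set()) != records)


# Constructed running-config excerpt (assumed EOS syntax).
SAMPLE_CONFIG = """!
ip domain-name example.net
ip name-server vrf default 192.0.2.53
ip domain proxy
!
"""
# Constructed answers: what the origin resolver returns vs. what the switch served.
UPSTREAM = {"www.example.net": {"192.0.2.10"}, "mail.example.net": {"192.0.2.25"}}
FROM_SWITCH = {"www.example.net": {"192.0.2.10"}, "mail.example.net": {"198.51.100.99"}}

if __name__ == "__main__":
    print("DNS proxy enabled:", dns_proxy_enabled(SAMPLE_CONFIG))
    print("Names with altered records:", poisoned_names(FROM_SWITCH, UPSTREAM))
    print("Hotfix hash matches sample bytes:", hotfix_hash_ok(b"not the real swix"))
```

In practice, feed `show running-config` output, the `.swix` bytes, and answers gathered with any DNS lookup tool from both the switch and the upstream resolver.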
This vulnerability is tracked by Bug 547813. The recommended resolution is to upgrade to a remediated EOS version.
The vulnerability is not currently fixed in any released versions of EOS. As new versions of EOS come out with the fix, a list will be updated below with those release numbers. Fixes will arrive in the 4.21, 4.22, 4.23, 4.24, and 4.25 release trains.
For More Information
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Open a Service Request:
Please visit https://www.arista.com/en/support/customer-support for up to date information on how to open a service request via email or telephone.