
2 vulnerabilities found for EOS - BGP Flowspec by Arista Networks

CVE-2024-6437 (GCVE-0-2024-6437)

Vulnerability from cvelistv5 – Published: 2025-01-10 20:06 – Updated: 2025-01-10 21:12
Title
On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options ma
Summary
On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature's set nexthop action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination.
CWE
  • cwe-1220
Assigner
Impacted products
Vendor: Arista Networks
Product: EOS-Policy Based Routing (PBR)
  • Affected: 4.32.0F, ≤ 4.32.1F (custom)
  • Affected: 4.31.0M, ≤ 4.31.4M (custom)
  • Affected: 4.30.0M, ≤ 4.30.7M (custom)
  • Affected: 4.29.0M, ≤ 4.29.9M (custom)
  • Affected: 4.28.0M, ≤ 4.28.11M (custom)
  • Affected: 4.27.0M, ≤ 4.27.12M (custom)
  • Affected: 4.26.0M, ≤ 4.26.14M (custom)
  • Affected: 4.25.0M, ≤ 4.25.11M (custom)
  • Affected: 4.24.0M, ≤ 4.24.11M (custom)
  • Affected: 4.23.0M, ≤ 4.23.15M (custom)
  • Affected: 4.22.0M, ≤ 4.22.13M (custom)
  • Affected: 4.21.0M, ≤ 4.21.15M (custom)

Vendor: Arista Networks
Product: EOS - BGP Flowspec
  • Affected: 4.32.0F, ≤ 4.32.1F (custom)
  • Affected: 4.31.0M, ≤ 4.31.4M (custom)
  • Affected: 4.30.0M, ≤ 4.30.7M (custom)
  • Affected: 4.29.0M, ≤ 4.29.9M (custom)
  • Affected: 4.28.0M, ≤ 4.28.11M (custom)
  • Affected: 4.27.0M, ≤ 4.27.12M (custom)
  • Affected: 4.26.0M, ≤ 4.26.14M (custom)
  • Affected: 4.25.0M, ≤ 4.25.11M (custom)
  • Affected: 4.24.0M, ≤ 4.24.11M (custom)
  • Affected: 4.23.0M, ≤ 4.23.15M (custom)
  • Affected: 4.22.0M, ≤ 4.22.13M (custom)
  • Affected: 4.21.3F, ≤ 4.21.15M (custom)

Vendor: Arista Networks
Product: EOS - Interface Traffic Policy
  • Affected: 4.32.0F, ≤ 4.32.1F (custom)
  • Affected: 4.31.0M, ≤ 4.31.4M (custom)
  • Affected: 4.30.0M, ≤ 4.30.7M (custom)
  • Affected: 4.29.0M, ≤ 4.29.9M (custom)
  • Affected: 4.28.0M, ≤ 4.28.11M (custom)
  • Affected: 4.27.2F, ≤ 4.27.12F (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6437",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-10T21:12:08.840985Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-10T21:12:37.972Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EOS-Policy Based Routing (PBR)",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "4.32.1F",
              "status": "affected",
              "version": "4.32.0F",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.4M",
              "status": "affected",
              "version": "4.31.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.30.7M",
              "status": "affected",
              "version": "4.30.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.29.9M",
              "status": "affected",
              "version": "4.29.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.28.11M",
              "status": "affected",
              "version": "4.28.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.27.12M",
              "status": "affected",
              "version": "4.27.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.26.14M",
              "status": "affected",
              "version": "4.26.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.25.11M",
              "status": "affected",
              "version": "4.25.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.24.11M",
              "status": "affected",
              "version": "4.24.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.23.15M",
              "status": "affected",
              "version": "4.23.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.22.13M",
              "status": "affected",
              "version": "4.22.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.21.15M",
              "status": "affected",
              "version": "4.21.0M",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EOS - BGP Flowspec",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "4.32.1F",
              "status": "affected",
              "version": "4.32.0F",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.4M",
              "status": "affected",
              "version": "4.31.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.30.7M",
              "status": "affected",
              "version": "4.30.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.29.9M",
              "status": "affected",
              "version": "4.29.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.28.11M",
              "status": "affected",
              "version": "4.28.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.27.12M",
              "status": "affected",
              "version": "4.27.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.26.14M",
              "status": "affected",
              "version": "4.26.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.25.11M",
              "status": "affected",
              "version": "4.25.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.24.11M",
              "status": "affected",
              "version": "4.24.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.23.15M",
              "status": "affected",
              "version": "4.23.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.22.13M",
              "status": "affected",
              "version": "4.22.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.21.15M",
              "status": "affected",
              "version": "4.21.3F",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EOS - Interface Traffic Policy",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "4.32.1F",
              "status": "affected",
              "version": "4.32.0F",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.4M",
              "status": "affected",
              "version": "4.31.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.30.7M",
              "status": "affected",
              "version": "4.30.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.29.9M",
              "status": "affected",
              "version": "4.29.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.28.11M",
              "status": "affected",
              "version": "4.28.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.27.12F",
              "status": "affected",
              "version": "4.27.2F",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-6437, \u003cb\u003eone\u003c/b\u003e\u0026nbsp;of the following \u003cb\u003ethree\u003c/b\u003e\u0026nbsp;conditions must be met:\u003c/p\u003e\u003ch4\u003ePolicy Based Routing (PBR)\u003c/h4\u003e\u003cp\u003e\u003cb\u003e(1)\u003c/b\u003e\u0026nbsp;A PBR policy must be configured with a rule which redirects to a next hop or set of next hops.\u003c/p\u003e\u003cpre\u003eswitch(config)#show policy-map type pbr\nService policy pmap1\n\u0026nbsp; Configured on: Ethernet20/1\n\u0026nbsp; Applied on:  \u0026nbsp; Ethernet20/1\n\u0026nbsp; 10: Single match statement\n\u0026nbsp; \u0026nbsp; Match:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0 permit ip any host 10.2.1.1\n\u0026nbsp; \u0026nbsp; Configured actions: set nexthop 10.20.1.1\n\u0026nbsp; \u0026nbsp; Active routing action:\n\u0026nbsp; \u0026nbsp; VRF default\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Route to nexthop 10.20.1.1 default\n\u0026nbsp; 20: Single match statement\n\u0026nbsp; \u0026nbsp; Match:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0 permit ip any host 10.3.1.1\n\u0026nbsp; \u0026nbsp; Configured actions: set nexthop 10.20.2.1\n\u0026nbsp; \u0026nbsp; Active routing action:\n\u0026nbsp; \u0026nbsp; VRF default\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Route to nexthop 10.20.2.1 default\n\u0026nbsp; 30: Single match statement\n\u0026nbsp; \u0026nbsp; Match:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0 permit ip 10.50.1.0/24 any\n\u0026nbsp; \u0026nbsp; Configured actions: set nexthop 10.20.3.1\n\u0026nbsp; \u0026nbsp; Active routing action:\n\u0026nbsp; \u0026nbsp; VRF default\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Route to nexthop 10.20.3.1 default\n\u0026nbsp; 40: Single match statement\n\u0026nbsp; \u0026nbsp; Match:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003e0 permit ip any any\u003c/span\u003e\n    
\u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eConfigured actions: set nexthop 10.20.4.1\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; Active routing action:\n\u0026nbsp; \u0026nbsp; VRF default\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Route to nexthop 10.20.4.1 default\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eWith this configuration, any packet that does not match the PBR match rules will fall through and match the \"default\" match-all rule and should get redirected to the next hop \u003cb\u003e10.20.4.1\u003c/b\u003e.\u003c/p\u003e\u003ch4\u003eBGP Flowspec\u003c/h4\u003e\u003cp\u003eOR\u003c/p\u003e\u003cp\u003e\u003cb\u003e(2)\u003c/b\u003e\u0026nbsp;A BGP Flowspec must be configured with a rule which redirects to a next hop or set of next hops.\u003c/p\u003e\u003cpre\u003eswitch#show flow-spec ipv4\nFlow specification rules for VRF default\nConfigured on: Ethernet20/1\nApplied on: Ethernet20/1\n\u0026nbsp; Flow-spec rule: 10.100.0.0/16;*;\n\u0026nbsp; \u0026nbsp; Rule identifier: 1\n\u0026nbsp; \u0026nbsp; Matches:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; Destination prefix: 10.100.0.0/16\n\u0026nbsp; \u0026nbsp; Actions:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eRedirect: VRF default\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eRoute via next hop 10.20.4.1\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; Status:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; Installed: yes\n\u0026nbsp; \u0026nbsp; \u0026nbsp; Counter: 0 packets, 0 bytes\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eWith this configuration, all traffic ingressing \u003cb\u003eEthernet20/1\u003c/b\u003e\u0026nbsp;with destination addresses in the \u003cb\u003e10.100.0.0/16\u003c/b\u003e\u0026nbsp;subnet should get redirected to the next hop 
\u003cb\u003e10.20.4.1\u003c/b\u003e.\u003c/p\u003e\u003ch4\u003eInterface Traffic Policy\u003c/h4\u003e\u003cp\u003eOR\u003c/p\u003e\u003cp\u003e\u003cb\u003e(3)\u003c/b\u003e\u0026nbsp;An interface traffic policy must be configured with a rule that redirects to a next hop or set of next hops.\u003c/p\u003e\u003cpre\u003eswitch#show traffic-policy interface\nTraffic policy foo\n\u0026nbsp; \u0026nbsp;Configured on input of interfaces: Ethernet20/1\n\u0026nbsp; \u0026nbsp;Applied on input of interfaces for IPv4 traffic: Ethernet20/1\n\u0026nbsp; \u0026nbsp;Applied on input of interfaces for IPv6 traffic:\n\u0026nbsp; \u0026nbsp;Applied on input of interfaces for MAC traffic:\n\u0026nbsp; \u0026nbsp;Configured on output of interfaces:\n\u0026nbsp; \u0026nbsp;Applied on output of interfaces for IPv4 traffic:\n\u0026nbsp; \u0026nbsp;Applied on output of interfaces for IPv6 traffic:\n\u0026nbsp; \u0026nbsp;Total number of rules configured: 3\n\u0026nbsp; \u0026nbsp; \u0026nbsp; match rule1 ipv4\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;Destination prefix: 10.100.0.0/16\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eActions: Redirect next hop 10.20.4.1\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eActive routing action:\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eVRF default\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eRoute via next hop 10.20.4.1 VRF 
default\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; match ipv4-all-default ipv4\n\u0026nbsp; \u0026nbsp; \u0026nbsp; match ipv6-all-default ipv6\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eWith this configuration, all traffic ingressing \u003cb\u003eEthernet20/1\u003c/b\u003e\u0026nbsp;with destination addresses in the \u003cb\u003e10.100.0.0/16\u003c/b\u003e\u0026nbsp;subnet should get redirected to the next hop \u003cb\u003e10.20.4.1\u003c/b\u003e.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "In order to be vulnerable to CVE-2024-6437, one\u00a0of the following three\u00a0conditions must be met:\n\nPolicy Based Routing (PBR)(1)\u00a0A PBR policy must be configured with a rule which redirects to a next hop or set of next hops.\n\nswitch(config)#show policy-map type pbr\nService policy pmap1\n\u00a0 Configured on: Ethernet20/1\n\u00a0 Applied on:  \u00a0 Ethernet20/1\n\u00a0 10: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any host 10.2.1.1\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.1.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.1.1 default\n\u00a0 20: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any host 10.3.1.1\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.2.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.2.1 default\n\u00a0 30: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip 10.50.1.0/24 any\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.3.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.3.1 default\n\u00a0 40: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any any\n    Configured actions: set nexthop 10.20.4.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.4.1 default\n\n\n\u00a0\n\nWith this configuration, any packet that does not match the PBR match rules will fall through and match the \"default\" match-all rule and should get redirected to the next hop 10.20.4.1.\n\nBGP FlowspecOR\n\n(2)\u00a0A BGP Flowspec must be configured with a rule which redirects to a next hop or set of next hops.\n\nswitch#show flow-spec ipv4\nFlow specification rules for VRF 
default\nConfigured on: Ethernet20/1\nApplied on: Ethernet20/1\n\u00a0 Flow-spec rule: 10.100.0.0/16;*;\n\u00a0 \u00a0 Rule identifier: 1\n\u00a0 \u00a0 Matches:\n\u00a0 \u00a0 \u00a0 Destination prefix: 10.100.0.0/16\n\u00a0 \u00a0 Actions:\n\u00a0 \u00a0 \u00a0 Redirect: VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Route via next hop 10.20.4.1\n\u00a0 \u00a0 Status:\n\u00a0 \u00a0 \u00a0 Installed: yes\n\u00a0 \u00a0 \u00a0 Counter: 0 packets, 0 bytes\n\n\n\u00a0\n\nWith this configuration, all traffic ingressing Ethernet20/1\u00a0with destination addresses in the 10.100.0.0/16\u00a0subnet should get redirected to the next hop 10.20.4.1.\n\nInterface Traffic PolicyOR\n\n(3)\u00a0An interface traffic policy must be configured with a rule that redirects to a next hop or set of next hops.\n\nswitch#show traffic-policy interface\nTraffic policy foo\n\u00a0 \u00a0Configured on input of interfaces: Ethernet20/1\n\u00a0 \u00a0Applied on input of interfaces for IPv4 traffic: Ethernet20/1\n\u00a0 \u00a0Applied on input of interfaces for IPv6 traffic:\n\u00a0 \u00a0Applied on input of interfaces for MAC traffic:\n\u00a0 \u00a0Configured on output of interfaces:\n\u00a0 \u00a0Applied on output of interfaces for IPv4 traffic:\n\u00a0 \u00a0Applied on output of interfaces for IPv6 traffic:\n\u00a0 \u00a0Total number of rules configured: 3\n\u00a0 \u00a0 \u00a0 match rule1 ipv4\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Destination prefix: 10.100.0.0/16\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Actions: Redirect next hop 10.20.4.1\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Route via next hop 10.20.4.1 VRF default\n\u00a0 \u00a0 \u00a0 match ipv4-all-default ipv4\n\u00a0 \u00a0 \u00a0 match ipv6-all-default ipv6\n\n\n\u00a0\n\nWith 
this configuration, all traffic ingressing Ethernet20/1\u00a0with destination addresses in the 10.100.0.0/16\u00a0subnet should get redirected to the next hop 10.20.4.1."
        }
      ],
      "datePublic": "2024-12-05T19:46:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOn affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature\u0027s \u003c/span\u003e\u003cb\u003eset nexthop\u003c/b\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action\u0027s destination.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature\u0027s set nexthop\u00a0action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action\u0027s destination."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-124",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-124 Shared Resource Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "cwe-1220",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-10T20:06:36.034Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/20689-security-advisory-0108"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version that contains the \u003cb\u003eip software forwarding options action drop\u003c/b\u003e\u0026nbsp;CLI command, and configure the command at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cp\u003eCVE-2024-6437 has been fixed in the following releases:\u003c/p\u003e\u003cul\u003e\u003cli\u003e4.32.2F and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.5M and later releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.8M and later releases in the 4.30.x train\u003c/li\u003e\u003cli\u003e4.29.10M and later releases in the 4.29.x train\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "The recommended resolution is to upgrade to a remediated software version that contains the ip software forwarding options action drop\u00a0CLI command, and configure the command at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-6437 has been fixed in the following releases:\n\n  *  4.32.2F and later releases in the 4.32.x train\n  *  4.31.5M and later releases in the 4.31.x train\n  *  4.30.8M and later releases in the 4.30.x train\n  *  4.29.10M and later releases in the 4.29.x train"
        }
      ],
      "source": {
        "advisory": "108",
        "defect": [
          "BUG 962149"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options ma",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eFor all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the \u003cb\u003eip software forwarding options action drop\u003c/b\u003e, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an \u003cb\u003eiptables\u003c/b\u003e\u0026nbsp;rule that drops all IPv4 options traffic in the filter table of the \u003cb\u003eFORWARD\u003c/b\u003e\u0026nbsp;chain.\u003c/p\u003e\u003cpre\u003eswitch(config)#\u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eip software forwarding options action drop\u003c/span\u003e\n   \n# Below is shown to illustrate what the rule does. This is not a command that needs to be run.\n   \nswitch(config)#bash sudo iptables -vnL EOS_FORWARD\nChain EOS_FORWARD (1 references)\n\u0026nbsp;pkts bytes target \u0026nbsp; \u0026nbsp; prot opt in \u0026nbsp; \u0026nbsp; out \u0026nbsp; \u0026nbsp; source \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; destination\n\u0026nbsp; \u0026nbsp; 0 \u0026nbsp; \u0026nbsp; 0 DROP \u0026nbsp; \u0026nbsp; \u0026nbsp; all  --  *  \u0026nbsp; \u0026nbsp; * \u0026nbsp; \u0026nbsp; \u0026nbsp; 0.0.0.0/0  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0.0.0.0/0  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; u32 ! \"0x0\u0026gt;\u0026gt;0x18=0x45\"\n\u0026nbsp; \u0026nbsp; 0 \u0026nbsp; \u0026nbsp; 0 REJECT \u0026nbsp; \u0026nbsp; all  --  *  \u0026nbsp; \u0026nbsp; fwd+  \u0026nbsp; 0.0.0.0/0  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0.0.0.0/0  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; u32 ! 
\"0x0\u0026gt;\u0026gt;0x18=0x45\" reject-with icmp-admin-prohibited\n\u0026nbsp; \u0026nbsp; 0 \u0026nbsp; \u0026nbsp; 0 DROP \u0026nbsp; \u0026nbsp; \u0026nbsp; all  --  *  \u0026nbsp; \u0026nbsp; ma+ \u0026nbsp; \u0026nbsp; 0.0.0.0/0  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0.0.0.0/0\n\u0026nbsp; \u0026nbsp; 0 \u0026nbsp; \u0026nbsp; 0 ACCEPT \u0026nbsp; \u0026nbsp; all  --  *  \u0026nbsp; \u0026nbsp; *  \u0026nbsp; \u0026nbsp; !127.0.0.0/8 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; !127.0.0.0/8\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eAdditionally, in 7280R3, 7500R3, and 7800R3 systems, the \u003cb\u003e\u003ci\u003esystem-rule overriding-action redirect\u003c/i\u003e\u003c/b\u003e\u0026nbsp;command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features\u0027 \u003cb\u003eset nexthop\u003c/b\u003e\u0026nbsp;action to take precedence over the system ACL\u0027s trap action to CPU. See \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules\"\u003eTCAM redirect action overriding system rules - TOI\u003c/a\u003e\u0026nbsp;for more information.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "For all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the ip software forwarding options action drop, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an iptables\u00a0rule that drops all IPv4 options traffic in the filter table of the FORWARD\u00a0chain.\n\nswitch(config)#ip software forwarding options action drop\n   \n# Below is shown to illustrate what the rule does. This is not a command that needs to be run.\n   \nswitch(config)#bash sudo iptables -vnL EOS_FORWARD\nChain EOS_FORWARD (1 references)\n\u00a0pkts bytes target \u00a0 \u00a0 prot opt in \u00a0 \u00a0 out \u00a0 \u00a0 source \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 DROP \u00a0 \u00a0 \u00a0 all  --  *  \u00a0 \u00a0 * \u00a0 \u00a0 \u00a0 0.0.0.0/0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 u32 ! \"0x0\u003e\u003e0x18=0x45\"\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 REJECT \u00a0 \u00a0 all  --  *  \u00a0 \u00a0 fwd+  \u00a0 0.0.0.0/0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 u32 ! \"0x0\u003e\u003e0x18=0x45\" reject-with icmp-admin-prohibited\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 DROP \u00a0 \u00a0 \u00a0 all  --  *  \u00a0 \u00a0 ma+ \u00a0 \u00a0 0.0.0.0/0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 ACCEPT \u00a0 \u00a0 all  --  *  \u00a0 \u00a0 *  \u00a0 \u00a0 !127.0.0.0/8 \u00a0 \u00a0 \u00a0 \u00a0 !127.0.0.0/8\n\n\n\u00a0\n\nAdditionally, in 7280R3, 7500R3, and 7800R3 systems, the system-rule overriding-action redirect\u00a0command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features\u0027 set nexthop\u00a0action to take precedence over the system ACL\u0027s trap action to CPU. 
See  TCAM redirect action overriding system rules - TOI https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules \u00a0for more information."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2024-6437",
    "datePublished": "2025-01-10T20:06:36.034Z",
    "dateReserved": "2024-07-01T22:29:33.582Z",
    "dateUpdated": "2025-01-10T21:12:37.972Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-6437 (GCVE-0-2024-6437)

Vulnerability from nvd – Published: 2025-01-10 20:06 – Updated: 2025-01-10 21:12
Title
On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options ma
Summary
On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature's set nexthop action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination.
CWE
  • cwe-1220
Assigner
Impacted products
Vendor Product Version
Arista Networks EOS-Policy Based Routing (PBR) Affected: 4.32.0F , ≤ 4.32.1F (custom)
Affected: 4.31.0M , ≤ 4.31.4M (custom)
Affected: 4.30.0M , ≤ 4.30.7M (custom)
Affected: 4.29.0M , ≤ 4.29.9M (custom)
Affected: 4.28.0M , ≤ 4.28.11M (custom)
Affected: 4.27.0M , ≤ 4.27.12M (custom)
Affected: 4.26.0M , ≤ 4.26.14M (custom)
Affected: 4.25.0M , ≤ 4.25.11M (custom)
Affected: 4.24.0M , ≤ 4.24.11M (custom)
Affected: 4.23.0M , ≤ 4.23.15M (custom)
Affected: 4.22.0M , ≤ 4.22.13M (custom)
Affected: 4.21.0M , ≤ 4.21.15M (custom)
    Arista Networks EOS - BGP Flowspec Affected: 4.32.0F , ≤ 4.32.1F (custom)
Affected: 4.31.0M , ≤ 4.31.4M (custom)
Affected: 4.30.0M , ≤ 4.30.7M (custom)
Affected: 4.29.0M , ≤ 4.29.9M (custom)
Affected: 4.28.0M , ≤ 4.28.11M (custom)
Affected: 4.27.0M , ≤ 4.27.12M (custom)
Affected: 4.26.0M , ≤ 4.26.14M (custom)
Affected: 4.25.0M , ≤ 4.25.11M (custom)
Affected: 4.24.0M , ≤ 4.24.11M (custom)
Affected: 4.23.0M , ≤ 4.23.15M (custom)
Affected: 4.22.0M , ≤ 4.22.13M (custom)
Affected: 4.21.3F , ≤ 4.21.15M (custom)
    Arista Networks EOS - Interface Traffic Policy Affected: 4.32.0F , ≤ 4.32.1F (custom)
Affected: 4.31.0M , ≤ 4.31.4M (custom)
Affected: 4.30.0M , ≤ 4.30.7M (custom)
Affected: 4.29.0M , ≤ 4.29.9M (custom)
Affected: 4.28.0M , ≤ 4.28.11M (custom)
Affected: 4.27.2F , ≤ 4.27.12F (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6437",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-10T21:12:08.840985Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-10T21:12:37.972Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EOS-Policy Based Routing (PBR)",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "4.32.1F",
              "status": "affected",
              "version": "4.32.0F",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.4M",
              "status": "affected",
              "version": "4.31.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.30.7M",
              "status": "affected",
              "version": "4.30.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.29.9M",
              "status": "affected",
              "version": "4.29.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.28.11M",
              "status": "affected",
              "version": "4.28.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.27.12M",
              "status": "affected",
              "version": "4.27.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.26.14M",
              "status": "affected",
              "version": "4.26.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.25.11M",
              "status": "affected",
              "version": "4.25.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.24.11M",
              "status": "affected",
              "version": "4.24.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.23.15M",
              "status": "affected",
              "version": "4.23.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.22.13M",
              "status": "affected",
              "version": "4.22.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.21.15M",
              "status": "affected",
              "version": "4.21.0M",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EOS - BGP Flowspec",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "4.32.1F",
              "status": "affected",
              "version": "4.32.0F",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.4M",
              "status": "affected",
              "version": "4.31.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.30.7M",
              "status": "affected",
              "version": "4.30.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.29.9M",
              "status": "affected",
              "version": "4.29.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.28.11M",
              "status": "affected",
              "version": "4.28.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.27.12M",
              "status": "affected",
              "version": "4.27.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.26.14M",
              "status": "affected",
              "version": "4.26.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.25.11M",
              "status": "affected",
              "version": "4.25.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.24.11M",
              "status": "affected",
              "version": "4.24.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.23.15M",
              "status": "affected",
              "version": "4.23.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.22.13M",
              "status": "affected",
              "version": "4.22.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.21.15M",
              "status": "affected",
              "version": "4.21.3F",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EOS - Interface Traffic Policy",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "4.32.1F",
              "status": "affected",
              "version": "4.32.0F",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.4M",
              "status": "affected",
              "version": "4.31.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.30.7M",
              "status": "affected",
              "version": "4.30.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.29.9M",
              "status": "affected",
              "version": "4.29.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.28.11M",
              "status": "affected",
              "version": "4.28.0M",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.27.12F",
              "status": "affected",
              "version": "4.27.2F",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-6437, \u003cb\u003eone\u003c/b\u003e\u0026nbsp;of the following \u003cb\u003ethree\u003c/b\u003e\u0026nbsp;conditions must be met:\u003c/p\u003e\u003ch4\u003ePolicy Based Routing (PBR)\u003c/h4\u003e\u003cp\u003e\u003cb\u003e(1)\u003c/b\u003e\u0026nbsp;A PBR policy must be configured with a rule which redirects to a next hop or set of next hops.\u003c/p\u003e\u003cpre\u003eswitch(config)#show policy-map type pbr\nService policy pmap1\n\u0026nbsp; Configured on: Ethernet20/1\n\u0026nbsp; Applied on:  \u0026nbsp; Ethernet20/1\n\u0026nbsp; 10: Single match statement\n\u0026nbsp; \u0026nbsp; Match:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0 permit ip any host 10.2.1.1\n\u0026nbsp; \u0026nbsp; Configured actions: set nexthop 10.20.1.1\n\u0026nbsp; \u0026nbsp; Active routing action:\n\u0026nbsp; \u0026nbsp; VRF default\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Route to nexthop 10.20.1.1 default\n\u0026nbsp; 20: Single match statement\n\u0026nbsp; \u0026nbsp; Match:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0 permit ip any host 10.3.1.1\n\u0026nbsp; \u0026nbsp; Configured actions: set nexthop 10.20.2.1\n\u0026nbsp; \u0026nbsp; Active routing action:\n\u0026nbsp; \u0026nbsp; VRF default\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Route to nexthop 10.20.2.1 default\n\u0026nbsp; 30: Single match statement\n\u0026nbsp; \u0026nbsp; Match:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0 permit ip 10.50.1.0/24 any\n\u0026nbsp; \u0026nbsp; Configured actions: set nexthop 10.20.3.1\n\u0026nbsp; \u0026nbsp; Active routing action:\n\u0026nbsp; \u0026nbsp; VRF default\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Route to nexthop 10.20.3.1 default\n\u0026nbsp; 40: Single match statement\n\u0026nbsp; \u0026nbsp; Match:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003e0 permit ip any any\u003c/span\u003e\n    
\u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eConfigured actions: set nexthop 10.20.4.1\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; Active routing action:\n\u0026nbsp; \u0026nbsp; VRF default\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Route to nexthop 10.20.4.1 default\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eWith this configuration, any packet that does not match the PBR match rules will fall through and match the \"default\" match-all rule and should get redirected to the next hop \u003cb\u003e10.20.4.1\u003c/b\u003e.\u003c/p\u003e\u003ch4\u003eBGP Flowspec\u003c/h4\u003e\u003cp\u003eOR\u003c/p\u003e\u003cp\u003e\u003cb\u003e(2)\u003c/b\u003e\u0026nbsp;A BGP Flowspec must be configured with a rule which redirects to a next hop or set of next hops.\u003c/p\u003e\u003cpre\u003eswitch#show flow-spec ipv4\nFlow specification rules for VRF default\nConfigured on: Ethernet20/1\nApplied on: Ethernet20/1\n\u0026nbsp; Flow-spec rule: 10.100.0.0/16;*;\n\u0026nbsp; \u0026nbsp; Rule identifier: 1\n\u0026nbsp; \u0026nbsp; Matches:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; Destination prefix: 10.100.0.0/16\n\u0026nbsp; \u0026nbsp; Actions:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eRedirect: VRF default\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eRoute via next hop 10.20.4.1\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; Status:\n\u0026nbsp; \u0026nbsp; \u0026nbsp; Installed: yes\n\u0026nbsp; \u0026nbsp; \u0026nbsp; Counter: 0 packets, 0 bytes\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eWith this configuration, all traffic ingressing \u003cb\u003eEthernet20/1\u003c/b\u003e\u0026nbsp;with destination addresses in the \u003cb\u003e10.100.0.0/16\u003c/b\u003e\u0026nbsp;subnet should get redirected to the next hop 
\u003cb\u003e10.20.4.1\u003c/b\u003e.\u003c/p\u003e\u003ch4\u003eInterface Traffic Policy\u003c/h4\u003e\u003cp\u003eOR\u003c/p\u003e\u003cp\u003e\u003cb\u003e(3)\u003c/b\u003e\u0026nbsp;An interface traffic policy must be configured with a rule that redirects to a next hop or set of next hops.\u003c/p\u003e\u003cpre\u003eswitch#show traffic-policy interface\nTraffic policy foo\n\u0026nbsp; \u0026nbsp;Configured on input of interfaces: Ethernet20/1\n\u0026nbsp; \u0026nbsp;Applied on input of interfaces for IPv4 traffic: Ethernet20/1\n\u0026nbsp; \u0026nbsp;Applied on input of interfaces for IPv6 traffic:\n\u0026nbsp; \u0026nbsp;Applied on input of interfaces for MAC traffic:\n\u0026nbsp; \u0026nbsp;Configured on output of interfaces:\n\u0026nbsp; \u0026nbsp;Applied on output of interfaces for IPv4 traffic:\n\u0026nbsp; \u0026nbsp;Applied on output of interfaces for IPv6 traffic:\n\u0026nbsp; \u0026nbsp;Total number of rules configured: 3\n\u0026nbsp; \u0026nbsp; \u0026nbsp; match rule1 ipv4\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;Destination prefix: 10.100.0.0/16\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eActions: Redirect next hop 10.20.4.1\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eActive routing action:\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eVRF default\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eRoute via next hop 10.20.4.1 VRF 
default\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \u0026nbsp; match ipv4-all-default ipv4\n\u0026nbsp; \u0026nbsp; \u0026nbsp; match ipv6-all-default ipv6\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eWith this configuration, all traffic ingressing \u003cb\u003eEthernet20/1\u003c/b\u003e\u0026nbsp;with destination addresses in the \u003cb\u003e10.100.0.0/16\u003c/b\u003e\u0026nbsp;subnet should get redirected to the next hop \u003cb\u003e10.20.4.1\u003c/b\u003e.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "In order to be vulnerable to CVE-2024-6437, one\u00a0of the following three\u00a0conditions must be met:\n\nPolicy Based Routing (PBR)(1)\u00a0A PBR policy must be configured with a rule which redirects to a next hop or set of next hops.\n\nswitch(config)#show policy-map type pbr\nService policy pmap1\n\u00a0 Configured on: Ethernet20/1\n\u00a0 Applied on:  \u00a0 Ethernet20/1\n\u00a0 10: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any host 10.2.1.1\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.1.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.1.1 default\n\u00a0 20: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any host 10.3.1.1\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.2.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.2.1 default\n\u00a0 30: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip 10.50.1.0/24 any\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.3.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.3.1 default\n\u00a0 40: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any any\n    Configured actions: set nexthop 10.20.4.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.4.1 default\n\n\n\u00a0\n\nWith this configuration, any packet that does not match the PBR match rules will fall through and match the \"default\" match-all rule and should get redirected to the next hop 10.20.4.1.\n\nBGP FlowspecOR\n\n(2)\u00a0A BGP Flowspec must be configured with a rule which redirects to a next hop or set of next hops.\n\nswitch#show flow-spec ipv4\nFlow specification rules for VRF 
default\nConfigured on: Ethernet20/1\nApplied on: Ethernet20/1\n\u00a0 Flow-spec rule: 10.100.0.0/16;*;\n\u00a0 \u00a0 Rule identifier: 1\n\u00a0 \u00a0 Matches:\n\u00a0 \u00a0 \u00a0 Destination prefix: 10.100.0.0/16\n\u00a0 \u00a0 Actions:\n\u00a0 \u00a0 \u00a0 Redirect: VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Route via next hop 10.20.4.1\n\u00a0 \u00a0 Status:\n\u00a0 \u00a0 \u00a0 Installed: yes\n\u00a0 \u00a0 \u00a0 Counter: 0 packets, 0 bytes\n\n\n\u00a0\n\nWith this configuration, all traffic ingressing Ethernet20/1\u00a0with destination addresses in the 10.100.0.0/16\u00a0subnet should get redirected to the next hop 10.20.4.1.\n\nInterface Traffic PolicyOR\n\n(3)\u00a0An interface traffic policy must be configured with a rule that redirects to a next hop or set of next hops.\n\nswitch#show traffic-policy interface\nTraffic policy foo\n\u00a0 \u00a0Configured on input of interfaces: Ethernet20/1\n\u00a0 \u00a0Applied on input of interfaces for IPv4 traffic: Ethernet20/1\n\u00a0 \u00a0Applied on input of interfaces for IPv6 traffic:\n\u00a0 \u00a0Applied on input of interfaces for MAC traffic:\n\u00a0 \u00a0Configured on output of interfaces:\n\u00a0 \u00a0Applied on output of interfaces for IPv4 traffic:\n\u00a0 \u00a0Applied on output of interfaces for IPv6 traffic:\n\u00a0 \u00a0Total number of rules configured: 3\n\u00a0 \u00a0 \u00a0 match rule1 ipv4\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Destination prefix: 10.100.0.0/16\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Actions: Redirect next hop 10.20.4.1\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Route via next hop 10.20.4.1 VRF default\n\u00a0 \u00a0 \u00a0 match ipv4-all-default ipv4\n\u00a0 \u00a0 \u00a0 match ipv6-all-default ipv6\n\n\n\u00a0\n\nWith 
this configuration, all traffic ingressing Ethernet20/1\u00a0with destination addresses in the 10.100.0.0/16\u00a0subnet should get redirected to the next hop 10.20.4.1."
        }
      ],
      "datePublic": "2024-12-05T19:46:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOn affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature\u0027s \u003c/span\u003e\u003cb\u003eset nexthop\u003c/b\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action\u0027s destination.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature\u0027s set nexthop\u00a0action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action\u0027s destination."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-124",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-124 Shared Resource Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "cwe-1220",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-10T20:06:36.034Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/20689-security-advisory-0108"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version that contains the \u003cb\u003eip software forwarding options action drop\u003c/b\u003e\u0026nbsp;CLI command, and configure the command at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cp\u003eCVE-2024-6437 has been fixed in the following releases:\u003c/p\u003e\u003cul\u003e\u003cli\u003e4.32.2F and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.5M and later releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.8M and later releases in the 4.30.x train\u003c/li\u003e\u003cli\u003e4.29.10M and later releases in the 4.29.x train\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "The recommended resolution is to upgrade to a remediated software version that contains the ip software forwarding options action drop\u00a0CLI command, and configure the command at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-6437 has been fixed in the following releases:\n\n  *  4.32.2F and later releases in the 4.32.x train\n  *  4.31.5M and later releases in the 4.31.x train\n  *  4.30.8M and later releases in the 4.30.x train\n  *  4.29.10M and later releases in the 4.29.x train"
        }
      ],
      "source": {
        "advisory": "108",
        "defect": [
          "BUG 962149"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options ma",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eFor all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the \u003cb\u003eip software forwarding options action drop\u003c/b\u003e, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an \u003cb\u003eiptables\u003c/b\u003e\u0026nbsp;rule that drops all IPv4 options traffic in the filter table of the \u003cb\u003eFORWARD\u003c/b\u003e\u0026nbsp;chain.\u003c/p\u003e\u003cpre\u003eswitch(config)#\u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eip software forwarding options action drop\u003c/span\u003e\n   \n# Below is shown to illustrate what the rule does. This is not a command that needs to be run.\n   \nswitch(config)#bash sudo iptables -vnL EOS_FORWARD\nChain EOS_FORWARD (1 references)\n\u0026nbsp;pkts bytes target \u0026nbsp; \u0026nbsp; prot opt in \u0026nbsp; \u0026nbsp; out \u0026nbsp; \u0026nbsp; source \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; destination\n\u0026nbsp; \u0026nbsp; 0 \u0026nbsp; \u0026nbsp; 0 DROP \u0026nbsp; \u0026nbsp; \u0026nbsp; all  --  *  \u0026nbsp; \u0026nbsp; * \u0026nbsp; \u0026nbsp; \u0026nbsp; 0.0.0.0/0  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0.0.0.0/0  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; u32 ! \"0x0\u0026gt;\u0026gt;0x18=0x45\"\n\u0026nbsp; \u0026nbsp; 0 \u0026nbsp; \u0026nbsp; 0 REJECT \u0026nbsp; \u0026nbsp; all  --  *  \u0026nbsp; \u0026nbsp; fwd+  \u0026nbsp; 0.0.0.0/0  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0.0.0.0/0  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; u32 ! 
\"0x0\u0026gt;\u0026gt;0x18=0x45\" reject-with icmp-admin-prohibited\n\u0026nbsp; \u0026nbsp; 0 \u0026nbsp; \u0026nbsp; 0 DROP \u0026nbsp; \u0026nbsp; \u0026nbsp; all  --  *  \u0026nbsp; \u0026nbsp; ma+ \u0026nbsp; \u0026nbsp; 0.0.0.0/0  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0.0.0.0/0\n\u0026nbsp; \u0026nbsp; 0 \u0026nbsp; \u0026nbsp; 0 ACCEPT \u0026nbsp; \u0026nbsp; all  --  *  \u0026nbsp; \u0026nbsp; *  \u0026nbsp; \u0026nbsp; !127.0.0.0/8 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; !127.0.0.0/8\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eAdditionally, in 7280R3, 7500R3, and 7800R3 systems, the \u003cb\u003e\u003ci\u003esystem-rule overriding-action redirect\u003c/i\u003e\u003c/b\u003e\u0026nbsp;command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features\u0027 \u003cb\u003eset nexthop\u003c/b\u003e\u0026nbsp;action to take precedence over the system ACL\u0027s trap action to CPU. See \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules\"\u003eTCAM redirect action overriding system rules - TOI\u003c/a\u003e\u0026nbsp;for more information.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "For all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the ip software forwarding options action drop, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an iptables\u00a0rule that drops all IPv4 options traffic in the filter table of the FORWARD\u00a0chain.\n\nswitch(config)#ip software forwarding options action drop\n   \n# Below is shown to illustrate what the rule does. This is not a command that needs to be run.\n   \nswitch(config)#bash sudo iptables -vnL EOS_FORWARD\nChain EOS_FORWARD (1 references)\n\u00a0pkts bytes target \u00a0 \u00a0 prot opt in \u00a0 \u00a0 out \u00a0 \u00a0 source \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 DROP \u00a0 \u00a0 \u00a0 all  --  *  \u00a0 \u00a0 * \u00a0 \u00a0 \u00a0 0.0.0.0/0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 u32 ! \"0x0\u003e\u003e0x18=0x45\"\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 REJECT \u00a0 \u00a0 all  --  *  \u00a0 \u00a0 fwd+  \u00a0 0.0.0.0/0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 u32 ! \"0x0\u003e\u003e0x18=0x45\" reject-with icmp-admin-prohibited\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 DROP \u00a0 \u00a0 \u00a0 all  --  *  \u00a0 \u00a0 ma+ \u00a0 \u00a0 0.0.0.0/0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 ACCEPT \u00a0 \u00a0 all  --  *  \u00a0 \u00a0 *  \u00a0 \u00a0 !127.0.0.0/8 \u00a0 \u00a0 \u00a0 \u00a0 !127.0.0.0/8\n\n\n\u00a0\n\nAdditionally, in 7280R3, 7500R3, and 7800R3 systems, the system-rule overriding-action redirect\u00a0command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features\u0027 set nexthop\u00a0action to take precedence over the system ACL\u0027s trap action to CPU. 
See  TCAM redirect action overriding system rules - TOI https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules \u00a0for more information."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2024-6437",
    "datePublished": "2025-01-10T20:06:36.034Z",
    "dateReserved": "2024-07-01T22:29:33.582Z",
    "dateUpdated": "2025-01-10T21:12:37.972Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}