csaf_certbund - wid-sec-w-2023-0379

wid-sec-w-2023-0379

Vulnerability from csaf_certbund

Published

2023-02-14 23:00

Modified

2023-02-14 23:00

Summary

Arista EOS: Schwachstelle ermöglicht Privilegieneskalation

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Arista Extensible Operating System (EOS) ist ein modulares Linux basiertes Netzwerkbetriebssystem.

Angriff

Ein lokaler Angreifer kann eine Schwachstelle in Arista EOS ausnutzen, um seine Privilegien zu erhöhen.

Betroffene Betriebssysteme

- Applicance - Hardware Appliance

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "hoch",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "Arista Extensible Operating System (EOS) ist ein modulares Linux basiertes Netzwerkbetriebssystem.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein lokaler Angreifer kann eine Schwachstelle in Arista EOS ausnutzen, um seine Privilegien zu erhöhen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Applicance\n- Hardware Appliance",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2023-0379 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0379.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2023-0379 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0379",
         },
         {
            category: "external",
            summary: "Arista EOS Security Advisory 0082 vom 2023-02-14",
            url: "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082",
         },
      ],
      source_lang: "en-US",
      title: "Arista EOS: Schwachstelle ermöglicht Privilegieneskalation",
      tracking: {
         current_release_date: "2023-02-14T23:00:00.000+00:00",
         generator: {
            date: "2024-08-15T17:43:41.781+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.5",
            },
         },
         id: "WID-SEC-W-2023-0379",
         initial_release_date: "2023-02-14T23:00:00.000+00:00",
         revision_history: [
            {
               date: "2023-02-14T23:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Arista EOS < 4.24.11",
                        product: {
                           name: "Arista EOS < 4.24.11",
                           product_id: "T026326",
                           product_identification_helper: {
                              cpe: "cpe:/o:arista:arista_eos:4.24.11",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Arista EOS < 4.25.10",
                        product: {
                           name: "Arista EOS < 4.25.10",
                           product_id: "T026327",
                           product_identification_helper: {
                              cpe: "cpe:/o:arista:arista_eos:4.25.10",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Arista EOS < 4.26.9",
                        product: {
                           name: "Arista EOS < 4.26.9",
                           product_id: "T026328",
                           product_identification_helper: {
                              cpe: "cpe:/o:arista:arista_eos:4.26.9",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Arista EOS < 4.27.7",
                        product: {
                           name: "Arista EOS < 4.27.7",
                           product_id: "T026329",
                           product_identification_helper: {
                              cpe: "cpe:/o:arista:arista_eos:4.27.7",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Arista EOS < 4.28.4",
                        product: {
                           name: "Arista EOS < 4.28.4",
                           product_id: "T026330",
                           product_identification_helper: {
                              cpe: "cpe:/o:arista:arista_eos:4.28.4",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "Arista EOS < 4.29.0",
                        product: {
                           name: "Arista EOS < 4.29.0",
                           product_id: "T026331",
                           product_identification_helper: {
                              cpe: "cpe:/o:arista:arista_eos:4.29.0",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "EOS",
               },
            ],
            category: "vendor",
            name: "Arista",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2023-24509",
         notes: [
            {
               category: "description",
               text: "Es besteht eine Schwachstelle in Arista EOS, wenn redundante Supervisor-Module vorhanden sind und das Redundanzprotokoll aktiviert ist. Aufgrund einer unsachgemäßen Rechteverwaltung kann sich ein unprivilegierter Benutzer als Root-Benutzer am Standby-Supervisor anmelden. Ein Angreifer kann dies ausnutzen, um seine Privilegien zu erweitern.",
            },
         ],
         release_date: "2023-02-14T23:00:00.000+00:00",
         title: "CVE-2023-24509",
      },
   ],
}

CVE-2023-24509 (GCVE-0-2023-24509)

Vulnerability from cvelistv5

Published

2023-04-13 00:00

Modified

2025-02-07 15:42

Severity ?

9.3 (Critical) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability.

References

▼	URL	Tags
	https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082

Impacted products

	Vendor	Product	Version
	Arista Networks	Arista EOS	Version: 4.23.0 4.23.13M Version: 4.28.0 < Version: 4.27.0 < Version: 4.286.0 < Version: 4.25.0 < Version: 4.24.0 <

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T10:56:04.282Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-24509",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-02-07T15:42:03.820627Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-02-07T15:42:09.265Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "Arista EOS",
               vendor: "Arista Networks",
               versions: [
                  {
                     status: "affected",
                     version: "4.23.0 4.23.13M",
                  },
                  {
                     lessThanOrEqual: "4.28.3M",
                     status: "affected",
                     version: "4.28.0",
                     versionType: "custom",
                  },
                  {
                     lessThanOrEqual: "4.27.6M",
                     status: "affected",
                     version: "4.27.0",
                     versionType: "custom",
                  },
                  {
                     lessThanOrEqual: "4.26.8M",
                     status: "affected",
                     version: "4.286.0",
                     versionType: "custom",
                  },
                  {
                     lessThanOrEqual: "4.25.9M",
                     status: "affected",
                     version: "4.25.0",
                     versionType: "custom",
                  },
                  {
                     lessThanOrEqual: "4.24.10M",
                     status: "affected",
                     version: "4.24.0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         configurations: [
            {
               lang: "en",
               value: "In order to be vulnerable to CVE-2023-24509, the following conditions must be met:\n\nTwo supervisor modules must both be inserted and active. To determine the status of the supervisor modules,\n\nswitch#show module \nModule  Ports Card Type                Model            Serial No.\n------- ----- ------------------------ ---------------- -----------\n1       3     DCS-7500-SUP2 Supervisor DCS-7500-SUP2    SSJ17133450\n2       2     Standby supervisor       DCS-7500-SUP2    SSJ17133441\n \nModule  Status  Uptime  Power off reason\n------- ------- ------- ----------------\n1       Active  0:24:58 N/A\n2       Standby 0:24:58 N/A\nSupervisor redundancy protocol must be configured with RPR(Route Processor Redundancy) or SSO (Stateful Switchover) on the switch. To determine the state and the current redundancy protocol of both supervisors on the switch,\n\nswitch#show redundancy status\n  my state = ACTIVE\npeer state = STANDBY WARM\n      Unit = Primary\n   Unit ID = 1\n   \nRedundancy Protocol (Operational) = Route Processor Redundancy\nRedundancy Protocol (Configured) = Route Processor Redundancy\nCommunications = Up\nReady for switchover\n   \n  Last switchover time = 7:23:56 ago\nLast switchover reason = Supervisor has control of the active supervisor lock",
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Arista would like to acknowledge and thank Marc-André Labonté, Senior Information Security Analyst at Desjardins for responsibly reporting CVE-2023-24509.",
            },
         ],
         datePublic: "2023-02-14T00:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               value: "On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 9.3,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-269",
                     description: "CWE-269 Improper Privilege Management",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-04-13T00:00:00.000Z",
            orgId: "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
            shortName: "Arista",
         },
         references: [
            {
               url: "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\n\nCVE-2023-24509 has been fixed in the following releases:\n\n4.28.4M and later releases in the 4.28.x train\n4.27.7M and later releases in the 4.27.x train\n4.26.9M and later releases in the 4.26.x train\n4.25.10M and later releases in the 4.25.x train\n4.24.11M and later releases in the 4.24.x train",
            },
            {
               lang: "en",
               value: "The following hotfix can be applied to remediate CVE-2023-24509. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above).: \n\n4.28.3M and below releases in the 4.28.x train\n4.27.6M and below releases in the 4.27.x train\n4.26.8M and below releases in the 4.26.x train\n4.25.9M and below releases in the 4.25.x train\n4.24.10M\n4.23.13M\nNote: Installing/uninstalling the SWIX will cause ConfigAgent to restart and disconnect existing CLI sessions.\n\nVersion: 1.0\n\nURL: SecurityAdvisory82_CVE-2023-24509_Hotfix.swix\n\nSWIX hash:\n\n(SHA-512)7833ab99e11cfea1ec28c09aedffd062cfc865a20a843ee6184caff1081e748c8a02590644d0c7b0e377027379cbaadc8b1a70d1c37097bf98c1bedb429dca56",
            },
         ],
         source: {
            advisory: "82",
            defect: [
               "723401",
            ],
            discovery: "EXTERNAL",
         },
         title: "On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading t ...",
         workarounds: [
            {
               lang: "en",
               value: "The workaround is to disable “ssh” CLI command in unprivileged mode on the SSH client devices by using command authorization. This can be done with Role-Based Access Control (RBAC).\n\nIf the “ssh” CLI command is currently used to connect to a remote host, the destination address can be added to an allowlist with RBAC.",
            },
         ],
         x_ConverterErrors: {
            TITLE: {
               error: "TITLE too long. Truncating in v5 record.",
               message: "Truncated!",
            },
         },
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
      assignerShortName: "Arista",
      cveId: "CVE-2023-24509",
      datePublished: "2023-04-13T00:00:00.000Z",
      dateReserved: "2023-01-24T00:00:00.000Z",
      dateUpdated: "2025-02-07T15:42:09.265Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted