Date: October 19th, 2021

Version: 1.0

Revision Date Changes
1.0 October 19th, 2021 Initial Release
 

Security Advisory 0069

The CVE-ID tracking this issue: CVE-2021-28496
CVSSv3.1 Base Score: 5.7( CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Description

This advisory documents the impact of an internally found vulnerability in Arista's EOS software. Affected software releases are listed below.

The effect of this vulnerability is that, when using shared secret profiles the password configured for use by BiDirectional Forwarding Detection (BFD) will be leaked when displaying output over eAPI or other JSON outputs to authenticated users on the device.

This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.

Vulnerability Assessment

Affected Software

EOS Versions

  • All releases in 4.22.x train
  • 4.23.9 and below releases in the 4.23.x train
  • 4.24.7 and below releases in the 4.24.x train
  • 4.25.4 and below releases in the 4.25.x train
  • 4.26.1 and below releases in the 4.26.x train

Affected Platforms

This is a platform-independent vulnerability and affects all systems running EOS and CloudEOS with the versions identified above.

The following products are not affected:

  • Arista Wireless Access Points
  • CloudVision WiFi, virtual appliance or physical appliance
  • CloudVision WiFi cloud service delivery
  • CloudVision Portal, virtual appliance or physical appliance
  • CloudVision as-a-Service
  • Arista 7130 Systems running MOS
  • Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
  • Awake Security Platform

Mitigation

The following configuration changes may be used as an immediate mitigation in order to prevent the exploitation temporarily. Please upgrade to the fixed version or install the hotfix swix as the proper final resolution, which can be referred to the Resolution section below with details of the remediated software versions.

The restriction of access to the related CLI show command of specified role type can be used as an immediate mitigation. The detailed instructions of role-based authorization can be found here.

Example:

  1. Create a new role with restricted access to the CLI show command and make sure the rule has been successfully configured
    switch(config)#role sysadmin
    switch(config-role-sysadmin)#deny command show management security session shared-secret profile
    switch(config-role-sysadmin)# permit command .*
    switch(config-role-sysadmin)#exit
    
    switch#show users roles sysadmin The default role is network-operator
    role: sysadmin 10 deny command show management security session shared-secret profile 20 permit command .*
    Note: in the example above, all other commands besides the show shared profile CLI commands are permitted, it can be tightened up further to only allow commands needed for role sysadmin.
     
  2. Enable role-based access control
    switch(config)#aaa authorization commands all default local
    
     
  3. Assign the role to a username
    Roles are assigned to local users through the username command and to remote users through RADIUS servers. Each user is assigned one role. Each role can be assigned to multiple local and remote users.
    switch(config)#username adminUser privilege 15 role sysadmin secret adminUserPassword
    
     
  4. Login with username “adminUser” should deny the access of shared-secret profile CLI show command
    switch#show management security session shared-secret profile
    % Authorization denied for command 'show management security session shared-secret profile'
    

Resolution

This vulnerability is being tracked by BUG607643. The recommended resolution is to upgrade to a remediated software version at your earliest convenience.

The vulnerability is fixed in the following EOS versions:

  • 4.23.10 and later releases
  • 4.24.8 and later releases
  • 4.25.5 and later releases
  • 4.26.2 and later releases

For an immediate remediation until EOS can be upgraded, the following hotfixes are available.

The hotfix can be installed as an EOS extension and is version-specific as noted below. Please note the hotfix restarts the ConfigAgent, which will result in all CLI sessions on ssh and console to be logged out and new CLI sessions to not be possible until the ConfigAgent has fully restarted. The disruption will last for 1 minutes or less before normal behavior is restored. It might in rare situations also cause BFD sessions to flap briefly.

  • Release versions: 4.22.0 - 4.25.0
     
  • Release versions: 4.25.1 - 4.26.1

For instructions on installation and verification of the hotfix patch, refer to the “managing EOS extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘copy installed-extensions boot-extensions’.

For More Information

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

Open a Service Request:

By email: This email address is being protected from spambots. You need JavaScript enabled to view it.

By telephone: 408-547-5502 ; 866-476-0000