Date: December 5, 2023

 
Revision Date Changes
1.0 December 5, 2023 Initial release

The CVE-ID tracking this issue: CVE-2023-24547
CVSSv3.1 Base Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H)
Common Weakness Enumeration: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
This vulnerability is being tracked by BUG868319, BUG873034, MOS-2222, MOS-2255.

Description

On affected platforms running Arista MOS, the configuration of a BGP password will cause the password to be logged in clear text that can be revealed in local logs or remote logging servers by authenticated users, as well as appear in clear text in the device’s running config. This could result in unauthorized route announcements from malicious peers or cause traffic loss.

This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.

Vulnerability Assessment

Affected Software

MOS Versions

  • MOS-0.13.0 onwards

Affected Platforms

The following products are affected by this vulnerability:

  • Arista 7130 Systems running MOS
  • Pre-Arista labeled devices (Metamako)

The following product versions and platforms are not affected by this vulnerability:

  • Arista EOS-based products:
    • 720D Series
    • 720XP/722XPM Series
    • 750X Series
    • 7010 Series
    • 7010X Series
    • 7020R Series
    • 7130 Series running EOS
    • 7150 Series
    • 7160 Series
    • 7170 Series
    • 7050X/X2/X3/X4 Series
    • 7060X/X2/X4/X5 Series
    • 7250X Series
    • 7260X/X3 Series
    • 7280E/R/R2/R3 Series
    • 7300X/X3 Series
    • 7320X Series
    • 7358X4 Series
    • 7368X4 Series
    • 7388X5 Series
    • 7500E/R/R2/R3 Series
    • 7800R3 Series
    • CloudEOS
    • cEOS-lab
    • vEOS-lab
    • AWE 5000 Series
  • Arista Wireless Access Points
  • CloudVision WiFi, virtual appliance or physical appliance
  • CloudVision WiFi cloud service delivery
  • CloudVision eXchange, virtual or physical appliance
  • CloudVision Portal, virtual appliance or physical appliance
  • CloudVision AGNI
  • Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
  • Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
  • Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)

Required Configuration for Exploitation

In order to be vulnerable to CVE-2023-24547 the following condition must be met:

A BGP password must be configured and be in plain text. An example of this is shown below:

switch>show running-config bgp
router bgp 65000
   neighbor 192.0.2.1 remote-as 66000
   neighbor 192.0.2.1 password pA$$w0rd

If a BGP password is not configured there is no exposure to this issue.

Indicators of Compromise

No indicators of compromise exist.

Mitigation

No mitigation exists.

Resolution

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see the MOS User Guide: Updating

CVE-2023-24547 has been fixed in the following releases:

  • MOS-0.36.10 and later releases in the MOS-0.36.x train
  • MOS-0.39.4 and later releases in the MOS-0.39.x train

Because this issue would cause the password to be saved in logs and remote AAA servers it is recommended to also rotate the BGP password, if possible. Upon upgrading to a new release, the BGP password will be obfuscated with the type-7 algorithm as shown below:

switch>show running-config bgp
router bgp 65000
   neighbor 192.0.2.1 remote-as 66000
   neighbor 192.0.2.1 password key 7 00143242404C5B140B

Hotfix

The following hotfix can be applied to remediate CVE-2023-24547. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above):

  • MOS-0.39.3 and below releases in the MOS-0.39.x train
  • MOS-0.38.1 and below releases in the MOS-0.38.x train
  • MOS-0.37.1 and below releases in the MOS-0.37.x train
  • MOS-0.36.9 and below releases in the MOS-0.36.x train
  • MOS-0.35.3 and below releases in the MOS-0.35.x train
  • MOS-0.34.0 in the MOS-0.34.x train

Please note that the only MOS release trains currently under maintenance support are MOS-0.39.x and MOS-0.36.x. The hotfix working for other releases should not be treated as evidence that these releases continue to be supported. For security it is important to ensure supported releases are used.

Version: 1.0
URL: hotfix-cve-2023-24547-4.0.0-1.14.core2_64.rpm
SWIX hash:(SHA512)
168b2ee3deb8d4a3151b9c24936ff9d6523557b366ceffc98e57e8bf80638997
 

For instructions on installation and verification of the hotfix patch, refer to the "How to Install an Application" Guide.

For More Information

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

Open a Service Request

By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support