Security Advisory 0091 .CSAF
Date: February 20, 2024
Revision | Date | Changes |
---|---|---|
1.0 | February 20, 2024 | Initial release |
The CVE-ID tracking this issue: CVE-2023-6068
CVSSv3.1 Base Score: 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
Common Weakness Enumeration: CWE-283 Improper Access Control
This vulnerability is being tracked by BUG 869667
Description
On affected 7130 Series FPGA platforms running MOS and recent versions of the MultiAccess FPGA, application of ACL’s may result in incorrect operation of the configured ACL for a port resulting in some packets that should be denied being permitted and some packets that should be permitted being denied.
This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.
Vulnerability Assessment
Affected Software
- MultiAccess FPGA Software version 1.7.1 (when running with MOS)
- MultiAccess FPGA Software version 1.6.x (when running with MOS)
Affected Platforms
The following products are affected by this vulnerability:
- Arista MOS-based products:
- 7130 Series FPGA running MultiAccess version 1.7.1 or 1.6.x
The following product versions and platforms are not affected by this vulnerability:
- Arista EOS-based products:
- 710 Series
- 720D Series
- 720XP/722XPM Series
- 750X Series
- 7010 Series
- 7010X Series
- 7130 Series running EOS
- 7020R Series
- 7150 Series
- 7160 Series
- 7170 Series
- 7050X/X2/X3/X4 Series
- 7060X/X2/X4/X5 Series
- 7250X Series
- 7260X/X3 Series
- 7280E/R/R2/R3 Series
- 7300X/X3 Series
- 7320X Series
- 7358X4 Series
- 7368X4 Series
- 7388X5 Series
- 7500E/R/R2/R3 Series
- 7800R3 Series
- CloudEOS
- cEOS-lab
- vEOS-lab
- AWE 5000 Series
- Arista Wireless Access Points
- CloudVision WiFi, virtual appliance or physical appliance
- CloudVision WiFi cloud service delivery
- CloudVision eXchange, virtual or physical appliance
- CloudVision Portal, virtual appliance or physical appliance
- CloudVision as-a-Service
- CloudVision AGNI
- Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
- Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
- Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)
Required Configuration for Exploitation
In order to be vulnerable to CVE-2023-6068, the following condition must be met:
MOS must be configured with MultiAccess FPGA software versions 1.7.1 or 1.6.x and can be determined by running the show version command and referring to the highlighted section as shown below.
switch(config)#show version
Device: Metamako MetaMux 48 with L-Series
SKU: DCS-7130-48LB
Serial number: M48LB-A3-27719-4
Software image version: 0.39.0alpha4
Internal build ID: master+9345
Applications: multiaccess-1.7.1
As shown above this switch is running a vulnerable version of the MultiAccess program, v1.7.1.
Indicators of Compromise
This vulnerability may lead to forwarding of packets that should be blocked by an ACL on a port.
Once triggered, the ACL filter on a port applies ACL decisions from the previous packet to the current packet and remains stuck in this state until the FPGA is reloaded. This is not detectable at the command line and is not visible in any counter state recorded by the device.
Mitigation
The workaround is to only apply one access-list to any particular port after the MultiAccess image is loaded into the FPGA. If a new access-list is to be applied to a port, the FPGA image should be reloaded after the access-list is applied.
Run the following commands to reload the FPGA image, where the line in yellow represents new access control lists to be added:
switch(config-app-multiaccess)#shut
switch(config-app-multiaccess)#multiaccess-group 0 client 0 access-list new_acl_if_need
switch(config-app-multiaccess)#no shut
The previous applied access control lists will automatically apply after FPGA reload.
Resolution
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.
CVE-2023-6068 has been fixed in the following releases:
- MultiAccess FPGA 1.8.0 and later
Hotfix
There is no available hotfix
For More Information
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Open a Service Request
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support