Security Advisory 0015
Date: November 18th, 2015
| Revision | Date | Changes |
|---|---|---|
| 1.0 | November 18th, 2015 | Public release |
| 1.1 | November 18th, 2015 | Updated to include CVE number and bug ID |
Arista EOS Remote Privilege Escalation Vulnerability - CVE-2015-8236
This advisory is to document a security vulnerability identified by Arista Networks that affects EOS. Affected EOS releases are listed in Table-1 below. This issue is a privilege escalation vulnerability that could allow a remote attacker with IP connectivity to the management plane of the switch to run arbitrary code as a privileged user. This includes getting root level access to the bash shell on the switch. It is not required for the attacker to have credentials for a user account on the switch. All methods of management plane access are exposed.
NOTE: This vulnerability was identified internally by Arista Networks and there have been no external reports of an exploit, as of the date of this notice.
Recommended Action: For switches running any affected EOS version, the immediate recommendation is to install a non-disruptive patch or to upgrade to a remediated version of EOS. Either step will prevent any exploit.
A single patch for this issue is available for EOS versions 4.5.0 and later via the URL below and this patch can be installed non-disruptively. Applying this patch serves as a permanent resolution to this issue. Instructions to install the patch is documented in this advisory.
Table-2 below contains the list of EOS versions that contain the security fix.
Affected software releases: All EOS releases shipped prior to the date of this release are affected. The following table only lists the affected EOS versions from the supported release trains. Release trains older than 4.11, such as 4.10, 4.9, 4.8, 4.7, 4.6, 4.5 and older, are affected as well.
| 4.15 | 4.14 | 4.13 | 4.12 | Older release trains |
|---|---|---|---|---|
4.15.0F
|
4.14.0F 4.14.1F 4.14.2F 4.14.3F 4.14.3.1F 4.14.4F 4.14.4.1F 4.14.4.2F 4.14.5F
4.14.7M 4.14.7.1M 4.14.8M 4.14.8.1M 4.14.9M |
4.13.1.1F 4.13.2.1F 4.13.3.1F 4.13.4.1F 4.13.5F 4.13.5.1F 4.13.6F 4.13.7M 4.13.7.2M 4.13.7.3M 4.13.8M 4.13.9M 4.13.9.1M 4.13.10M 4.13.11M 4.13.12M 4.13.13M |
4.12.5.2 4.12.6.1 4.12.7.1 4.12.8 4.12.8.1 4.12.9 4.12.10 |
All releases in 4.11 All releases in 4.10 All releases in 4.9 All releases in 4.8 All releases in 4.7 All releases in 4.6 All releases in 4.5 All release trains older than 4.5 |
Table-1: Affected EOS releases
Affected platforms: All Arista platforms
Resolution:Bug 138716 tracks this vulnerability. The following table lists the releases that contain the fix for the vulnerability. These releases are available on the software downloads page.
| EOS-4.15 | EOS-4.14 | EOS-4.13 | EOS-4.12 | EOS-4.11 |
|---|---|---|---|---|
| 4.15.0FX1.1 4.15.0FXA.1 4.15.1FXB.1 4.15.1FX-7060X.1 4.15.2.1F or later |
4.14.5FX.5 4.14.5.1F-SSU.1 4.14.9.1M or later |
4.13.14M or later | 4.12.11 or later | 4.11.12 or later |
Table-2: EOS releases with security fix
Patch file download URL: secAdvisory0015.swix
MD5SUM: 12a669428dc3ac8697dffabed31c18f9
SHA512SUM: 4c98ba78dfa93f180e0f826d0d82f41219125dcccdf37595b65277193492fa9aa5ec13b79eec25765a8375b58d8594879e9d369175e9d6f9c3fd092392d0aee8
NOTE:
- The patch is applicable only to EOS versions starting at 4.5.0 and later
- Installing the patch is non-disruptive to switch operation or traffic flowing through the switch
- A reload of the switch is not required for the patch to take effect
Instructions to install the patch
- Download the patch file and copy the file to the extension partition of the switch using one of the supported file transfer protocols:
switch#copy scp://10.10.0.1/secAdvisory0015.swix extension:
switch#verify /sha512 extension:secAdvisory0015.swix
Verify that the checksum value returned by the above command matches the provided SHA512 checksum for the file
On modular systems with dual supervisors, download the file to the extension partition of the active supervisor and copy it to the standby supervisor using the following two commands:switch(s1)(config)#copy extension:secAdvisory0015.swix supervisor-peer:/mnt/flash/
switch(s2-standby)#copy flash:secAdvisory0015.swix extension: - Install the patch using the extension command. The patch takes effect immediately at the time of installation.
switch#extension secAdvisory0015.swix
On modular systems with dual supervisors, the patch has to be installed on the active and standby supervisors:switch(s1)#extension secAdvisory0015.swix
switch(s2-standby)#extension secAdvisory0015.swix
If eAPI is enabled, the eAPI agent or the uwsgi service will restart after the patch has been installed. One of following messages will be logged as a result:ProcMgr-worker: %PROCMGR-6-PROCESS_RESTART: Restarting 'CapiApp' immediately
SuperServer: %SYS-4-RESTART_SERVICE: Service uwsgi is not running. Attempting to restart it. - Verify that the patch is installed using the following commands:
switch#show extensions
Name Version/Release Status extension
----------------- ------------------------- ------ ---------
secAdvisory0015.swix 1.0.0/SA15 A, I 1
A: available | NA: not available | I: installed | NI: not installed | F: forcedswitch#show ver detail | grep SA15
secAdvisory0015 1.0.0 SA15 - Make the patch persistent across reloads. This ensures that the patch is installed as part of the boot-sequence. The patch will not install on EOS versions with the security fix.
switch#copy installed-extensions boot-extensions
switch#show boot-extensions
secAdvisory0015.swix
For dual supervisor systems run the above copy command on both active and standby supervisors:switch(s1)#copy installed-extensions boot-extensions
switch(s2-standby)#copy installed-extensions to boot-extensions
Instructions to uninstall the patch:
- Uninstall the patch using the following command:
switch#no extension secAdvisory0015.swix
On modular systems with dual supervisors, the patch has to be uninstalled on the active and standby supervisors:switch(s1)#no extension secAdvisory0015.swix
switch(s2-standby)#no extension secAdvisory0015.swix
The output of ‘show extensions’ will reflect the status of the patch as ‘NI: Not installed’switch#show extension
NOTE: Once the extension has been uninstalled, the switch is no longer protected against the vulnerability.
Name Version/Release Status extension
----------------- ------------------------- ------ ---------
secAdvisory0015.swix 1.0.0/SA15 A, NI 1
A: available | NA: not available | I: installed | NI: not installed | F: forced - To make this change persistent across switch reloads, run the following command to remove the patch from boot-extensions:
switch#copy installed-extensions boot-extensions
switch#show boot-extensions
For dual supervisor systems run the above copy command on both active and standby supervisors:switch(s1)#copy installed-extensions boot-extensions
switch(s2-standby)#copy installed-extensions boot-extensions
Upgrade considerations:
- It is recommended to uninstall the patch before upgrading to a remediated version of EOS. To uninstall the patch, follow the instructions above.
- When upgrading from EOS versions older than 4.11.0, please refer to the release notes for considerations around memory and software support
For More Information:
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Open a Service Request:
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502
866-476-0000