mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-29 05:56:59 +00:00
142 lines
20 KiB
JSON
142 lines
20 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2024-8000",
|
|
"ASSIGNER": "psirt@arista.com",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. \n\nNote: supplicants with pending captive-portal authentication during ASU would be impacted with this bug."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-1284 Improper Validation of Specified Quantity in Input",
|
|
"cweId": "CWE-1284"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Arista Networks",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "EOS",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<=",
|
|
"version_name": "4.32.0",
|
|
"version_value": "4.32.4M"
|
|
},
|
|
{
|
|
"version_affected": "<=",
|
|
"version_name": "4.31.0",
|
|
"version_value": "4.31.5M"
|
|
},
|
|
{
|
|
"version_affected": "<=",
|
|
"version_name": "4.30.0",
|
|
"version_value": "4.30.8M"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21086-security-advisory-0109",
|
|
"refsource": "MISC",
|
|
"name": "https://www.arista.com/en/support/advisories-notices/security-advisory/21086-security-advisory-0109"
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.2.0"
|
|
},
|
|
"source": {
|
|
"advisory": "109",
|
|
"defect": [
|
|
"989881"
|
|
],
|
|
"discovery": "INTERNAL"
|
|
},
|
|
"configuration": [
|
|
{
|
|
"lang": "en",
|
|
"supportingMedia": [
|
|
{
|
|
"base64": false,
|
|
"type": "text/html",
|
|
"value": "<p>In order to be vulnerable to CVE-2024-8000, the following three conditions must be met:</p><ol><li>802.1X must be configured.<div> </div></li><li>The customer must have an external AAA server configured which sends a multi-line dynamic ACL.<div> </div></li><li>ASU must have occurred ( more information about the upgrade process can be found here at <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\">Upgrades and Downgrades - Arista</a> ). The version being upgraded from is an affected software version, and the version being upgraded to is an affected software version as listed above. </li></ol><p>The below example shows an example of this issue before and after ASU:</p><pre>switch#show dot1x hosts mac 0001.0203.0405 detail | json\n{\n \"supplicantMac\": \"00:01:02:03:04:05\",\n \"identity\": \"user3\",\n \"interface\": \"Ethernet3/47\",\n \"authMethod\": \"EAPOL\",\n \"authStage\": \"SUCCESS\",\n \"fallback\": \"NONE\",\n \"callingStationId\": \"00-01-02-03-04-05\",\n \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n \"reauthInterval\": 0,\n \"cacheConfTime\": 0,\n \"vlanId\": \"202\",\n \"accountingSessionId\": \"\",\n \"captivePortal\": \"\",\n \"captivePortalSource\": \"\",\n \"aristaWebAuth\": \"\",\n \"supplicantClass\": \"\",\n \"filterId\": \"\",\n \"framedIpAddress\": \"0.0.0.0\",\n \"framedIpAddrSource\": \"sourceNone\",\n <span style=\"background-color: rgb(255, 255, 0);\"><b>\"nasFilterRules\": [</b>\n<b> \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\",</b>\n<b> \"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\",</b>\n<b> \"permit tcp any any eq 80\", </b>\n<b> \"permit tcp any any eq 443\",</b>\n<b> \u201cdeny ip host 192.168.1.100\"</b>\n <b>],</b></span>\n \"sessionTimeout\": 0,\n \"terminationAction\": \"\",\n \"tunnelPrivateGroupId\": \"\",\n \"aristaPeriodicIdentity\": \"\",\n \"cachedAuthAtLinkDown\": false,\n \"reauthTimeoutSeen\": false,\n \"sessionCached\": false,\n \"detail_\": true\n}\n</pre><div> </div><p>The above example is before ASU. Note that the \u201cnasFilterRules\u201d has 5 rules in it.</p><p>When ASU is performed:</p><pre>switch#show dot1x hosts mac 0001.0203.0405 detail | json\n{\n \"supplicantMac\": \"00:01:02:03:04:05\",\n \"identity\": \"user3\",\n \"interface\": \"Ethernet3/47\",\n \"authMethod\": \"EAPOL\",\n \"authStage\": \"SUCCESS\",\n \"fallback\": \"NONE\",\n \"callingStationId\": \"00-01-02-03-04-05\",\n \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n \"reauthInterval\": 0,\n \"cacheConfTime\": 0,\n \"vlanId\": \"202\",\n \"accountingSessionId\": \"\",\n \"captivePortal\": \"\",\n \"captivePortalSource\": \"\",\n \"aristaWebAuth\": \"\",\n \"supplicantClass\": \"\",\n \"filterId\": \"\",\n \"framedIpAddress\": \"0.0.0.0\",\n \"framedIpAddrSource\": \"sourceNone\",\n <span style=\"background-color: rgb(255, 255, 0);\"><b>\"nasFilterRules\": [</b>\n<b> \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\"</b>\n <b>],</b></span>\n \"sessionTimeout\": 0,\n \"terminationAction\": \"\",\n \"tunnelPrivateGroupId\": \"\",\n \"aristaPeriodicIdentity\": \"\",\n \"cachedAuthAtLinkDown\": false,\n \"reauthTimeoutSeen\": false,\n \"sessionCached\": false,\n \"detail_\": true\n}\n</pre><p>The above example is after ASU. Note the nasFilterRule is now only one line. </p><p>Note: This symptom is not present when a non-ASU upgrade (i.e. standard reboot) takes place.</p><br>"
|
|
}
|
|
],
|
|
"value": "In order to be vulnerable to CVE-2024-8000, the following three conditions must be met:\n\n * 802.1X must be configured.\u00a0\n\n\n * The customer must have an external AAA server configured which sends a multi-line dynamic ACL.\u00a0\n\n\n * ASU must have occurred ( more information about the upgrade process can be found here at Upgrades and Downgrades - Arista https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \u00a0). The version being upgraded from is an affected software version, and the version being upgraded to is an affected software version as listed above. \nThe below example shows an example of this issue before and after ASU:\n\nswitch#show dot1x hosts mac 0001.0203.0405 detail | json\n{\n\u00a0 \u00a0 \"supplicantMac\": \"00:01:02:03:04:05\",\n\u00a0 \u00a0 \"identity\": \"user3\",\n\u00a0 \u00a0 \"interface\": \"Ethernet3/47\",\n\u00a0 \u00a0 \"authMethod\": \"EAPOL\",\n\u00a0 \u00a0 \"authStage\": \"SUCCESS\",\n\u00a0 \u00a0 \"fallback\": \"NONE\",\n\u00a0 \u00a0 \"callingStationId\": \"00-01-02-03-04-05\",\n\u00a0 \u00a0 \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n\u00a0 \u00a0 \"reauthInterval\": 0,\n\u00a0 \u00a0 \"cacheConfTime\": 0,\n\u00a0 \u00a0 \"vlanId\": \"202\",\n\u00a0 \u00a0 \"accountingSessionId\": \"\",\n\u00a0 \u00a0 \"captivePortal\": \"\",\n\u00a0 \u00a0 \"captivePortalSource\": \"\",\n\u00a0 \u00a0 \"aristaWebAuth\": \"\",\n\u00a0 \u00a0 \"supplicantClass\": \"\",\n\u00a0 \u00a0 \"filterId\": \"\",\n\u00a0 \u00a0 \"framedIpAddress\": \"0.0.0.0\",\n\u00a0 \u00a0 \"framedIpAddrSource\": \"sourceNone\",\n \"nasFilterRules\": [\n\u00a0 \u00a0 \u00a0 \u00a0 \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"permit tcp any any eq 80\", \n\u00a0 \u00a0 \u00a0 \u00a0 \"permit tcp any any eq 443\",\n\u00a0 \u00a0 \u00a0 \u00a0 \u201cdeny ip host 192.168.1.100\"\n ],\n\u00a0 \u00a0 \"sessionTimeout\": 0,\n\u00a0 \u00a0 \"terminationAction\": \"\",\n\u00a0 \u00a0 \"tunnelPrivateGroupId\": \"\",\n\u00a0 \u00a0 \"aristaPeriodicIdentity\": \"\",\n\u00a0 \u00a0 \"cachedAuthAtLinkDown\": false,\n\u00a0 \u00a0 \"reauthTimeoutSeen\": false,\n\u00a0 \u00a0 \"sessionCached\": false,\n\u00a0 \u00a0 \"detail_\": true\n}\n\n\n\u00a0\n\nThe above example is before ASU. Note that the \u201cnasFilterRules\u201d has 5 rules in it.\n\nWhen ASU is performed:\n\nswitch#show dot1x hosts mac 0001.0203.0405 detail | json\n{\n\u00a0 \u00a0 \"supplicantMac\": \"00:01:02:03:04:05\",\n\u00a0 \u00a0 \"identity\": \"user3\",\n\u00a0 \u00a0 \"interface\": \"Ethernet3/47\",\n\u00a0 \u00a0 \"authMethod\": \"EAPOL\",\n\u00a0 \u00a0 \"authStage\": \"SUCCESS\",\n\u00a0 \u00a0 \"fallback\": \"NONE\",\n\u00a0 \u00a0 \"callingStationId\": \"00-01-02-03-04-05\",\n\u00a0 \u00a0 \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n\u00a0 \u00a0 \"reauthInterval\": 0,\n\u00a0 \u00a0 \"cacheConfTime\": 0,\n\u00a0 \u00a0 \"vlanId\": \"202\",\n\u00a0 \u00a0 \"accountingSessionId\": \"\",\n\u00a0 \u00a0 \"captivePortal\": \"\",\n\u00a0 \u00a0 \"captivePortalSource\": \"\",\n\u00a0 \u00a0 \"aristaWebAuth\": \"\",\n\u00a0 \u00a0 \"supplicantClass\": \"\",\n\u00a0 \u00a0 \"filterId\": \"\",\n\u00a0 \u00a0 \"framedIpAddress\": \"0.0.0.0\",\n\u00a0 \u00a0 \"framedIpAddrSource\": \"sourceNone\",\n \"nasFilterRules\": [\n\u00a0 \u00a0 \u00a0 \u00a0 \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\"\n ],\n\u00a0 \u00a0 \"sessionTimeout\": 0,\n\u00a0 \u00a0 \"terminationAction\": \"\",\n\u00a0 \u00a0 \"tunnelPrivateGroupId\": \"\",\n\u00a0 \u00a0 \"aristaPeriodicIdentity\": \"\",\n\u00a0 \u00a0 \"cachedAuthAtLinkDown\": false,\n\u00a0 \u00a0 \"reauthTimeoutSeen\": false,\n\u00a0 \u00a0 \"sessionCached\": false,\n\u00a0 \u00a0 \"detail_\": true\n}\n\n\nThe above example is after ASU. Note the nasFilterRule is now only one line. \n\nNote: This symptom is not present when a non-ASU upgrade (i.e. standard reboot) takes place."
|
|
}
|
|
],
|
|
"work_around": [
|
|
{
|
|
"lang": "en",
|
|
"supportingMedia": [
|
|
{
|
|
"base64": false,
|
|
"type": "text/html",
|
|
"value": "<p>The workaround is to re-authenticate each supplicant. This can be done by running the command \u201c<b>dot1x re-authenticate</b>\u201d on the interface post ASU. Alternatively, if the reauthentication timer is enabled, the ACL will be correctly reprogrammed once the timer has expired and re-authentication occurs. </p><pre>switch(Ethernet 1)#dot1x re-authenticate\n</pre><div> </div><p>Alternatively, flapping the interface will trigger reauthentication of the supplicants and correct the ACL which is installed for each mac on that interface.</p><pre>switch(Ethernet 1)#shut\nswitch(Ethernet 1)#no shut\n</pre><div> </div><p>In both cases mentioned, we can verify that reauth has been triggered by checking the output of `<b>show logging</b>` to show the supplicant has been successfully authenticated and `<b>show ip access-lists</b>` to verify the ACL is installed correctly. </p><pre>switch(Ethernet 1)#show logging\nAug 24 07:12:05 switch Dot1x: DOT1X-6-SUPPLICANT_AUTHENTICATED: Supplicant with identity 00:01:02:03:04:05, MAC 0001.0203.0405 and dynamic VLAN None successfully authenticated on port Ethernet1.\n \nswitch#show ip access-lists\nPhone ACL bypass: disabled\nIP Access List 802.1x-3212953518000 [dynamic]\n 10 deny ip 10.1.0.0/16 20.1.0.0/16\n 20 permit ip from 11.0.0.0/8 to 12.0.0.0/8\n 30 permit tcp any any eq 80\n 40 permit tcp any any eq 443\n 50 deny ip host 192.168.1.100\n \n Total rules configured: 5\n \nswitch#show dot1x hosts mac 0001.203.0405 detail | json\n{\n \"supplicantMac\": \"00:01:02:03:04:05\",\n \"identity\": \"user3\",\n \"interface\": \"Ethernet3/47\",\n \"authMethod\": \"EAPOL\",\n \"authStage\": \"SUCCESS\",\n \"fallback\": \"NONE\",\n \"callingStationId\": \"00:01:02:03:04:05\",\n \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n \"reauthInterval\": 0,\n \"cacheConfTime\": 0,\n \"vlanId\": \"202\",\n \"accountingSessionId\": \"\",\n \"captivePortal\": \"\",\n \"captivePortalSource\": \"\",\n \"aristaWebAuth\": \"\",\n \"supplicantClass\": \"\",\n \"filterId\": \"\",\n \"framedIpAddress\": \"0.0.0.0\",\n \"framedIpAddrSource\": \"sourceNone\",\n <span style=\"background-color: rgb(255, 255, 0);\">\"nasFilterRules\": [\n \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\",\n \"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\",\n \"permit tcp any any eq 80\",\n \"permit tcp any any eq 443\",\n \u201cdeny ip host 192.168.1.100\"\n ],</span>\n \"sessionTimeout\": 0,\n \"terminationAction\": \"\",\n \"tunnelPrivateGroupId\": \"\",\n \"aristaPeriodicIdentity\": \"\",\n \"cachedAuthAtLinkDown\": false,\n \"reauthTimeoutSeen\": false,\n \"sessionCached\": false,\n \"detail_\": true\n}</pre><p>In the above example the supplicant has been re-authenticated and the nasFilterRules shows 5 rules, as before.</p><br>"
|
|
}
|
|
],
|
|
"value": "The workaround is to re-authenticate each supplicant. This can be done by running the command \u201cdot1x re-authenticate\u201d on the interface post ASU. Alternatively, if the reauthentication timer is enabled, the ACL will be correctly reprogrammed once the timer has expired and re-authentication occurs. \n\nswitch(Ethernet 1)#dot1x re-authenticate\n\n\n\u00a0\n\nAlternatively, flapping the interface will trigger reauthentication of the supplicants and correct the ACL which is installed for each mac on that interface.\n\nswitch(Ethernet 1)#shut\nswitch(Ethernet 1)#no shut\n\n\n\u00a0\n\nIn both cases mentioned, we can verify that reauth has been triggered by checking the output of `show logging` to show the supplicant has been successfully authenticated and `show ip access-lists` to verify the ACL is installed correctly. \n\nswitch(Ethernet 1)#show logging\nAug 24 07:12:05 switch Dot1x: DOT1X-6-SUPPLICANT_AUTHENTICATED: Supplicant with identity 00:01:02:03:04:05, MAC 0001.0203.0405 and dynamic VLAN None successfully authenticated on port Ethernet1.\n \nswitch#show ip access-lists\nPhone ACL bypass: disabled\nIP Access List 802.1x-3212953518000 [dynamic]\n\u00a0 \u00a0 \u00a0 \u00a0 10 deny ip 10.1.0.0/16 20.1.0.0/16\n \u00a0 \u00a020 permit ip from 11.0.0.0/8 to 12.0.0.0/8\n\u00a0 \u00a0 \u00a0 \u00a0 30 permit tcp any any eq 80\n\u00a0 \u00a0 \u00a0 \u00a0 40 permit tcp any any eq 443\n\u00a0 \u00a0 \u00a0 \u00a0 50 deny ip host 192.168.1.100\n \n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 5\n \nswitch#show dot1x hosts mac 0001.203.0405 detail | json\n{\n\u00a0 \u00a0 \"supplicantMac\": \"00:01:02:03:04:05\",\n\u00a0 \u00a0 \"identity\": \"user3\",\n\u00a0 \u00a0 \"interface\": \"Ethernet3/47\",\n\u00a0 \u00a0 \"authMethod\": \"EAPOL\",\n\u00a0 \u00a0 \"authStage\": \"SUCCESS\",\n\u00a0 \u00a0 \"fallback\": \"NONE\",\n\u00a0 \u00a0 \"callingStationId\": \"00:01:02:03:04:05\",\n\u00a0 \u00a0 \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n\u00a0 \u00a0 \"reauthInterval\": 0,\n\u00a0 \u00a0 \"cacheConfTime\": 0,\n\u00a0 \u00a0 \"vlanId\": \"202\",\n\u00a0 \u00a0 \"accountingSessionId\": \"\",\n\u00a0 \u00a0 \"captivePortal\": \"\",\n\u00a0 \u00a0 \"captivePortalSource\": \"\",\n\u00a0 \u00a0 \"aristaWebAuth\": \"\",\n\u00a0 \u00a0 \"supplicantClass\": \"\",\n\u00a0 \u00a0 \"filterId\": \"\",\n\u00a0 \u00a0 \"framedIpAddress\": \"0.0.0.0\",\n\u00a0 \u00a0 \"framedIpAddrSource\": \"sourceNone\",\n\u00a0 \u00a0 \"nasFilterRules\": [\n\u00a0 \u00a0 \u00a0 \u00a0 \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"permit tcp any any eq 80\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"permit tcp any any eq 443\",\n\u00a0 \u00a0 \u00a0 \u00a0 \u201cdeny ip host 192.168.1.100\"\n\u00a0 \u00a0 ],\n\u00a0 \u00a0 \"sessionTimeout\": 0,\n\u00a0 \u00a0 \"terminationAction\": \"\",\n\u00a0 \u00a0 \"tunnelPrivateGroupId\": \"\",\n\u00a0 \u00a0 \"aristaPeriodicIdentity\": \"\",\n\u00a0 \u00a0 \"cachedAuthAtLinkDown\": false,\n\u00a0 \u00a0 \"reauthTimeoutSeen\": false,\n\u00a0 \u00a0 \"sessionCached\": false,\n\u00a0 \u00a0 \"detail_\": true\n}\n\nIn the above example the supplicant has been re-authenticated and the nasFilterRules shows 5 rules, as before."
|
|
}
|
|
],
|
|
"solution": [
|
|
{
|
|
"lang": "en",
|
|
"supportingMedia": [
|
|
{
|
|
"base64": false,
|
|
"type": "text/html",
|
|
"value": "<p>The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\">EOS User Manual: Upgrades and Downgrades</a>. </p><div> </div><div>CVE-2024-8000 has been fixed in the following releases:</div><ul><li>4.33.0M and above</li><li>4.32.5M and above releases in the 4.32.x train</li><li>4.31.6M and above releases in the 4.31.x train</li><li>4.30.9M and above releases in the 4.30.x train</li></ul><br>"
|
|
}
|
|
],
|
|
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades . \n\n\u00a0\n\nCVE-2024-8000 has been fixed in the following releases:\n\n * 4.33.0M and above\n * 4.32.5M and above releases in the 4.32.x train\n * 4.31.6M and above releases in the 4.31.x train\n * 4.30.9M and above releases in the 4.30.x train"
|
|
}
|
|
],
|
|
"impact": {
|
|
"cvss": [
|
|
{
|
|
"attackComplexity": "HIGH",
|
|
"attackVector": "ADJACENT_NETWORK",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 5.3,
|
|
"baseSeverity": "MEDIUM",
|
|
"confidentialityImpact": "NONE",
|
|
"integrityImpact": "HIGH",
|
|
"privilegesRequired": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"userInteraction": "NONE",
|
|
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
|
|
"version": "3.1"
|
|
}
|
|
]
|
|
}
|
|
} |