CVE-2024-11186

Summary

On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended. This advisory impacts the Arista CloudVision Portal products when run on-premise. It does not impact CloudVision as-a-Service.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksCloudVision Portal2024.3.0affected
Arista NetworksCloudVision Portal2024.2.0 <= 2024.2.1affected
Arista NetworksCloudVision Portal2024.1.0 <= 2024.1.2affected
Arista NetworksCloudVision Portal2023.3affected
Arista NetworksCloudVision Portal2023.2affected
Arista NetworksCloudVision Portal2023.1affected
Arista NetworksCloudVision Portal2022.3affected
Arista NetworksCloudVision Portal2022.2affected
Arista NetworksCloudVision Portal2022.1affected
Arista NetworksCloudVision Portal2021.3affected
Arista NetworksCloudVision Portal2021.2affected
Arista NetworksCloudVision Portal2021.1affected
Arista NetworksCloudVision Portal2020.3affected
Arista NetworksCloudVision Portal2020.2affected
Arista NetworksCloudVision Portal2020.1affected
Arista NetworksCloudVision Portal2019.1affected
Arista NetworksCloudVision Portal2018.2affected
Arista NetworksCloudVision Portal2018.1affected
Arista NetworksCloudVision Portal2017.2affected

Weaknesses

  • CWE-287: CWE-287 Improper Authentication

Workarounds

The workaround is to append the following to /etc/nginx/conf.d/locations/cvp.https.conf on all CVP nodes:

location ^~ /cvpservice/di/ { return 404; }

 

Then restart nginx by running the following command on any node:

nginx-app.sh reload

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References