CVE-2024-6437
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Summary
On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy – certain IP traffic such as IPv4 packets with IP options may bypass the feature's set nexthop action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.32.0F <= 4.32.1F | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.31.0M <= 4.31.4M | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.30.0M <= 4.30.7M | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.29.0M <= 4.29.9M | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.28.0M <= 4.28.11M | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.27.0M <= 4.27.12M | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.26.0M <= 4.26.14M | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.25.0M <= 4.25.11M | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.24.0M <= 4.24.11M | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.23.0M <= 4.23.15M | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.22.0M <= 4.22.13M | affected |
| Arista Networks | EOS-Policy Based Routing (PBR) | 4.21.0M <= 4.21.15M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.32.0F <= 4.32.1F | affected |
| Arista Networks | EOS - BGP Flowspec | 4.31.0M <= 4.31.4M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.30.0M <= 4.30.7M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.29.0M <= 4.29.9M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.28.0M <= 4.28.11M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.27.0M <= 4.27.12M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.26.0M <= 4.26.14M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.25.0M <= 4.25.11M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.24.0M <= 4.24.11M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.23.0M <= 4.23.15M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.22.0M <= 4.22.13M | affected |
| Arista Networks | EOS - BGP Flowspec | 4.21.3F <= 4.21.15M | affected |
| Arista Networks | EOS - Interface Traffic Policy | 4.32.0F <= 4.32.1F | affected |
| Arista Networks | EOS - Interface Traffic Policy | 4.31.0M <= 4.31.4M | affected |
| Arista Networks | EOS - Interface Traffic Policy | 4.30.0M <= 4.30.7M | affected |
| Arista Networks | EOS - Interface Traffic Policy | 4.29.0M <= 4.29.9M | affected |
| Arista Networks | EOS - Interface Traffic Policy | 4.28.0M <= 4.28.11M | affected |
| Arista Networks | EOS - Interface Traffic Policy | 4.27.2F <= 4.27.12F | affected |
Weaknesses
- cwe-1220
Workarounds
For all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the ip software forwarding options action drop, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an iptables rule that drops all IPv4 options traffic in the filter table of the FORWARD chain.
switch(config)#ip software forwarding options action drop
Below is shown to illustrate what the rule does. This is not a command that needs to be run.
switch(config)#bash sudo iptables -vnL EOS_FORWARD Chain EOS_FORWARD (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 u32 ! "0x0>>0x18=0x45" 0 0 REJECT all – * fwd+ 0.0.0.0/0 0.0.0.0/0 u32 ! "0x0>>0x18=0x45" reject-with icmp-admin-prohibited 0 0 DROP all – * ma+ 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all – * * !127.0.0.0/8 !127.0.0.0/8
Additionally, in 7280R3, 7500R3, and 7800R3 systems, the system-rule overriding-action redirect command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features' set nexthop action to take precedence over the system ACL's trap action to CPU. See TCAM redirect action overriding system rules - TOI https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules for more information.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.