CVE-2024-6437

Summary

On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy – certain IP traffic such as IPv4 packets with IP options may bypass the feature's set nexthop action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS-Policy Based Routing (PBR)4.32.0F <= 4.32.1Faffected
Arista NetworksEOS-Policy Based Routing (PBR)4.31.0M <= 4.31.4Maffected
Arista NetworksEOS-Policy Based Routing (PBR)4.30.0M <= 4.30.7Maffected
Arista NetworksEOS-Policy Based Routing (PBR)4.29.0M <= 4.29.9Maffected
Arista NetworksEOS-Policy Based Routing (PBR)4.28.0M <= 4.28.11Maffected
Arista NetworksEOS-Policy Based Routing (PBR)4.27.0M <= 4.27.12Maffected
Arista NetworksEOS-Policy Based Routing (PBR)4.26.0M <= 4.26.14Maffected
Arista NetworksEOS-Policy Based Routing (PBR)4.25.0M <= 4.25.11Maffected
Arista NetworksEOS-Policy Based Routing (PBR)4.24.0M <= 4.24.11Maffected
Arista NetworksEOS-Policy Based Routing (PBR)4.23.0M <= 4.23.15Maffected
Arista NetworksEOS-Policy Based Routing (PBR)4.22.0M <= 4.22.13Maffected
Arista NetworksEOS-Policy Based Routing (PBR)4.21.0M <= 4.21.15Maffected
Arista NetworksEOS - BGP Flowspec4.32.0F <= 4.32.1Faffected
Arista NetworksEOS - BGP Flowspec4.31.0M <= 4.31.4Maffected
Arista NetworksEOS - BGP Flowspec4.30.0M <= 4.30.7Maffected
Arista NetworksEOS - BGP Flowspec4.29.0M <= 4.29.9Maffected
Arista NetworksEOS - BGP Flowspec4.28.0M <= 4.28.11Maffected
Arista NetworksEOS - BGP Flowspec4.27.0M <= 4.27.12Maffected
Arista NetworksEOS - BGP Flowspec4.26.0M <= 4.26.14Maffected
Arista NetworksEOS - BGP Flowspec4.25.0M <= 4.25.11Maffected
Arista NetworksEOS - BGP Flowspec4.24.0M <= 4.24.11Maffected
Arista NetworksEOS - BGP Flowspec4.23.0M <= 4.23.15Maffected
Arista NetworksEOS - BGP Flowspec4.22.0M <= 4.22.13Maffected
Arista NetworksEOS - BGP Flowspec4.21.3F <= 4.21.15Maffected
Arista NetworksEOS - Interface Traffic Policy4.32.0F <= 4.32.1Faffected
Arista NetworksEOS - Interface Traffic Policy4.31.0M <= 4.31.4Maffected
Arista NetworksEOS - Interface Traffic Policy4.30.0M <= 4.30.7Maffected
Arista NetworksEOS - Interface Traffic Policy4.29.0M <= 4.29.9Maffected
Arista NetworksEOS - Interface Traffic Policy4.28.0M <= 4.28.11Maffected
Arista NetworksEOS - Interface Traffic Policy4.27.2F <= 4.27.12Faffected

Weaknesses

  • cwe-1220

Workarounds

For all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the ip software forwarding options action drop, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an iptables rule that drops all IPv4 options traffic in the filter table of the FORWARD chain.

switch(config)#ip software forwarding options action drop

Below is shown to illustrate what the rule does. This is not a command that needs to be run.

switch(config)#bash sudo iptables -vnL EOS_FORWARD Chain EOS_FORWARD (1 references)  pkts bytes target     prot opt in     out     source               destination     0     0 DROP       all – *     *       0.0.0.0/0           0.0.0.0/0           u32 ! "0x0>>0x18=0x45"     0     0 REJECT     all – *     fwd+   0.0.0.0/0           0.0.0.0/0           u32 ! "0x0>>0x18=0x45" reject-with icmp-admin-prohibited     0     0 DROP       all – *     ma+     0.0.0.0/0           0.0.0.0/0     0     0 ACCEPT     all – *     *     !127.0.0.0/8         !127.0.0.0/8

 

Additionally, in 7280R3, 7500R3, and 7800R3 systems, the system-rule overriding-action redirect command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features' set nexthop action to take precedence over the system ACL's trap action to CPU. See TCAM redirect action overriding system rules - TOI https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules  for more information.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References