CVE-2024-7142

Summary

On Arista CloudVision Appliance (CVA) affected releases running on appliances that support hardware disk encryption (DCA-350E-CV only), the disk encryption might not be successfully performed. This results in the disks remaining unsecured and data on them

Affected Software

VendorProductVersion RangeStatus
Arista NetworksCloudVision Appliance5.0.2affected
Arista NetworksCloudVision Appliance6.0.0 <= 6.0.6affected

Weaknesses

  • CWE-311: CWE-311

Workarounds

To manually fix the issue on a vulnerable system determined by following the steps depicted in the Determining a vulnerable device https://www.arista.com/en/support/advisories-notices/security-advisory/20405-security-advisory-0104#pageLink-2  section, run the following commands to enable the encryption of the virtual disks. The FQDD of the RAID controller(s) and virtual disks will be needed for this mitigation. See the Preliminary steps https://www.arista.com/en/support/advisories-notices/security-advisory/20405-security-advisory-0104#pageLink-3  section on how to retrieve them. Note as the security key was set before on this vulnerable system, it is not needed to set it again here. Please see the Caveats https://www.arista.com/en/support/advisories-notices/security-advisory/20405-security-advisory-0104#pageLink-4  section for more information.

Generally, the overall process takes up to 10 minutes. The performance of a running system is not expected to degrade when the following steps are carried out.

  • Encrypt all virtual disks that belong to the RAID controller by running the following command for each of them: racadm storage encryptvd:<virtual drive FQDD>

 

  • Create the job for the RAID controller and monitor its progress: racadm jobqueue create <RAID controller FQDD> –realtime

 

This command must return the scheduled configuration job ID in its output. Look for Commit JID = JID_xxxxx in the output. Then check the status of this job with racadm jobqueue view -i <jobId>. It will take up to 10 minutes to complete. 

  • After the job is complete, run the following command to see if all the virtual disks are encrypted. racadm storage get vdisks –refkey <RAID controller FQDD> -o

The output should show Secured = YES against each one of them.

The following is an example of the aforementioned steps.

[root@cv ~]# racadm storage encryptvd:Disk.Virtual.238:RAID.SL.3-1 STOR094 : The storage configuration operation is successfully completed and the change is in pending state. <–snip—->

[root@cv ~]# racadm jobqueue create RAID.SL.3-1 –realtime RAC1024: Successfully scheduled a job. Verify the job status using "racadm jobqueue view -i JID_xxxxx" command. Commit JID = JID_218438865303

[root@cv ~]# racadm jobqueue view -i JID_218438865303 —————————- JOB ————————- [Job ID=JID_218438865303] Job Name=Configure: RAID.SL.3-1 Status=Running <–snip—-> Percent Complete=[1]

[root@cv ~]# racadm jobqueue view -i JID_218438865303 —————————- JOB ————————- [Job ID=JID_218438865303] Job Name=Configure: RAID.SL.3-1 Status=Completed <–snip—-> Percent Complete=[100]

[root@cv ~]# racadm storage get vdisks –refkey RAID.SL.3-1 -o

Disk.Virtual.238:RAID.SL.3-1    Status                               = Ok    DeviceDescription                   = Virtual Disk 238 on RAID Controller in SL 3    Name                                 = os <–snip—->    Secured                             = YES <–snip—->     Disk.Virtual.239:RAID.SL.3-1    Status                               = Ok    DeviceDescription                   = Virtual Disk 239 on RAID Controller in SL 3    Name                                 = data <–snip—->    Secured                             = YES <–snip—->

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References