CVE-2024-8100
8.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | CloudVision | 2024.3.0 | affected |
| Arista Networks | CloudVision | 2024.0 <= 2024.2 | affected |
| Arista Networks | CloudVision | 2023.3.0 <= 2023.3.1 | affected |
| Arista Networks | CloudVision | 2023.0 <= 2023.2 | affected |
| Arista Networks | CloudVision | 2022 | affected |
| Arista Networks | CloudVision | 2021 | affected |
| Arista Networks | CloudVision | 2020 | affected |
| Arista Networks | CloudVision | 2019 | affected |
| Arista Networks | CloudVision | 2018 | affected |
Weaknesses
- CWE-269: CWE-269 Improper Privilege Management
Workarounds
Best practice is for generated device onboarding tokens to be valid for a limited time duration, and for the Device Onboarding permission which allows the generation of these tokens to only be granted to trusted users.
Successful exploit generally requires one of the following:
- A rogue or compromised internal user with Device enrollment read/write permissions OR,
- A valid device onboarding token that is easily accessible beyond the expected set of trusted users If all users with Device Onboarding privileges are trusted, and onboarding tokens are properly secured, then the risk of this issue is limited.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.