CVE-2025-5088
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Summary
An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS / CloudVision eXchange (CVX) | 4.34.0F <= 4.34.1F | affected |
| Arista Networks | EOS / CloudVision eXchange (CVX) | 4.33.0M <= 4.33.4M | affected |
| Arista Networks | EOS / CloudVision eXchange (CVX) | 4.32.0M <= 4.32.6M | affected |
| Arista Networks | EOS / CloudVision eXchange (CVX) | 4.31.0M <= 4.31.8M | affected |
| Arista Networks | EOS / CloudVision eXchange (CVX) | 4.30.0 < 4.31.0 | affected |
Weaknesses
- CWE-269: CWE-269: Improper Privilege Management
Workarounds
To run the redis-server as a dedicated "redis" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions.
Please ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.
Log in to the CVX Server
Access your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.
Stop Redis Before Applying Changes
It is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service.
Executing no redis password stops the Redis service by removing its authentication credentials, which prevents it from running.
cvx>enable cvx#config cvx(config)#cvx cvx(config-cvx)#service mcs cvx(config-cvx-mcs)#no redis password cvx(config-cvx-mcs)#
Edit the redis.service Systemd Service File
This step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run.
First, transition to bash mode from the CVX configuration prompt:
cvx(config-cvx-mcs)#bash
Once in bash, use sudo nano to edit the redis.service file:
[cvx ~]$sudo nano /etc/systemd/system/redis.service
Add 'User' and 'Group' Directives to the [Service] Section
Within the redis.service file, locate the [Service] section and add the following lines:
[Service] User=redis Group=redis
This modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security.
Save and exit the editor.
Change Ownership of the Redis Log File
To ensure the redis user has appropriate write permissions for its log file, change the ownership of /var/log/redis/redis.log to the redis user and group.
[cvx ~]$sudo chown redis:redis /var/log/redis/redis.log
This step is required for the Redis server to be able to write logs once it restarts under the new user and group.
Restart the Redis with New Changes
After making all necessary modifications, restart the Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online.
First, exit bash mode:
[cvx ~]$exit
Then, reconfigure the Redis password:
cvx(config-cvx-mcs)#redis password <secret>
Replace <secret> with your actual Redis password. This action will re-enable the Redis, and it will now run with the specified redis user and redis group.
NOTE: Following a CVX server reload or power cycle, all previously mentioned steps must be repeated.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.