CVE-2023-24510
📋 TL;DR
This vulnerability in the Arista EOS DHCP relay agent allows an unauthenticated attacker who can deliver a malformed DHCP packet to the relay to cause a denial of service: the relay agent restarts, and DHCP traffic is not relayed while it is down. It affects Arista switches and routers running vulnerable EOS versions with DHCP relay enabled, and can disrupt address assignment for every segment that depends on the relay.
💻 Affected Systems
- Arista switches and routers running an affected EOS release with DHCP relay enabled (the agent is exposed only where relay is configured)
📦 What is this software?
EOS (Extensible Operating System) by Arista Networks, the network operating system that runs on Arista switches and routers. The DHCP relay agent is one of its system agents; it forwards client DHCP requests to configured servers on other subnets.
⚠️ Risk & Real-World Impact
Worst Case
Repeated exploitation could cause persistent DHCP relay failures, leading to network outages and service disruption for DHCP-dependent devices.
Likely Case
Intermittent DHCP relay restarts causing temporary loss of DHCP services, resulting in devices failing to obtain IP addresses.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated network segments, minimizing overall disruption.
🎯 Exploit Status
Exploitation requires only the ability to deliver a malformed DHCP packet to an interface on which the relay agent is listening, typically a client-facing segment with a helper address configured. DHCP carries no authentication, so any host on such a segment can send the packet; the page does not reference a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Arista advisory for specific fixed EOS versions
Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisory/17445-security-advisory-0087
Restart Required: Yes
Instructions:
1. Review the Arista advisory to identify the fixed EOS version for your hardware and release train.
2. Download and install the patched EOS version from Arista support.
3. Reboot the device to apply the update.
4. Verify the update with `show version` and confirm the reported software image version matches the fixed release.
🔧 Temporary Workarounds
Disable DHCP relay
Temporarily disable the DHCP relay agent to prevent exploitation. This breaks DHCP for every relayed network, so it is only suitable where clients can fall back to a local DHCP server or static addressing. On EOS, relay is enabled per interface by `ip helper-address`; removing the helper addresses from the relayed interfaces is the per-interface equivalent of the global command below. Verify the exact syntax against the command reference for your EOS release.
configure terminal
no ip dhcp relay
🧯 If You Can't Patch
- Implement network segmentation so that only the segments that genuinely need relayed DHCP have a helper address configured; the agent is reachable only on interfaces where relay is enabled.
- Use ACLs to limit which sources may send DHCP (UDP 67/68) toward the relay. An ACL cannot recognise a malformed packet, but it can drop DHCP arriving on uplinks and other non-client interfaces from anything other than the configured DHCP server, which removes the attack surface from those paths. Client-facing segments remain exposed, since clients send DHCP from 0.0.0.0 and cannot be distinguished by source address.
🔍 How to Verify
Check if Vulnerable:
Check the EOS version on each Arista device. If it is older than the fixed version for its release train listed in the advisory and DHCP relay is enabled (an `ip helper-address` on any interface, or the relay otherwise configured), the device is vulnerable.
Check Version:
show version | include Software image version
Verify Fix Applied:
After patching, confirm the EOS version is updated to a fixed release and test DHCP relay functionality to ensure it operates without restarting under normal traffic.
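The check above is easy to get wrong by hand because EOS versions are compared within a release train (4.28.x against the 4.28 fix, 4.29.x against the 4.29 fix) and may carry a fourth component (4.29.0.2F). The following Python is an added example, not code from the page or from Arista: it extracts the version from `show version` output, detects whether relay is enabled from a running-config snippet, and compares against a per-train fixed-version table. The table, the `show version` text and the config snippet are constructed placeholders; the real fixed versions must be taken from the advisory.

```python
"""Assess CVE-2023-24510 exposure from 'show version' and running-config text.

Added example. The fixed-version table below is a HYPOTHETICAL placeholder;
replace it with the per-train fixed releases from Arista Security Advisory 0087.
"""
import re

# EOS versions look like 4.28.3M or 4.29.0.2F: major.minor.patch[.sub] + train letter.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?([A-Z]*)$")

# Hypothetical values for illustration only; NOT the real fixed versions.
HYPOTHETICAL_FIXED_BY_TRAIN = {
    "4.28": "4.28.99M",
    "4.29": "4.29.99F",
}

# Constructed sample of 'show version' output (serial/hardware lines are made up).
SAMPLE_SHOW_VERSION = """\
Arista DCS-7050SX3-48YC8-F
Hardware version: 11.01
Serial number: SSJ00000000

Software image version: 4.28.3M
Architecture: i686
"""

# Constructed running-config snippet: relay enabled by a helper address on an SVI.
SAMPLE_RUNNING_CONFIG = """\
interface Vlan10
   ip address 10.10.0.1/24
   ip helper-address 192.0.2.10
!
interface Vlan20
   ip address 10.20.0.1/24
"""


def parse_eos_version(version: str) -> tuple:
    """Turn '4.28.3M' or '4.29.0.2F' into a comparable (major, minor, patch, sub) tuple.

    The trailing train letter (F/M) does not take part in ordering."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version: {version!r}")
    major, minor, patch, sub, _letter = m.groups()
    return (int(major), int(minor), int(patch), int(sub) if sub else 0)


def extract_version(show_version_output: str) -> str:
    """Return the value of the 'Software image version:' line."""
    for line in show_version_output.splitlines():
        if line.strip().startswith("Software image version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Software image version' line found")


def relay_enabled(running_config: str) -> bool:
    """True if any interface carries an ip helper-address or relay is forced always-on."""
    for line in running_config.splitlines():
        stripped = line.strip()
        if stripped.startswith("ip helper-address") or stripped.startswith("ip dhcp relay always-on"):
            return True
    return False


def assess(version: str, fixed_by_train: dict, dhcp_relay_enabled: bool) -> tuple:
    """Return (vulnerable: bool, reason: str).

    Unknown trains are reported as vulnerable so that a gap in the table is
    noticed rather than silently treated as safe."""
    if not dhcp_relay_enabled:
        return False, "DHCP relay not enabled; agent not exposed"
    parsed = parse_eos_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in fixed_by_train:
        return True, f"train {train} not in fixed-version table; confirm against the advisory"
    fixed = fixed_by_train[train]
    if parsed >= parse_eos_version(fixed):
        return False, f"{version} is at or above fixed release {fixed}"
    return True, f"{version} is below fixed release {fixed}; upgrade"


def assess_device(show_version_output: str, running_config: str, fixed_by_train: dict) -> tuple:
    """Convenience wrapper combining the three checks for one device."""
    return assess(extract_version(show_version_output), fixed_by_train, relay_enabled(running_config))


if __name__ == "__main__":
    print(assess_device(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG, HYPOTHETICAL_FIXED_BY_TRAIN))
```

Run it against the text of `show version` and `show running-config` collected from each device; the same functions work unchanged on output pulled over eAPI or SSH.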
📡 Detection & Monitoring
Log Indicators:
- Log entries indicating DHCP relay agent restarts or crashes in system logs. On EOS, agent supervision is done by ProcMgr, so look for ProcMgr messages that name the DhcpRelay agent in `show logging`; `show agent uptime` showing an unexpectedly young DhcpRelay agent is a second indicator. Exact message text varies by release, so confirm the format on your own devices before building alerts on it.
Network Indicators:
- Unusual DHCP packet patterns or spikes in DHCP traffic to relay agents
SIEM Query:
Example: 'source="arista-device" AND (event="dhcp_relay_restart" OR event="process_crash")' (the field and event names are placeholders; substitute the fields your syslog parser actually produces, and match on ProcMgr messages naming DhcpRelay)
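A single relay restart can happen for benign reasons, so the useful alert is a burst of restarts on one device within a short window, which is the signature of repeated malformed-packet delivery. The following Python is an added example, not code from the page or from Arista: a sliding-window detector over syslog lines. The ProcMgr message format it assumes ('%PROCMGR-6-PROCESS_RESTART: Restarting 'DhcpRelay' ...') is my assumption of how EOS reports an agent restart and should be adjusted to what your devices actually log; the sample lines are constructed.

```python
"""Flag hosts whose DhcpRelay agent restarted repeatedly within a time window.

Added example. The syslog line format is assumed, not taken from Arista
documentation; adjust TS_RE and RESTART_RE to match your devices' output.
"""
import re
from datetime import datetime, timedelta

# Assumed format: "<Mon> <day> HH:MM:SS <host> <proc>: %PROCMGR-6-PROCESS_RESTART: Restarting 'Agent' ..."
TS_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) ")
RESTART_RE = re.compile(r"%PROCMGR-\d-PROCESS_RESTART[^']*'([A-Za-z]+)'")

# Constructed sample: three DhcpRelay restarts on sw1 inside ten minutes, one on sw2,
# plus unrelated noise that must not be counted.
SAMPLE_SYSLOG = """\
Mar  3 10:02:11 sw1 ProcMgr-worker: %PROCMGR-6-PROCESS_RESTART: Restarting 'DhcpRelay' immediately (it had PID=2311)
Mar  3 10:04:40 sw1 ProcMgr-worker: %PROCMGR-6-PROCESS_RESTART: Restarting 'DhcpRelay' immediately (it had PID=2398)
Mar  3 10:05:02 sw2 ProcMgr-worker: %PROCMGR-6-PROCESS_RESTART: Restarting 'DhcpRelay' immediately (it had PID=1877)
Mar  3 10:06:13 sw1 Sysdb: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar  3 10:09:57 sw1 ProcMgr-worker: %PROCMGR-6-PROCESS_RESTART: Restarting 'DhcpRelay' immediately (it had PID=2452)
Mar  3 11:30:00 sw1 ProcMgr-worker: %PROCMGR-6-PROCESS_RESTART: Restarting 'Lldp' immediately (it had PID=900)
"""


def parse_line(line: str, year: int = 2023):
    """Return (timestamp, host, agent) for an agent-restart line, else None.

    Classic syslog timestamps carry no year, so the caller supplies one."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, host = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {hh}:{mm}:{ss}", "%Y %b %d %H:%M:%S")
    r = RESTART_RE.search(line)
    if not r:
        return None
    return ts, host, r.group(1)


def find_restart_bursts(lines, agent="DhcpRelay", threshold=3, window=timedelta(minutes=10)):
    """Return [(host, first_ts, last_ts, count)] for each host where `agent`
    restarted at least `threshold` times within any span of length `window`.

    Sliding two-pointer scan over each host's sorted timestamps; one alert per host."""
    events = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == agent:
            events.setdefault(parsed[1], []).append(parsed[0])

    alerts = []
    for host, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((host, stamps[start], stamps[end], end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    for host, first, last, count in find_restart_bursts(SAMPLE_SYSLOG.splitlines()):
        print(f"ALERT {host}: {count} DhcpRelay restarts between {first} and {last}")
```

Feed it the output of `show logging` from each device or the aggregated syslog stream; tune `threshold` and `window` to how often a healthy relay agent restarts in your environment (normally never outside maintenance).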