CVE-2023-24512

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers with gNMI access to modify arbitrary configurations on Arista EOS switches when the Streaming Telemetry Agent (TerminAttr) is enabled with gNMI configured. This affects Arista EOS users who have enabled gNMI over the Streaming Telemetry Agent, typically when streaming to third-party systems (not the default CloudVision configuration).

💻 Affected Systems

Products:
  • Arista EOS
Versions: All versions prior to the fixed releases
Operating Systems: Arista EOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Streaming Telemetry Agent (TerminAttr) is enabled with gNMI access configured. Not vulnerable in default CloudVision streaming configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network compromise through unauthorized configuration changes, including routing manipulation, access control bypass, or denial of service.

🟠 Likely Case

Unauthorized configuration changes leading to network instability, data leakage, or privilege escalation.

🟢 If Mitigated

Limited impact if proper access controls and network segmentation are implemented.

🌐 Internet-Facing: MEDIUM - Requires gNMI access to be exposed externally, which is not a typical default configuration.
🏢 Internal Only: HIGH - Internal attackers with gNMI access can exploit this vulnerability to modify switch configurations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated gNMI access. Exploitation involves crafting specific gNMI requests to modify configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Arista security advisory for specific fixed versions per platform

Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisory/17250-security-advisory-0086

Restart Required: Yes

Instructions:

1. Review Arista security advisory for fixed versions.
2. Upgrade affected EOS versions to patched releases.
3. Restart switches after upgrade.

🔧 Temporary Workarounds

Disable gNMI on Streaming Telemetry Agent

all

Remove gNMI configuration from the TerminAttr agent if not required for operations.

configure terminal
no daemon TerminAttr
no management api gnmi

Restrict gNMI Access

all

Implement strict access controls and network segmentation for gNMI endpoints.

configure terminal
management api gnmi
shutdown
no shutdown vrf management

🧯 If You Can't Patch

  • Disable gNMI access on Streaming Telemetry Agent if not required
  • Implement strict network segmentation and access controls for gNMI endpoints

🔍 How to Verify

Check if Vulnerable:

Check whether the TerminAttr agent is enabled with gNMI configured, using 'show running-config | include TerminAttr' and 'show management api gnmi'.

Check Version:

show version

Verify Fix Applied:

Verify that the EOS version is patched using 'show version', and confirm that the gNMI configuration is properly secured.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized gNMI configuration change attempts
  • Unexpected configuration modifications via gNMI

Network Indicators:

  • Unusual gNMI traffic patterns
  • Configuration changes from unauthorized sources

SIEM Query:

source="arista-switch" AND ("gnmi" OR "TerminAttr") AND ("config" OR "set")
