CVE-2023-24545

7.5 HIGH

📋 TL;DR

This vulnerability in Arista CloudEOS is a denial-of-service issue in the Software Forwarding Engine (Sfe). A malformed packet received by the device causes a packet buffer to leak; as more malformed packets arrive the leaked buffers accumulate and the device can eventually stop forwarding traffic altogether. Only Arista CloudEOS platforms are affected.

💻 Affected Systems

Products:
  • Arista CloudEOS
Versions: All versions prior to the fixed release
Operating Systems: CloudEOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects platforms running Arista CloudEOS with the Software Forwarding Engine (Sfe) enabled.

📦 What is this software?

Arista CloudEOS is the virtualized form of Arista's EOS network operating system, packaged to run as a router or switch instance in public clouds and on hypervisors. Because there is no hardware forwarding ASIC, packets are forwarded in software by the Software Forwarding Engine (Sfe), which is the component affected by this issue.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network outage: once enough packet buffers have leaked, the device stops forwarding all traffic, disrupting every flow that transits it, until it is reloaded.

🟠 Likely Case

Degraded forwarding and intermittent service disruption as packet buffers are progressively exhausted, showing up as rising packet loss and connectivity issues.

🟢 If Mitigated

Minimal impact where network segmentation keeps untrusted sources away from the device's forwarding interfaces, ingress rate limiting slows buffer exhaustion, and monitoring catches the malformed-packet traffic early.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted malformed packets to the vulnerable switch.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Arista advisory for specific fixed versions

Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisory/17240-security-advisory-0085

Restart Required: Yes

Instructions:

1. Review Arista security advisory 0085 and identify the fixed release for your CloudEOS train.
2. Download and install the patched CloudEOS image.
3. Reload the device to boot the new image.
4. Verify with show version that the fixed release is running.

🔧 Temporary Workarounds

Network segmentation and filtering (applies to: all versions)

Implement network segmentation and filtering so that untrusted networks cannot reach the device's forwarding interfaces.

Rate limiting (applies to: all versions)

Configure rate limiting on ingress interfaces to bound how quickly an attacker can flood malformed packets. This slows buffer exhaustion but does not stop the leak itself; only the fixed release does.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable devices from untrusted networks
  • Deploy network monitoring and intrusion detection systems to detect malformed packet attacks
  • Plan for a controlled reload if forwarding degrades, since leaked packet buffers are only reclaimed when the device restarts

🔍 How to Verify

Check if Vulnerable:

Confirm the device is running CloudEOS (the first line of show version reads "Arista CloudEOS") and compare the "Software image version" line against the vulnerable and fixed versions listed in Arista's advisory.

Check Version:

show version | include CloudEOS
show version | include Software image version

Verify Fix Applied:

The "Software image version" reported by show version must be the fixed release for that train named in the advisory, or a later release in the same train.
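The version check above is easy to get wrong by hand across many CloudEOS instances, so here is an added example (not code from this page or from Arista) that parses show version output and compares the installed image against per-train fixed releases. The show version text and the fixed-version table below are constructed placeholders; the real fixed versions must be copied from advisory 0085 before using this.

```python
"""Added example: decide whether a CloudEOS instance still needs the fix for
CVE-2023-24545 by parsing `show version` output.  The sample output and the
fixed-version table are constructed placeholders, not data from the advisory."""
import re

# Constructed sample of `show version` output as seen on a CloudEOS instance.
SAMPLE_SHOW_VERSION = """\
Arista CloudEOS
Hardware version:
Serial number: SN0123456789
Hardware MAC address: 0000.0000.0001
System MAC address: 0000.0000.0001

Software image version: 4.28.3M
Architecture: x86_64
Internal build version: 4.28.3M-28837868.4283M
Internal build ID: 00000000-0000-0000-0000-000000000000

Uptime: 3 weeks, 2 days, 4 hours and 12 minutes
Total memory: 8153812 kB
Free memory: 5112024 kB
"""

# PLACEHOLDER values for illustration only: keyed by release train
# (major.minor), value is the first fixed release.  Replace every entry with
# the fixed versions listed in Arista security advisory 0085.
PLACEHOLDER_FIXED_VERSIONS = {
    "4.27": "4.27.9M",
    "4.28": "4.28.5M",
    "4.29": "4.29.1F",
}


def parse_eos_version(version):
    """Turn an EOS version string such as '4.28.3M' or '4.29.0.2F' into a
    tuple of ints.  The trailing train letter (M, F, ...) is dropped because
    ordering within a train is purely numeric."""
    m = re.fullmatch(r"(\d+(?:\.\d+)+)[A-Za-z]*", version.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def software_image_version(show_version_text):
    """Extract the value of the 'Software image version:' line."""
    for line in show_version_text.splitlines():
        if line.startswith("Software image version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Software image version:' line found")


def is_cloudeos(show_version_text):
    """Only CloudEOS platforms are affected; the first line names the platform."""
    return show_version_text.lstrip().startswith("Arista CloudEOS")


def assess(show_version_text, fixed_versions):
    """Return 'not-affected', 'fixed', 'vulnerable' or 'unknown-train'.

    'unknown-train' means the installed train has no entry in fixed_versions,
    so the operator must check the advisory rather than assume either way."""
    if not is_cloudeos(show_version_text):
        return "not-affected"
    installed = parse_eos_version(software_image_version(show_version_text))
    train = ".".join(str(p) for p in installed[:2])
    fixed = fixed_versions.get(train)
    if fixed is None:
        return "unknown-train"
    # Python compares tuples lexicographically, so (4, 28, 3) < (4, 28, 5)
    # and (4, 29, 0, 2) < (4, 29, 1), matching EOS release ordering.
    return "fixed" if installed >= parse_eos_version(fixed) else "vulnerable"


if __name__ == "__main__":
    print(software_image_version(SAMPLE_SHOW_VERSION),
          assess(SAMPLE_SHOW_VERSION, PLACEHOLDER_FIXED_VERSIONS))
```

On the device itself the same text can be obtained with `FastCli -c 'show version'`, or over eAPI, where the JSON form of show version carries the image version in its `version` field; in both cases feed the text or the extracted version into the functions above with the real advisory table.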

📡 Detection & Monitoring

Log Indicators:

  • Increased packet buffer allocation failures
  • Unusual packet drop rates
  • Sfe process errors or crashes

Network Indicators:

  • Malformed packet traffic arriving on the device's forwarding (data-plane) interfaces, not only its management interface, since the leak is in the forwarding engine
  • Sustained increase in packet buffer usage that does not fall back when traffic levels drop

SIEM Query:

source="switch_logs" AND ("packet buffer" OR "Sfe" OR "malformed")

🔗 References

  • Arista Security Advisory 0085: https://www.arista.com/en/support/advisories-notices/security-advisory/17240-security-advisory-0085
  • NVD entry for CVE-2023-24545: https://nvd.nist.gov/vuln/detail/CVE-2023-24545