CVE-2024-12830

7.3 HIGH

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on Arista NG Firewall systems via directory traversal in the custom_handler method. Attackers can exploit improper path validation to access files outside intended directories and execute code as the www-data user. All affected Arista NG Firewall installations are vulnerable without requiring authentication.

💻 Affected Systems

Products:
  • Arista NG Firewall
Versions: Specific patched versions are not detailed in the advisory; treat all versions prior to the vendor patch as vulnerable
Operating Systems: Linux-based firewall OS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, install persistent backdoors, pivot to internal networks, and exfiltrate sensitive data.

🟠

Likely Case

Remote code execution leading to web shell installation, credential theft, lateral movement within the network, and potential ransomware deployment.

🟢

If Mitigated

Limited impact with proper network segmentation, but still allows code execution on the firewall itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication required, simple directory traversal technique. ZDI has confirmed the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Arista security advisory for specific patched versions

Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisories

Restart Required: Yes

Instructions:

1. Check the current Arista NG Firewall version.
2. Download and apply the latest security patch from the Arista support portal.
3. Restart firewall services or reboot the system.
4. Verify the patch installation.

🔧 Temporary Workarounds

Network Access Restriction

Restrict access to the firewall management interface to trusted IP addresses only.

# Restrict the management interface (assumed here: HTTPS on 443) to one trusted
# source; replace TRUSTED_IP with your management host or CIDR. The ACCEPT rule
# must be added before the DROP rule, since iptables matches in order.
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Web Application Firewall Rules

Implement WAF rules to block directory traversal patterns.

# Example ModSecurity rule: URL-decode the request URI and arguments before
# matching, so encoded variants such as ..%2f are caught as well as literal ../
SecRule REQUEST_URI|ARGS "@rx \.\./" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,msg:'Directory traversal attempt'"

🧯 If You Can't Patch

  • Isolate the firewall from internet access and restrict management interface to internal trusted networks only
  • Implement strict network monitoring and alerting for any attempts to access custom_handler endpoints

🔍 How to Verify

Check if Vulnerable:

Check if custom_handler endpoint is accessible and test for directory traversal patterns. Review system logs for exploitation attempts.

Check Version:

Check firewall web interface or CLI for version information. Consult Arista documentation for specific version check commands.

Verify Fix Applied:

Verify patch version matches or exceeds vendor's recommended version. Test that directory traversal attempts are now properly blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing ../ patterns to custom_handler endpoints
  • Unusual process execution by www-data user
  • File access outside expected web directories

Network Indicators:

  • HTTP requests with encoded directory traversal sequences
  • Unusual outbound connections from firewall

SIEM Query:

source="firewall_logs" AND (uri="*custom_handler*" AND (uri="*../*" OR uri="*..%2f*" OR uri="*%2e%2e%2f*"))
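As an added illustration of the log and network indicators above (this is example code written for this page, not Arista's tooling and not part of the original advisory), the following Python scans web-server access-log lines for traversal attempts against the custom_handler endpoint. Unlike the fixed-string SIEM query, it percent-decodes each URI repeatedly before matching, so single- and double-encoded sequences are caught with one check, and it records the HTTP status so an attempt the server refused (4xx) can be triaged separately from one that returned 200. The Common Log Format layout, the URL path /custom_handler, the path= parameter and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; not real Arista NG Firewall logs.
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /custom_handler?path=../../etc/passwd HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /custom_handler?path=..%2f..%2fetc%2fshadow HTTP/1.1" 403 0',
    '203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /custom_handler?path=%252e%252e%252fetc HTTP/1.1" 200 100',
    '198.51.100.9 - - [01/Jan/2025:10:00:04 +0000] "GET /custom_handler?path=reports/daily HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /static/app.js?v=../ HTTP/1.1" 200 9000',
]

# Fields captured: client, timestamp, method, uri, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

ENDPOINT = "custom_handler"   # the handler named in the advisory (URL path is assumed)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded sequence such as %252e%252e%252f ends up as ../ ."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(uri: str) -> bool:
    """True when the request path targets the custom_handler endpoint and the
    decoded URI contains a parent-directory reference (../ or ..\\)."""
    decoded = decode_fully(uri).replace("\\", "/")
    path = decoded.split("?", 1)[0]
    return ENDPOINT in path and "../" in decoded


def scan_log_lines(lines):
    """Return one finding per matching line: who, what was requested (raw and
    decoded) and whether the server appears to have refused it (4xx)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # unparsable line: skip rather than crash
        client, ts, method, uri, status = m.groups()
        if not is_traversal_attempt(uri):
            continue
        findings.append({
            "client": client,
            "time": ts,
            "method": method,
            "raw_uri": uri,
            "decoded": decode_fully(uri),
            "status": int(status),
            "likely_blocked": status.startswith("4"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOGS):
        verdict = "blocked" if f["likely_blocked"] else "NOT blocked"
        print(f'{f["time"]} {f["client"]} {f["method"]} {f["decoded"]} -> {f["status"]} ({verdict})')
```

Run against the constructed sample, the first three lines are reported (literal, single-encoded and double-encoded traversal against custom_handler), the legitimate request is not, and the `../` in a query to an unrelated static file is ignored because the endpoint check is applied to the path only. A 200 on a flagged line does not prove the traversal succeeded, but it is the line to examine first; the 403 line shows a request the WAF or server already refused.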

🔗 References
