CVE-2024-47517
📋 TL;DR
This vulnerability allows attackers to obtain expired administrator authentication tokens from network devices whose ETM (Embedded Test and Management) sessions have timed out. It affects Arista network devices running vulnerable software versions. Attackers could potentially use these tokens to gain unauthorized administrative access.
💻 Affected Systems
- Arista EOS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain valid administrator tokens and gain full administrative control over network devices, enabling network disruption, data interception, or lateral movement.
Likely Case
Attackers obtain expired tokens that may be used for limited unauthorized access or reconnaissance before token expiration is enforced.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated network segments with minimal exposure.
🎯 Exploit Status
Requires network access to affected devices and knowledge of ETM timeout behavior. No public exploits known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Arista advisory for specific fixed versions
Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisory/20454-security-advisory-0105
Restart Required: Yes
Instructions:
1. Review the Arista advisory for affected versions.
2. Upgrade to a fixed EOS version.
3. Apply configuration changes if required.
4. Restart affected services or devices.
🔧 Temporary Workarounds
Disable ETM Access
Disable Embedded Test and Management access on affected devices:
configure terminal
no management api http-commands
write memory
Reduce ETM Timeout
Configure shorter timeout periods for ETM sessions:
configure terminal
management api http-commands
timeout 300
write memory
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices
- Enable detailed logging and monitoring for authentication token usage
🔍 How to Verify
Check if Vulnerable:
Check the EOS version with 'show version' and compare it against the affected versions listed in the Arista advisory.
Check Version:
show version | include Software image version
Verify Fix Applied:
Confirm the upgraded version with 'show version', then test that ETM tokens are rejected once their session has timed out.
📡 Detection & Monitoring
Log Indicators:
- Unexpected authentication token usage
- Multiple failed login attempts followed by token access
- ETM session timeouts with subsequent authentication events
Network Indicators:
- Unusual authentication traffic to management interfaces
- Token reuse from different source IPs
SIEM Query:
source="arista" AND (event_type="authentication" OR event_type="token") AND (action="timeout" OR action="expired")
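The two indicators above that a SIEM query alone does not correlate are a token being used after its ETM session timed out, and the same token appearing from a second source IP. The following script is an added example, not part of this advisory summary or Arista's tooling: it runs that correlation over constructed sample log lines whose field layout (action=, user=, token=, src=) is an assumption, not Arista's syslog format.

```python
"""Correlate ETM session timeouts with later token use (constructed sample logs)."""
import re
from datetime import datetime

# Constructed syslog-style lines; the field layout is an assumption, not Arista's format.
SAMPLE_LOGS = """\
2024-10-01T10:00:00 sw1 ETM: action=login user=admin token=tok-A src=10.0.0.5
2024-10-01T10:05:00 sw1 ETM: action=timeout user=admin token=tok-A src=10.0.0.5
2024-10-01T10:07:30 sw1 ETM: action=api_call user=admin token=tok-A src=10.0.0.5
2024-10-01T10:09:00 sw1 ETM: action=api_call user=admin token=tok-A src=192.0.2.77
2024-10-01T11:00:00 sw1 ETM: action=login user=ops token=tok-B src=10.0.0.6
2024-10-01T11:01:00 sw1 ETM: action=api_call user=ops token=tok-B src=10.0.0.6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ETM: action=(?P<action>\S+) user=(?P<user>\S+) "
    r"token=(?P<token>\S+) src=(?P<src>\S+)$"
)
ENDED = {"timeout", "expired", "logout"}  # actions that should invalidate a token

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def detect(text):
    """Return alerts for use of a token after its session ended, and for
    use of one token from more than one source address."""
    ended_at = {}   # token -> time its session timed out / expired
    first_src = {}  # token -> source address first seen using it
    alerts = []
    for rec in sorted(parse(text), key=lambda r: r["ts"]):
        tok, act, src = rec["token"], rec["action"], rec["src"]
        if act in ENDED:
            ended_at[tok] = rec["ts"]
            continue
        if tok in ended_at:  # token still in use after the session ended
            delay = int((rec["ts"] - ended_at[tok]).total_seconds())
            alerts.append(("expired_token_use", tok, rec["user"], src, delay))
        if tok in first_src and first_src[tok] != src:  # same token, new source
            alerts.append(("token_source_change", tok, rec["user"], first_src[tok], src))
        first_src.setdefault(tok, src)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Events are sorted by timestamp before correlation, so out-of-order log delivery does not hide a post-timeout use.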