{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-24509", "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "assignerShortName": "Arista", "dateUpdated": "2025-02-07T15:42:09.265Z", "dateReserved": "2023-01-24T00:00:00.000Z", "datePublished": "2023-04-13T00:00:00.000Z"}, "containers": {"cna": {"title": "On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading t ...", "datePublic": "2023-02-14T00:00:00.000Z", "providerMetadata": {"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "shortName": "Arista", "dateUpdated": "2023-04-13T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability."}], "affected": [{"vendor": "Arista Networks", "product": "Arista EOS", "versions": [{"version": "4.23.0 4.23.13M", "status": "affected"}, {"version": "4.28.0", "status": "affected", "lessThanOrEqual": "4.28.3M", "versionType": "custom"}, {"version": "4.27.0", "status": "affected", "lessThanOrEqual": "4.27.6M", "versionType": "custom"}, {"version": "4.286.0", "status": "affected", "lessThanOrEqual": "4.26.8M", "versionType": "custom"}, {"version": "4.25.0", "status": "affected", "lessThanOrEqual": "4.25.9M", "versionType": "custom"}, {"version": "4.24.0", "status": "affected", "lessThanOrEqual": "4.24.10M", "versionType": "custom"}]}], "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082"}], "credits": [{"lang": "en", "value": "Arista would like to acknowledge and thank Marc-Andr\u00e9 Labont\u00e9, Senior Information Security Analyst at Desjardins for responsibly reporting CVE-2023-24509."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "82", "defect": ["723401"], "discovery": "EXTERNAL"}, "configurations": [{"lang": "en", "value": "In order to be vulnerable to CVE-2023-24509, the following conditions must be met:\n\nTwo supervisor modules must both be inserted and active. To determine the status of the supervisor modules,\n\nswitch#show module \nModule Ports Card Type Model Serial No.\n------- ----- ------------------------ ---------------- -----------\n1 3 DCS-7500-SUP2 Supervisor DCS-7500-SUP2 SSJ17133450\n2 2 Standby supervisor DCS-7500-SUP2 SSJ17133441\n \nModule Status Uptime Power off reason\n------- ------- ------- ----------------\n1 Active 0:24:58 N/A\n2 Standby 0:24:58 N/A\nSupervisor redundancy protocol must be configured with RPR(Route Processor Redundancy) or SSO (Stateful Switchover) on the switch. To determine the state and the current redundancy protocol of both supervisors on the switch,\n\nswitch#show redundancy status\n my state = ACTIVE\npeer state = STANDBY WARM\n Unit = Primary\n Unit ID = 1\n \nRedundancy Protocol (Operational) = Route Processor Redundancy\nRedundancy Protocol (Configured) = Route Processor Redundancy\nCommunications = Up\nReady for switchover\n \n Last switchover time = 7:23:56 ago\nLast switchover reason = Supervisor has control of the active supervisor lock"}], "workarounds": [{"lang": "en", "value": "The workaround is to disable \u201cssh\u201d CLI command in unprivileged mode on the SSH client devices by using command authorization. This can be done with Role-Based Access Control (RBAC).\n\nIf the \u201cssh\u201d CLI command is currently used to connect to a remote host, the destination address can be added to an allowlist with RBAC."}], "solutions": [{"lang": "en", "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\n\nCVE-2023-24509 has been fixed in the following releases:\n\n4.28.4M and later releases in the 4.28.x train\n4.27.7M and later releases in the 4.27.x train\n4.26.9M and later releases in the 4.26.x train\n4.25.10M and later releases in the 4.25.x train\n4.24.11M and later releases in the 4.24.x train"}, {"lang": "en", "value": "The following hotfix can be applied to remediate CVE-2023-24509. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above).: \n\n4.28.3M and below releases in the 4.28.x train\n4.27.6M and below releases in the 4.27.x train\n4.26.8M and below releases in the 4.26.x train\n4.25.9M and below releases in the 4.25.x train\n4.24.10M\n4.23.13M\nNote: Installing/uninstalling the SWIX will cause ConfigAgent to restart and disconnect existing CLI sessions.\n\nVersion: 1.0\n\nURL: SecurityAdvisory82_CVE-2023-24509_Hotfix.swix\n\nSWIX hash:\n\n(SHA-512)7833ab99e11cfea1ec28c09aedffd062cfc865a20a843ee6184caff1081e748c8a02590644d0c7b0e377027379cbaadc8b1a70d1c37097bf98c1bedb429dca56"}], "x_ConverterErrors": {"TITLE": {"error": "TITLE too long. Truncating in v5 record.", "message": "Truncated!"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:56:04.282Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-07T15:42:03.820627Z", "id": "CVE-2023-24509", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T15:42:09.265Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:56:04.282Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-24509", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-07T15:42:03.820627Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T15:41:26.044Z"}}], "cna": {"title": "On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading t ...", "source": {"defect": ["723401"], "advisory": "82", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Arista would like to acknowledge and thank Marc-Andr\u00e9 Labont\u00e9, Senior Information Security Analyst at Desjardins for responsibly reporting CVE-2023-24509."}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Arista Networks", "product": "Arista EOS", "versions": [{"status": "affected", "version": "4.23.0 4.23.13M"}, {"status": "affected", "version": "4.28.0", "versionType": "custom", "lessThanOrEqual": "4.28.3M"}, {"status": "affected", "version": "4.27.0", "versionType": "custom", "lessThanOrEqual": "4.27.6M"}, {"status": "affected", "version": "4.286.0", "versionType": "custom", "lessThanOrEqual": "4.26.8M"}, {"status": "affected", "version": "4.25.0", "versionType": "custom", "lessThanOrEqual": "4.25.9M"}, {"status": "affected", "version": "4.24.0", "versionType": "custom", "lessThanOrEqual": "4.24.10M"}]}], "solutions": [{"lang": "en", "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\n\nCVE-2023-24509 has been fixed in the following releases:\n\n4.28.4M and later releases in the 4.28.x train\n4.27.7M and later releases in the 4.27.x train\n4.26.9M and later releases in the 4.26.x train\n4.25.10M and later releases in the 4.25.x train\n4.24.11M and later releases in the 4.24.x train"}, {"lang": "en", "value": "The following hotfix can be applied to remediate CVE-2023-24509. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above).: \n\n4.28.3M and below releases in the 4.28.x train\n4.27.6M and below releases in the 4.27.x train\n4.26.8M and below releases in the 4.26.x train\n4.25.9M and below releases in the 4.25.x train\n4.24.10M\n4.23.13M\nNote: Installing/uninstalling the SWIX will cause ConfigAgent to restart and disconnect existing CLI sessions.\n\nVersion: 1.0\n\nURL: SecurityAdvisory82_CVE-2023-24509_Hotfix.swix\n\nSWIX hash:\n\n(SHA-512)7833ab99e11cfea1ec28c09aedffd062cfc865a20a843ee6184caff1081e748c8a02590644d0c7b0e377027379cbaadc8b1a70d1c37097bf98c1bedb429dca56"}], "datePublic": "2023-02-14T00:00:00.000Z", "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082"}], "workarounds": [{"lang": "en", "value": "The workaround is to disable \u201cssh\u201d CLI command in unprivileged mode on the SSH client devices by using command authorization. This can be done with Role-Based Access Control (RBAC).\n\nIf the \u201cssh\u201d CLI command is currently used to connect to a remote host, the destination address can be added to an allowlist with RBAC."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "configurations": [{"lang": "en", "value": "In order to be vulnerable to CVE-2023-24509, the following conditions must be met:\n\nTwo supervisor modules must both be inserted and active. To determine the status of the supervisor modules,\n\nswitch#show module \nModule Ports Card Type Model Serial No.\n------- ----- ------------------------ ---------------- -----------\n1 3 DCS-7500-SUP2 Supervisor DCS-7500-SUP2 SSJ17133450\n2 2 Standby supervisor DCS-7500-SUP2 SSJ17133441\n \nModule Status Uptime Power off reason\n------- ------- ------- ----------------\n1 Active 0:24:58 N/A\n2 Standby 0:24:58 N/A\nSupervisor redundancy protocol must be configured with RPR(Route Processor Redundancy) or SSO (Stateful Switchover) on the switch. To determine the state and the current redundancy protocol of both supervisors on the switch,\n\nswitch#show redundancy status\n my state = ACTIVE\npeer state = STANDBY WARM\n Unit = Primary\n Unit ID = 1\n \nRedundancy Protocol (Operational) = Route Processor Redundancy\nRedundancy Protocol (Configured) = Route Processor Redundancy\nCommunications = Up\nReady for switchover\n \n Last switchover time = 7:23:56 ago\nLast switchover reason = Supervisor has control of the active supervisor lock"}], "providerMetadata": {"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "shortName": "Arista", "dateUpdated": "2023-04-13T00:00:00.000Z"}, "x_ConverterErrors": {"TITLE": {"error": "TITLE too long. Truncating in v5 record.", "message": "Truncated!"}}}}, "cveMetadata": {"cveId": "CVE-2023-24509", "state": "PUBLISHED", "dateUpdated": "2025-02-07T15:42:09.265Z", "dateReserved": "2023-01-24T00:00:00.000Z", "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "datePublished": "2023-04-13T00:00:00.000Z", "assignerShortName": "Arista"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*", "matchCriteriaId": "498704F8-24D4-48C9-A5CB-4A8F7054AA49", "versionEndIncluding": "4.23.13m", "versionStartIncluding": "4.23", "vulnerable": true}, {"criteria": "cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*", "matchCriteriaId": "8923F137-B1BA-49FF-A100-AD357966EE4F", "versionEndExcluding": "4.24.11m", "versionStartIncluding": "4.24.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D6EA8CE-BAA4-4B4D-8A9F-A65018FC6B3A", "versionEndExcluding": "4.25.10m", "versionStartIncluding": "4.25.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*", "matchCriteriaId": "659190E5-DFB0-4172-BD6F-1B9E22533CE5", "versionEndExcluding": "4.26.9m", "versionStartIncluding": "4.26.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*", "matchCriteriaId": "20966F67-1C70-458C-A4EF-02612345DE48", "versionEndExcluding": "4.27.7m", "versionStartIncluding": "4.27.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F57FAA3-518C-498C-9580-19A207C8F176", "versionEndExcluding": "4.28.4m", "versionStartIncluding": "4.28.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:arista:704x3:-:*:*:*:*:*:*:*", "matchCriteriaId": "D7C0C33F-72A7-41CA-A666-1CEC9F0FE02F", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7304x:-:*:*:*:*:*:*:*", "matchCriteriaId": "65C6E0C9-7F81-4CE3-BD46-7939667E5969", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7304x3:-:*:*:*:*:*:*:*", "matchCriteriaId": "78FE473B-CA6E-4E8D-8DBF-676B1ECBB185", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7308x:-:*:*:*:*:*:*:*", "matchCriteriaId": "B7A8ABF1-ADF4-474D-B01B-8BB271E1263E", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7316x:-:*:*:*:*:*:*:*", "matchCriteriaId": "73ECE6D6-12E5-4396-9C19-3B2E08E13147", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7324x:-:*:*:*:*:*:*:*", "matchCriteriaId": "B8862F74-E399-41EE-A081-62D99A7C1755", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7328x:-:*:*:*:*:*:*:*", "matchCriteriaId": "8F16261D-639F-4CAB-BDA6-EF3F277E663C", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7504r:-:*:*:*:*:*:*:*", "matchCriteriaId": "CD1F369D-93BF-4259-99F5-97FBEF79BBA5", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7504r3:-:*:*:*:*:*:*:*", "matchCriteriaId": "8387CCEA-F00C-4F1F-B966-ACF8B16F1D22", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7508r:-:*:*:*:*:*:*:*", "matchCriteriaId": "F35978B6-889C-47DB-971B-B2A12FF537E0", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7508r3:-:*:*:*:*:*:*:*", "matchCriteriaId": "55AE2A1C-A4FD-423B-A77E-2E24C2310A6A", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7512r:-:*:*:*:*:*:*:*", "matchCriteriaId": "2360E039-5F12-4210-8578-7EBDA4575A6E", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7512r3:-:*:*:*:*:*:*:*", "matchCriteriaId": "C4B0D708-B426-4CA1-BE87-08BD14B7EACE", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7516r:-:*:*:*:*:*:*:*", "matchCriteriaId": "3D45E5E5-7EB9-41E7-8EEE-570E6646EDDD", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:755x:-:*:*:*:*:*:*:*", "matchCriteriaId": "585E3617-2B1F-4E58-853A-0E9703B91B80", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:758x:-:*:*:*:*:*:*:*", "matchCriteriaId": "13B1D90C-73CC-49A2-B202-B07D96226729", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7804r3:-:*:*:*:*:*:*:*", "matchCriteriaId": "A54F3D32-5A07-4791-90BF-96BD8A24C2F6", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7808r3:-:*:*:*:*:*:*:*", "matchCriteriaId": "2F078B04-2DA0-4A4B-BB1A-408DC14CB61F", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7812r3:-:*:*:*:*:*:*:*", "matchCriteriaId": "E9B99200-EC76-404E-9900-5D1DC3B9A758", "vulnerable": false}, {"criteria": "cpe:2.3:h:arista:7816r3:-:*:*:*:*:*:*:*", "matchCriteriaId": "5A172A49-1A0E-464B-BDDD-A8F52856D595", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability."}], "id": "CVE-2023-24509", "lastModified": "2024-11-21T07:48:00.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 6.0, "source": "psirt@arista.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-13T20:15:08.843", "references": [{"source": "psirt@arista.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082"}], "sourceIdentifier": "psirt@arista.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "psirt@arista.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}