On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can log in to the standby supervisor as a root user, leading t ...
CVE-2023-24509
9.3 CRITICAL
What is CVE-2023-24509?
A privilege escalation vulnerability exists in modular platforms running Arista EOS when they are fitted with redundant supervisor modules and the redundancy protocol is configured as RPR or SSO. An attacker holding valid but unprivileged user credentials can exploit this flaw to log in to the standby supervisor as root. Root on the standby supervisor gives the attacker unrestricted access to that supervisor's system functions and resources, and a foothold from which further compromise of the chassis is possible.
Affected Version(s)
Arista EOS 4.23.0 through 4.23.13M
Arista EOS 4.28.0 through 4.28.3M
Arista EOS 4.27.0 through 4.27.6M
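The three conditions in the description above (affected EOS version, a second supervisor fitted, and RPR or SSO configured) can be checked from two show commands. The script below is an added example written for this page, not Arista's code or part of the advisory. It assumes the `Software image version:` line of `show version` and the `peer state` and `Redundancy Protocol (Configured)` lines of `show redundancy status`; the sample outputs are constructed, not captured from a device, and the range table contains only the three ranges listed on this page.

```python
"""Exposure check for the standby-supervisor privilege escalation described
on this page. Added example, not vendor code. Feed it the text of
'show version' and 'show redundancy status' from the active supervisor."""
import re

# Affected ranges exactly as listed on this page (inclusive bounds).
# Other EOS trains are not covered here; check the vendor advisory.
AFFECTED_RANGES = [
    ("4.23.0", "4.23.13M"),
    ("4.27.0", "4.27.6M"),
    ("4.28.0", "4.28.3M"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z]*)$")


def parse_version(text):
    """'4.28.3M' -> (4, 28, 3, 0). The train suffix (M/F) is dropped:
    the page states its ranges on the numeric parts only."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version string: {text!r}")
    major, minor, patch, sub, _suffix = m.groups()
    return (int(major), int(minor), int(patch), int(sub or 0))


def version_in_affected_range(version):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def parse_show_version(output):
    """Pull the image version out of 'show version' text (field name assumed)."""
    m = re.search(r"Software image version:\s*(\S+)", output)
    return m.group(1) if m else None


def parse_show_redundancy(output):
    """Return (configured protocol, peer state) from 'show redundancy status'.
    Field names are assumed from typical EOS output; adjust if yours differ."""
    proto = re.search(r"Redundancy Protocol \(Configured\)\s*=\s*(.+)", output)
    peer = re.search(r"peer state\s*=\s*(.+)", output)
    return (proto.group(1).strip() if proto else None,
            peer.group(1).strip() if peer else None)


def uses_rpr_or_sso(protocol):
    """True for Route Processor Redundancy or Stateful Switchover; Simplex
    (single supervisor, no redundancy) is out of scope for this issue."""
    if protocol is None:
        return False
    p = protocol.lower()
    return (p in ("rpr", "sso")
            or "route processor redundancy" in p
            or "stateful switchover" in p)


def assess(show_version_output, show_redundancy_output):
    """Combine the three conditions from the description into one verdict."""
    version = parse_show_version(show_version_output)
    protocol, peer = parse_show_redundancy(show_redundancy_output)
    affected_version = version is not None and version_in_affected_range(version)
    # Assumption: any peer state other than 'NOT INSERTED' means a second
    # supervisor is physically present.
    dual_supervisor = peer is not None and peer.upper() != "NOT INSERTED"
    redundant = uses_rpr_or_sso(protocol)
    return {
        "version": version,
        "affected_version": affected_version,
        "protocol": protocol,
        "dual_supervisor": dual_supervisor,
        "exposed": bool(affected_version and dual_supervisor and redundant),
    }


# Constructed sample output, not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Arista DCS-7504N
Hardware version: 11.00
Software image version: 4.28.2M
Architecture: i686
"""

SAMPLE_SHOW_REDUNDANCY = """\
  my state = ACTIVE
  peer state = STANDBY HOT
  Unit = Primary
  Redundancy Protocol (Operational) = Stateful Switchover
  Redundancy Protocol (Configured) = Stateful Switchover
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_SHOW_REDUNDANCY))
```

A chassis that reports Simplex, or that sits outside the listed ranges, comes back `exposed: False`; the version comparison is inclusive at both ends, so 4.28.3M is flagged and 4.28.4M is not. Because the fix is an upgrade, re-run the check after the upgrade and after any supervisor swap, since the standby may boot a different image than the active.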
References
CVSS V3.1
Score: 9.3
Severity: CRITICAL
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Arista would like to acknowledge and thank Marc-André Labonté, Senior Information Security Analyst at Desjardins for responsibly reporting CVE-2023-24509.
