CVE-2023-24509

Published: Apr 13, 2023
Modified: Nov 21, 2024

CVSS score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 5.9
Source: NVD

Description

On affected modular platforms running Arista EOS that are equipped with redundant supervisor modules and have the redundancy protocol configured with RPR or SSO, an existing unprivileged user can log in to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability.

Affected (6)

Products: Arista: Eos (1 product)

Configuration A
6 vulnerable · 20 platform

Vulnerable Software    Affected Versions
Arista Eos             From 4.23 to 4.23.13m
Arista Eos             From 4.24.0 to 4.24.11m
Arista Eos             From 4.25.0 to 4.25.10m
Arista Eos             From 4.26.0 to 4.26.9m
Arista Eos             From 4.27.0 to 4.27.7m
Arista Eos             From 4.28.0 to 4.28.4m

Running on/with        Platform Versions
Arista 704x3           All versions
Arista 7304x           All versions
Arista 7304x3          All versions
Arista 7308x           All versions
Arista 7316x           All versions
Arista 7324x           All versions
Arista 7328x           All versions
Arista 7504r           All versions
Arista 7504r3          All versions
Arista 7508r           All versions
Arista 7508r3          All versions
Arista 7512r           All versions
Arista 7512r3          All versions
Arista 7516r           All versions
Arista 755x            All versions
Arista 758x            All versions
Arista 7804r3          All versions
Arista 7808r3          All versions
Arista 7812r3          All versions
Arista 7816r3          All versions

References (2)

Source: af854a3a-2127-422b-91ae-364da2661108
Exploit · Mitigation · Vendor Advisory
