Vulnerabilities > CVE-2016-6894 - Resource Management Errors vulnerability in Arista products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
arista
CWE-399
nessus

Summary

Arista EOS 4.15 before 4.15.8M, 4.16 before 4.16.7M, and 4.17 before 4.17.0F on DCS-7050 series devices allow remote attackers to cause a denial of service (device reboot) by sending crafted packets to the control plane.

Common Weakness Enumeration (CWE)

Nessus

NASL familyMisc.
NASL idARISTA_EOS_SA0025.NASL
descriptionThe version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability due to an unspecified flaw when handling certain packets sent to the control plane. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause the device to reboot.
last seen2020-03-17
modified2018-02-28
plugin id107068
published2018-02-28
reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/107068
titleArista Networks EOS Control Plane Packet Handling DoS (SA0025)
code
#TRUSTED 54c04b6fa5fedc9ac0f523b8cfd0105671365c1548ab6b97df1129216b7aedfcbcf7374f97847a1760eb7ff095133ac68daf61e585ca1a6e5e6502acc9e2eb1aad139618047dfe4ea46566c402507194f4a3ef2cc5b524ec0c172b08efaee75740fbfc1112ef118692e1e7ccbd226069796cf938700affe408b159f72dc586cf0c1864d30fa3f64f6e46d10087ffc238a99a4dfc02676e741c899e4c582528387bc2b070ca011f885b633992c040de9c4bd5cdf4b3961014112d33e1a0a5dd31680dcdae7fe09574e23fcd7301034ba3946148d7c63d42be1f14fe28d12fa404aeb53cf6280fa60877f2f9be4c667f00db44616608f28a643b97030840e6fd35ada82e73b065fed315599ee706172d44f16323dffb24c73b95c6018ed363b6fa9159d4224e912042247b1c0983a4c6f660e34c4d555a12f6b8382f7897f7e303f243edc6957ea76ce7f70ca3f5d203eb7fb5b51b6d0fc9bfe62f72b59ce70037584f27c1bac06bea2ed66073ffb60a1e2ea7fc0693eeac468f5135f4dea12aa199e1552fb387fa76c53234c3241f760a5a4bae2e37920d09b7bd1e63bc2e8bc3d15434c97c7f09e6aabe96954de19ac0e2173cef838498ad579332f32d8a2721e55052568aa56af8737ab60764d986ffa45e74c377e5c7be027ec22bdb22ab29b4989adc188275660db859389197731fc76262eebc2328d56c3dad3596520c02
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(107068);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/13");

  script_cve_id("CVE-2016-6894");
  script_bugtraq_id(95267);

  script_name(english:"Arista Networks EOS Control Plane Packet Handling DoS (SA0025)");
  script_summary(english:"Checks the Arista Networks EOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The version of Arista Networks EOS running on the remote device is
affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Arista Networks EOS running on the remote device is
affected by a denial of service vulnerability due to an unspecified
flaw when handling certain packets sent to the control plane. An
unauthenticated, remote attacker can exploit this, via a specially
crafted request, to cause the device to reboot.");
  # https://www.arista.com/en/support/advisories-notices/security-advisories/1752-security-advisory-25
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1c1e1fe");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Arista Networks EOS version 4.15.8M / 4.16.7M / 4.17.0F or
later. Alternatively, apply the recommended patch referenced in the
vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6894");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/10/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/28");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:arista:eos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("arista_eos_detect.nbin");
  script_require_keys("Host/Arista-EOS/Version", "Host/Arista-EOS/Model");

  exit(0);
}


include("arista_eos_func.inc");

version = get_kb_item_or_exit("Host/Arista-EOS/Version");
model = get_kb_item_or_exit("Host/Arista-EOS/Model");
# The extension rpm says SecurityAdvisory0023 but this is the hotfix for sa0025
ext = "2.7.0/3450908.idcaldwellSecurityAdvisory0023hotfix.2";
sha = "8e9031d81ebe85b01f854f005b222e0a87d969f21d58c85c351707161224dbacc855840f8c5b17289fcf0d2417f6350be67c9adf2f5fe2624a15fdeb522ec291";

if(model !~ "^DCS-7050[QST]") audit(AUDIT_DEVICE_NOT_VULN, "Arista Networks " + model);

if(eos_extension_installed(ext:ext, sha:sha)) exit(0, "The Arista device is not vulnerable, as a relevant hotfix has been installed.");

vmatrix = make_array();
vmatrix["all"] =  make_list("4.15.2<=4.15.7.99",
                            "4.16.0<=4.16.6.99");
vmatrix["fix"] =  "Install the vendor-supplied patch or upgrade to Arista EOS 4.15.8M / 4.16.7M / 4.17.0F or later.";

if (eos_is_affected(vmatrix:vmatrix, version:version))
{
  security_report_v4(severity:SECURITY_HOLE, port:0, extra:eos_report_get());
}
else audit(AUDIT_INST_VER_NOT_VULN, "Arista Networks EOS", version);