Vulnerability Details : CVE-2023-24512
On affected platforms running Arista EOS, an authorized attacker with permissions to perform gNMI requests could craft a request allowing it to update arbitrary configurations in the switch. This situation occurs only when the Streaming Telemetry Agent (referred to as the TerminAttr agent) is enabled and gNMI access is configured on the agent. Note: This gNMI over the Streaming Telemetry Agent scenario is mostly commonly used when streaming to a 3rd party system and is not used by default when streaming to CloudVision
Vulnerability category: BypassGain privilege
Products affected by CVE-2023-24512
- cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*
- cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*
- cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*
- cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*
- cpe:2.3:a:arista:cloudeos:-:*:*:*:*:*:*:*
- cpe:2.3:a:arista:ceos-lab:*:*:*:*:*:*:*:*
- cpe:2.3:a:arista:veos-lab:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-24512
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 26 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-24512
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
Arista Networks, Inc. |
CWE ids for CVE-2023-24512
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: psirt@arista.com (Secondary)
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-24512
-
https://www.arista.com/en/support/advisories-notices/security-advisory/17250-security-advisory-0086
Security Advisory 0086 - AristaExploit;Mitigation;Vendor Advisory
Jump to