CVE-2023-24509

Solution:

• The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. CVE-2023-24509 has been fixed in the following releases: 4.28.4M and later releases in the 4.28.x train 4.27.7M and later releases in the 4.27.x train 4.26.9M and later releases in the 4.26.x train 4.25.10M and later releases in the 4.25.x train 4.24.11M and later releases in the 4.24.x train
• The following hotfix can be applied to remediate CVE-2023-24509. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above).: 4.28.3M and below releases in the 4.28.x train 4.27.6M and below releases in the 4.27.x train 4.26.8M and below releases in the 4.26.x train 4.25.9M and below releases in the 4.25.x train 4.24.10M 4.23.13M Note: Installing/uninstalling the SWIX will cause ConfigAgent to restart and disconnect existing CLI sessions. Version: 1.0 URL: SecurityAdvisory82_CVE-2023-24509_Hotfix.swix SWIX hash: (SHA-512)7833ab99e11cfea1ec28c09aedffd062cfc865a20a843ee6184caff1081e748c8a02590644d0c7b0e377027379cbaadc8b1a70d1c37097bf98c1bedb429dca56

Workaround:

• The workaround is to disable “ssh” CLI command in unprivileged mode on the SSH client devices by using command authorization. This can be done with Role-Based Access Control (RBAC). If the “ssh” CLI command is currently used to connect to a remote host, the destination address can be added to an allowlist with RBAC.