CVE-2023-24511

Solution:

• The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Artista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see Eos User Manual: Upgrades and Downgrades CVE-2023-24511 has been fixed in the following releases: 4.29.2F and later releases in the 4.29.x train 4.28.6M and later releases in the 4.28.x train 4.27.9M and later releases in the 4.27.x train 4.26.10M and later releases in the 4.26.x train
• The following hotfix can be applied to remediate CVE-2023-24511. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above).: 4.29.1F and below releases in the 4.29.x train 4.28.5.1M and below releases in the 4.28.x train 4.27.8.1M and below releases in the 4.27.x train 4.26.9M and below releases in the 4.26.x train Note: Installing/uninstalling the SWIX will cause the snmpd process to restart Version: 1.0 URL:SecurityAdvisory84_CVE-2023-24511_Hotfix.swix SWIX hash:SecurityAdvisory84_CVE-2023-24511_Hotfix.swix (SHA-512)da2bc1fd2c7fc718e3c72c7ce83dc1caa05150cbe2f081c8cc3ed40ce787f7e24dff5202e621ef5f2af89f72afd25f7476d02f722ffe8e8c7d24c101cbbfe0e5

Workaround:

• If you suspect you are encountering this issue due to malicious activity, the workaround is to enable SNMP service ACLs to only allow specific IP addresses to query SNMP (combined with anti-spoofing ACLs in the rest of the network). snmp-server ipv4 access-list allowHosts4 snmp-server ipv6 access-list allowHosts6 ! ipv6 access-list allowHosts6 10 permit ipv6 host any ! ip access-list allowHosts4 10 permit ip host any