CVE-2024-6437

On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options ma

Description

On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature's set nexthop action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination.

Remediation

Solution:

  • The recommended resolution is to upgrade to a remediated software version that contains the ip software forwarding options action drop CLI command, and configure the command at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades CVE-2024-6437 has been fixed in the following releases: * 4.32.2F and later releases in the 4.32.x train * 4.31.5M and later releases in the 4.31.x train * 4.30.8M and later releases in the 4.30.x train * 4.29.10M and later releases in the 4.29.x train

Workaround:

  • For all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the ip software forwarding options action drop, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an iptables rule that drops all IPv4 options traffic in the filter table of the FORWARD chain. switch(config)#ip software forwarding options action drop # Below is shown to illustrate what the rule does. This is not a command that needs to be run. switch(config)#bash sudo iptables -vnL EOS_FORWARD Chain EOS_FORWARD (1 references)  pkts bytes target     prot opt in     out     source               destination     0     0 DROP       all -- *     *       0.0.0.0/0           0.0.0.0/0           u32 ! "0x0>>0x18=0x45"     0     0 REJECT     all -- *     fwd+   0.0.0.0/0           0.0.0.0/0           u32 ! "0x0>>0x18=0x45" reject-with icmp-admin-prohibited     0     0 DROP       all -- *     ma+     0.0.0.0/0           0.0.0.0/0     0     0 ACCEPT     all -- *     *     !127.0.0.0/8         !127.0.0.0/8   Additionally, in 7280R3, 7500R3, and 7800R3 systems, the system-rule overriding-action redirect command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features' set nexthop action to take precedence over the system ACL's trap action to CPU. See TCAM redirect action overriding system rules - TOI https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules  for more information.
5.8
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.06%
Affected: Arista Networks EOS-Policy Based Routing (PBR)
Affected: Arista Networks EOS - BGP Flowspec
Affected: Arista Networks EOS - Interface Traffic Policy
Published at:
Updated at:

References

Link Tags
https://www.arista.com/en/support/advisories-notices/security-advisory/20689-security-advisory-0108

Frequently Asked Questions

What is the severity of CVE-2024-6437?
CVE-2024-6437 has been scored as a medium severity vulnerability.
How to fix CVE-2024-6437?
To fix CVE-2024-6437: The recommended resolution is to upgrade to a remediated software version that contains the ip software forwarding options action drop CLI command, and configure the command at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades CVE-2024-6437 has been fixed in the following releases: * 4.32.2F and later releases in the 4.32.x train * 4.31.5M and later releases in the 4.31.x train * 4.30.8M and later releases in the 4.30.x train * 4.29.10M and later releases in the 4.29.x train
Is CVE-2024-6437 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-6437 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-6437?
CVE-2024-6437 affects Arista Networks EOS-Policy Based Routing (PBR), Arista Networks EOS - BGP Flowspec, Arista Networks EOS - Interface Traffic Policy.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.