CVE-2024-7142

Description

On Arista CloudVision Appliance (CVA) affected releases running on appliances that support hardware disk encryption (DCA-350E-CV only), the disk encryption might not be successfully performed. This results in the disks remaining unsecured and data on them

Remediation

Solution:

  • The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see CloudVision Appliance 350E-CV - Arista https://www.arista.com/en/qsg-cva-350e-cv .

  CVE-2024-7142 has been fixed in the following releases:

  * CVA 6.0.7

  If the user runs the cva disk encryption enable command on a release containing the fix, the disks will be properly encrypted. In addition, upgrading from a vulnerable CVA version to the versions mentioned above will fix the issue automatically:

  * If the key/password pair is found during the upgrade, the upgrade process will encrypt the disks properly. If the upgrade process does not find the corresponding key/password pair on the system, it preserves the original intent of the user and does not encrypt the disks.
  * If the user no longer wants to encrypt the disks even though they previously ran the cva disk encryption enable command on a vulnerable release, the cva disk encryption disable command must be run before the upgrade. This disable option will not be available on the new releases.

Workaround:

  • To manually fix the issue on a vulnerable system (determined by following the steps in the Determining a vulnerable device https://www.arista.com/en/support/advisories-notices/security-advisory/20405-security-advisory-0104#pageLink-2 section), run the following commands to enable encryption of the virtual disks. The FQDD of the RAID controller(s) and virtual disks will be needed for this mitigation; see the Preliminary steps https://www.arista.com/en/support/advisories-notices/security-advisory/20405-security-advisory-0104#pageLink-3 section on how to retrieve them. Because the security key was already set on the vulnerable system, it does not need to be set again here. See the Caveats https://www.arista.com/en/support/advisories-notices/security-advisory/20405-security-advisory-0104#pageLink-4 section for more information. Generally, the overall process takes up to 10 minutes. The performance of a running system is not expected to degrade while the following steps are carried out.

  * Encrypt all virtual disks that belong to the RAID controller by running the following command for each of them (the placeholder is the virtual disk's FQDD, as in the example below):

        racadm storage encryptvd:<virtual disk FQDD>

  * Create the job for the RAID controller and monitor its progress:

        racadm jobqueue create <RAID controller FQDD> --realtime

    This command must return the scheduled configuration job ID in its output. Look for Commit JID = JID_xxxxx in the output. Then check the status of this job with racadm jobqueue view -i <JID>. It will take up to 10 minutes to complete.

  * After the job is complete, run the following command to see if all the virtual disks are encrypted:

        racadm storage get vdisks --refkey <RAID controller FQDD> -o

    The output should show Secured = YES against each one of them.

  The following is an example of the aforementioned steps:

    [root@cv ~]# racadm storage encryptvd:Disk.Virtual.238:RAID.SL.3-1
    STOR094 : The storage configuration operation is successfully completed and the change is in pending state.
    <--snip-->
    [root@cv ~]# racadm jobqueue create RAID.SL.3-1 --realtime
    RAC1024: Successfully scheduled a job. Verify the job status using "racadm jobqueue view -i JID_xxxxx" command.
    Commit JID = JID_218438865303
    [root@cv ~]# racadm jobqueue view -i JID_218438865303
    ---------------------------- JOB -------------------------
    [Job ID=JID_218438865303]
    Job Name=Configure: RAID.SL.3-1
    Status=Running
    <--snip-->
    Percent Complete=[1]
    [root@cv ~]# racadm jobqueue view -i JID_218438865303
    ---------------------------- JOB -------------------------
    [Job ID=JID_218438865303]
    Job Name=Configure: RAID.SL.3-1
    Status=Completed
    <--snip-->
    Percent Complete=[100]
    [root@cv ~]# racadm storage get vdisks --refkey RAID.SL.3-1 -o
    Disk.Virtual.238:RAID.SL.3-1
       Status                = Ok
       DeviceDescription     = Virtual Disk 238 on RAID Controller in SL 3
       Name                  = os
       <--snip-->
       Secured               = YES
       <--snip-->
    Disk.Virtual.239:RAID.SL.3-1
       Status                = Ok
       DeviceDescription     = Virtual Disk 239 on RAID Controller in SL 3
       Name                  = data
       <--snip-->
       Secured               = YES
       <--snip-->
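The workaround above is a manual procedure with a check at the end that is easy to skip. The following script is an added example, not Arista's code and not part of the advisory: it drives the same three racadm steps for one RAID controller, skips virtual disks that already report Secured = YES, polls the commit job until it finishes, and then fails unless every virtual disk on the controller is secured. It assumes racadm is on PATH on the appliance, that the controller security key was already set by the earlier cva disk encryption enable run (it sets no key itself), and that racadm prints in the layout shown in the advisory transcript; the RACADM variable, the function names and the sample output used when testing are this example's own.

```shell
#!/bin/bash
# Added example (not Arista code): automate the CVE-2024-7142 racadm workaround
# for one RAID controller and verify the outcome. Assumes racadm is on PATH,
# the security key is already set, and racadm output matches the advisory's
# transcript layout. RACADM may be overridden to point at a stub for testing.
set -u

RACADM=${RACADM:-racadm}

# Read `racadm storage get vdisks --refkey <ctrl> -o` output on stdin and print
# the FQDD of every virtual disk whose Secured field is anything but YES.
unsecured_vdisks() {
    awk '
        /^[ \t]*Disk\.Virtual\./      { vd = $1 }
        /^[ \t]*Secured[ \t]*=/       { if (vd != "" && $NF != "YES") print vd }
    '
}

# Read `racadm jobqueue create <ctrl> --realtime` output on stdin and print the
# job ID from the "Commit JID = JID_..." line, or nothing if none was scheduled.
commit_jid() {
    sed -n 's/.*Commit JID = \(JID_[0-9]*\).*/\1/p' | head -n 1
}

# Read `racadm jobqueue view -i <jid>` output on stdin and print the Status value.
job_status() {
    sed -n 's/^[[:space:]]*Status=//p' | head -n 1 | tr -d '[:space:]'
}

# Encrypt every unsecured virtual disk on controller $1, commit one realtime
# job, poll it every $2 seconds at most $3 times, then re-check the controller.
# Returns 0 only when every virtual disk reports Secured = YES afterwards.
remediate_controller() {
    local ctrl="$1" interval="${2:-30}" tries="${3:-40}"   # default ceiling: 20 min
    local vds vd jid status="" i=0

    vds=$("$RACADM" storage get vdisks --refkey "$ctrl" -o | unsecured_vdisks)
    if [ -z "$vds" ]; then
        echo "$ctrl: every virtual disk already reports Secured = YES"
        return 0
    fi

    # Step 1: queue the encrypt operation for each unsecured virtual disk.
    for vd in $vds; do
        echo "encrypting $vd"
        "$RACADM" storage encryptvd:"$vd" || return 1
    done

    # Step 2: commit the pending changes as one realtime job and keep its JID.
    jid=$("$RACADM" jobqueue create "$ctrl" --realtime | commit_jid)
    if [ -z "$jid" ]; then
        echo "$ctrl: no Commit JID in jobqueue create output" >&2
        return 1
    fi

    # Step 3: poll the job until it completes, fails, or the ceiling is hit.
    while [ "$i" -lt "$tries" ]; do
        status=$("$RACADM" jobqueue view -i "$jid" | job_status)
        case $status in
            Completed) break ;;
            Failed*)   echo "$jid: job failed" >&2; return 1 ;;
        esac
        i=$((i + 1))
        sleep "$interval"
    done
    if [ "$status" != Completed ]; then
        echo "$jid: status '$status' after $tries polls" >&2
        return 1
    fi

    # Step 4: re-read the controller; anything still unsecured is a failure.
    vds=$("$RACADM" storage get vdisks --refkey "$ctrl" -o | unsecured_vdisks)
    if [ -n "$vds" ]; then
        echo "$ctrl: still unsecured after job $jid: $vds" >&2
        return 1
    fi
    echo "$ctrl: every virtual disk now reports Secured = YES"
}

# Usage: ./cva_encrypt_vdisks.sh RAID.SL.3-1   (controller FQDD from Preliminary steps)
if [ -n "${1:-}" ]; then
    remediate_controller "$1"
fi
```

Run it once per RAID controller FQDD. It is safe to re-run: disks already reporting Secured = YES are skipped, and a non-zero exit means the final check found a disk that is still unsecured, which is exactly the condition this CVE describes.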

CVSS

CVSS 3.1 base score: 4.6 (Severity: Medium)
EPSS: 0.01%
Affected: Arista Networks CloudVision Appliance

Frequently Asked Questions

What is the severity of CVE-2024-7142?
CVE-2024-7142 has been scored as a medium severity vulnerability.
How to fix CVE-2024-7142?
To fix CVE-2024-7142, upgrade to CVA 6.0.7 or a later release containing the fix (see the Remediation section above). The upgrade encrypts the disks automatically when the key/password pair from an earlier cva disk encryption enable run is present; if encryption is no longer wanted, run cva disk encryption disable before upgrading. Until the upgrade, the racadm workaround in the Remediation section can be applied manually.
Is CVE-2024-7142 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2024-7142 is being actively exploited. According to its EPSS score (0.01%), the probability that this vulnerability will be exploited by malicious actors in the next 30 days is close to 0%.
What software or system is affected by CVE-2024-7142?
CVE-2024-7142 affects Arista Networks CloudVision Appliance.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.