Plattform
other
Komponente
arista-ng-firewall
Behoben in
17.1.2
CVE-2024-12830 describes a Remote Code Execution (RCE) vulnerability affecting Arista NG Firewall versions 17.1.1–17.1.1. This vulnerability allows an attacker to execute arbitrary code on the system without authentication. The flaw resides in the implementation of the custom_handler method, stemming from insufficient validation of user-supplied file paths. A fix is available from Arista.
Successful exploitation of CVE-2024-12830 allows an attacker to execute arbitrary code on the affected Arista NG Firewall system. Given the lack of authentication required, this vulnerability is particularly concerning. An attacker could potentially gain full control of the firewall, leading to data breaches, system compromise, and disruption of network services. The code executes in the context of the www-data user, which may have elevated privileges depending on the firewall's configuration. This vulnerability shares similarities with other directory traversal vulnerabilities where attackers leverage flawed path handling to access or modify sensitive files.
CVE-2024-12830 was disclosed on December 20, 2024. It is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation due to the lack of authentication suggests a potential for rapid exploitation once a PoC is released. The vulnerability was reported to Arista as ZDI-CAN-24019.
Organizations utilizing Arista NG Firewall in environments with exposed management interfaces are at significant risk. Specifically, deployments with default configurations or those lacking robust network segmentation are particularly vulnerable. Shared hosting environments where multiple tenants share the same firewall instance also face increased risk.
• linux / server: Monitor firewall logs for requests to the /custom_handler endpoint with unusual or potentially malicious file paths. Use journalctl to filter for relevant events.
journalctl -u arista-ngfw -f | grep 'custom_handler'• generic web: Use curl to test the /custom_handler endpoint with various path traversal payloads (e.g., ../etc/passwd).
curl 'http://<firewall_ip>/custom_handler?file=../../../../etc/passwd'• generic web: Check access logs for requests containing suspicious characters or patterns indicative of directory traversal attempts.
disclosure
Exploit-Status
EPSS
3.10% (87% Perzentil)
CISA SSVC
CVSS-Vektor
While a patch is pending, several mitigation steps can be taken to reduce the risk. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal sequences (e.g., '../'). Restrict access to the custom_handler endpoint using network segmentation and access control lists (ACLs). Regularly review and harden the firewall's configuration to minimize the privileges of the www-data user. Monitor system logs for unusual activity or attempts to access restricted files. After a patch is released, upgrade to the fixed version and verify the fix by attempting to trigger the vulnerability with a known malicious payload; the request should be blocked by the firewall.
Actualizar Arista NG Firewall a una versión posterior a la 17.1.1 que corrija la vulnerabilidad de directory traversal en el método custom_handler. Consultar el sitio web del proveedor para obtener la última versión y las instrucciones de actualización.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-12830 is a Remote Code Execution vulnerability in Arista NG Firewall versions 17.1.1–17.1.1, allowing attackers to execute code without authentication due to a flaw in the custom_handler method.
If you are running Arista NG Firewall version 17.1.1–17.1.1, you are potentially affected by this vulnerability. Check your firewall version and apply the recommended patch.
Upgrade to a patched version of Arista NG Firewall as soon as possible. Consult the official Arista advisory for specific upgrade instructions.
While no active exploitation has been publicly confirmed, the vulnerability's ease of exploitation suggests a potential for exploitation. Monitor security advisories and implement mitigations proactively.
Refer to the official Arista Networks security advisory for detailed information and mitigation steps: [https://www.arista.com/en/support/security/advisories/cve-2024-12830](https://www.arista.com/en/support/security/advisories/cve-2024-12830)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.