Platform
other
Component
arista-ng-firewall
Fixed in
17.1.2
CVE-2024-12830 describes a Remote Code Execution (RCE) vulnerability affecting Arista NG Firewall versions 17.1.1–17.1.1. This vulnerability allows an attacker to execute arbitrary code on the system without authentication. The flaw resides in the implementation of the custom_handler method, stemming from insufficient validation of user-supplied file paths. A fix is available from Arista.
Successful exploitation of CVE-2024-12830 allows an attacker to gain complete control over the affected Arista NG Firewall. This includes the ability to modify system configurations, steal sensitive data, and potentially pivot to other systems within the network. Given the lack of authentication required, the vulnerability presents a significant risk, particularly in environments with exposed management interfaces. The attacker executes code as the www-data user, which may have elevated privileges depending on the firewall’s configuration. This vulnerability shares similarities with other directory traversal vulnerabilities where improper path sanitization leads to arbitrary code execution.
CVE-2024-12830 was disclosed on December 20, 2024. It is tracked by ZDI-CAN-24019. The vulnerability's ease of exploitation (no authentication required) and potential impact suggest a medium probability of exploitation. Public proof-of-concept code is not yet widely available, but the vulnerability's nature makes it likely that such code will emerge. Monitor CISA and Arista advisories for updates.
Exploit Status
EPSS
3.10% (87% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-12830 is to upgrade to a patched version of Arista NG Firewall as soon as possible. Until an upgrade is feasible, consider implementing strict network segmentation to limit external access to the firewall’s management interface. Web Application Firewall (WAF) rules can be configured to block requests containing suspicious file paths or directory traversal sequences. Monitor firewall logs for unusual activity, particularly requests targeting the customhandler endpoint. After upgrading, verify the fix by attempting to access the customhandler endpoint with a crafted path designed to trigger the vulnerability; it should be rejected.
Actualizar Arista NG Firewall a una versión posterior a la 17.1.1 que corrija la vulnerabilidad de directory traversal en el método custom_handler. Consultar el sitio web del proveedor para obtener la última versión y las instrucciones de actualización.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-12830 is a Remote Code Execution vulnerability in Arista NG Firewall versions 17.1.1–17.1.1, allowing attackers to execute code without authentication due to a flaw in the custom_handler method.
If you are running Arista NG Firewall version 17.1.1–17.1.1, you are potentially affected by this vulnerability. Check your firewall version and apply the recommended patch.
Upgrade to a patched version of Arista NG Firewall as soon as possible. Consult the official Arista advisory for specific upgrade instructions.
While no active exploitation has been publicly confirmed, the vulnerability's ease of exploitation suggests a potential for exploitation. Monitor security advisories and implement mitigations proactively.
Refer to the official Arista Networks security advisory for detailed information and mitigation steps: [https://www.arista.com/en/support/security/advisories/cve-2024-12830](https://www.arista.com/en/support/security/advisories/cve-2024-12830)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.