Arista NG 防火墙 custom_handler 目录遍历远程代码执行漏洞

攻击者可以利用此漏洞在 Arista NG Firewall 设备上执行任意代码，从而完全控制设备。这可能导致数据泄露、系统破坏、恶意软件部署以及进一步的网络攻击。由于该漏洞不需要身份验证，攻击者可以轻松地利用它，造成严重的后果。该漏洞的利用方式类似于其他目录遍历漏洞，攻击者可以构造恶意请求来访问或修改系统文件，从而执行任意命令。

Organizations utilizing Arista NG Firewall in environments with exposed management interfaces are at significant risk. Specifically, deployments with default configurations or those lacking robust network segmentation are particularly vulnerable. Shared hosting environments where multiple tenants share the same firewall instance also face increased risk.

• linux / server: Monitor firewall logs for requests to the /custom_handler endpoint with unusual or potentially malicious file paths. Use journalctl to filter for relevant events.

journalctl -u arista-ngfw -f | grep 'custom_handler'

• generic web: Use curl to test the /custom_handler endpoint with various path traversal payloads (e.g., ../etc/passwd).

curl 'http://<firewall_ip>/custom_handler?file=../../../../etc/passwd'

• generic web: Check access logs for requests containing suspicious characters or patterns indicative of directory traversal attempts.

1. 2024-12-20Disclosure

   disclosure

1. 已保留2024-12-19
2. 发布日期2024-12-20
3. EPSS 更新日期2026-04-02

目前，Arista 尚未发布官方修复版本。作为临时缓解措施，建议禁用 customhandler 功能，或配置防火墙规则以限制对该功能的访问。此外，可以考虑使用 Web 应用防火墙 (WAF) 来检测和阻止恶意请求。密切监控系统日志，查找任何异常活动，并及时采取措施。在升级修复版本后，请验证 customhandler 功能是否已正确禁用或配置，以确保漏洞已得到有效修复。