commands to str(commands for arista 2021 #175

Closed
wants to merge 23 commits into from
Closed
Empty file added CVEasy/Arista/2021/__init__.py
Empty file.
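--- a/CVEasy/Arista/2021/cve202128496.py
+++ b/CVEasy/Arista/2021/cve202128496.py
@@ -0,0 +1,71 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202128496',
+    platform=['arista_eos'],
+    commands=dict(
+        show_version='show version',
+        show_bfd='show running-config | section bfd',
+        show_eapi='show management api http-commands'
+    ),
+)
+def rule_cve202128496(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2021-28496 vulnerability in Arista EOS devices.
+    The vulnerability allows BFD shared secret passwords to be leaked when displaying output
+    over eAPI or other JSON outputs to authenticated users on the device.
+    """
+    # Extract the version information from the command output
+    version_output = str(commands.show_version)
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 4.22.x versions (all releases)
+        '4.22.0', '4.22.12',
+        # 4.23.x versions (up to 4.23.9)
+        '4.23.0', '4.23.9',
+        # 4.24.x versions (up to 4.24.7)
+        '4.24.0', '4.24.7',
+        # 4.25.x versions (up to 4.25.4)
+        '4.25.0', '4.25.4',
+        # 4.26.x versions (up to 4.26.1)
+        '4.26.0', '4.26.1'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Check if BFD is configured with shared secret profiles
+    bfd_config = str(commands.show_bfd)
+    has_bfd_secrets = 'profile' in bfd_config and 'key-id' in bfd_config
+
+    # Check if eAPI is enabled
+    eapi_config = str(commands.show_eapi)
+    eapi_enabled = 'enabled' in eapi_config.lower()
+
+    # Device is vulnerable if using BFD shared secrets and eAPI is enabled
+    is_vulnerable = has_bfd_secrets and eapi_enabled
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2021-28496. "
+        "The device is running a vulnerable version AND has BFD shared secret profiles configured "
+        "with eAPI enabled, which could expose sensitive password information. "
+        "Recommended fixes:\n"
+        "1. Upgrade to one of the following fixed versions:\n"
+        " * 4.23.10 or later for 4.23.x train\n"
+        " * 4.24.8 or later for 4.24.x train\n"
+        " * 4.25.5 or later for 4.25.x train\n"
+        " * 4.26.2 or later for 4.26.x train\n"
+        "2. Or apply the appropriate hotfix:\n"
+        " * For 4.22.0 - 4.25.0: SecurityAdvisory0069Hotfix-4.22-4.25.0.swix\n"
+        " * For 4.25.1 - 4.26.1: SecurityAdvisory0069Hotfix-4.25.1-4.26.1.swix\n"
+        "3. As a workaround, restrict access to CLI show commands using role-based authorization\n"
+        "For more information, see"
+        "https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069"
+    )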
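Review bot: The version gate in rule_cve202128496 only lists the two endpoints of each train ('4.23.0', '4.23.9', ...) while the comments claim whole ranges, so a device on e.g. 4.23.5 or 4.24.3 hits the early `return` and is reported as not vulnerable — a false negative in a rule whose whole job is to find exposed BFD secrets. Substring matching also cannot tell 4.26.1 from a later 4.26.1x release. Parse the version from the `show version` output and compare numerically against each train's inclusive range (needs `import re`); the rewritten gate is sketched below. Two smaller points in the same hunk: `'enabled' in eapi_config.lower()` is, as far as I recall the `show management api http-commands` output, true even when eAPI is off because the output carries an `Enabled:` label with a Yes/No value, so anchor on the value (`re.search(r'^\s*Enabled:\s*Yes', eapi_config, re.M | re.I)`); and the last two message literals concatenate to `seehttps://...` — add the trailing space in `"For more information, see "`.
```python
    # Inclusive vulnerable range per release train, taken from the list above.
    vulnerable_ranges = [
        ((4, 22, 0), (4, 22, 12)),
        ((4, 23, 0), (4, 23, 9)),
        ((4, 24, 0), (4, 24, 7)),
        ((4, 25, 0), (4, 25, 4)),
        ((4, 26, 0), (4, 26, 1)),
    ]
    match = re.search(r'(\d+)\.(\d+)\.(\d+)', version_output)
    if not match:
        return  # version unknown; consider failing loudly rather than passing silently
    running = tuple(int(part) for part in match.groups())
    version_vulnerable = any(low <= running <= high for low, high in vulnerable_ranges)
    # ... unchanged: early return, BFD and eAPI checks, assert ...
```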
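--- a/CVEasy/Arista/2021/cve202128500.py
+++ b/CVEasy/Arista/2021/cve202128500.py
@@ -0,0 +1,78 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202128500',
+    platform=['arista_eos'],
+    commands=dict(
+        show_version='show version',
+        show_users='show running-config | section username',
+        show_agents='show running-config | include openconfig|terminattr'
+    ),
+)
+def rule_cve202128500(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2021-28500 vulnerability in Arista EOS devices.
+    The vulnerability allows unrestricted access to the device for local users with nopassword
+    configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents.
+    """
+    # Extract the version information from the command output
+    version_output = str(commands.show_version)
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 4.20.x and earlier versions
+        '4.20.0', '4.20.15',
+        # 4.21.x versions
+        '4.21.0', '4.21.14M',
+        # 4.22.x versions
+        '4.22.0', '4.22.11M',
+        # 4.23.x versions
+        '4.23.0', '4.23.8M',
+        # 4.24.x versions
+        '4.24.0', '4.24.6M',
+        # 4.25.x versions
+        '4.25.0', '4.25.4M',
+        # 4.26.x versions
+        '4.26.0', '4.26.1F'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Check if any users are configured with nopassword
+    users_config = str(commands.show_users)
+    has_nopassword_users = 'nopassword' in users_config
+
+    # Check if OpenConfig or TerminAttr agents are enabled
+    agents_config = str(commands.show_agents)
+    agents_enabled = 'openconfig' in agents_config or 'terminattr' in agents_config
+
+    # Device is vulnerable if it has nopassword users and agents enabled
+    is_vulnerable = has_nopassword_users and agents_enabled
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2021-28500. "
+        "The device is running a vulnerable version AND has local users with nopassword configuration "
+        "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. "
+        "Recommended fixes:\n"
+        "1. Upgrade to one of the following fixed versions:\n"
+        " * 4.26.2F or later for 4.26.x train\n"
+        " * 4.25.5M or later for 4.25.x train\n"
+        " * 4.24.7M or later for 4.24.x train\n"
+        " * 4.23.9M or later for 4.23.x train\n"
+        " * 4.22.12M or later for 4.22.x train\n"
+        " * 4.21.15M or later for 4.21.x train\n"
+        "2. Until upgrade is complete, implement these workarounds:\n"
+        " * Remove nopassword configuration for local users\n"
+        " * Or apply the appropriate hotfix:\n"
+        " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n"
+        " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n"
+        "For more information, see "
+        "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071"
+    )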
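Review bot: The agent detection in rule_cve202128500 is case-sensitive on both sides — the `| include openconfig|terminattr` filter is a regex the device applies literally, and the Python side tests `'terminattr' in agents_config` — yet TerminAttr is conventionally configured as `daemon TerminAttr` (user-chosen, usually capitalised), so a typical deployment would be missed and the rule would pass a device that has nopassword users exposed through the agent. Collect a filter that does not depend on the daemon's name, e.g. `show_agents='show running-config | section daemon|management api'`, and match case-insensitively: `agents_lower = agents_config.lower()` then `agents_enabled = 'openconfig' in agents_lower or 'terminattr' in agents_lower or 'gnmi' in agents_lower`. The version list has the same endpoint-only problem as the other rules in this PR (the comment says "4.20.x and earlier" but only '4.20.0' and '4.20.15' are tested, and 4.21.1–4.21.13 are never matched), so a numeric range comparison would be safer than substring tests. The hotfix and fixed-version text is quoted from the advisory, so I have not checked it.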
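--- a/CVEasy/Arista/2021/cve202128501.py
+++ b/CVEasy/Arista/2021/cve202128501.py
@@ -0,0 +1,63 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202128501',
+    platform=['arista_eos'],
+    commands=dict(
+        show_version='show version',
+        show_terminattr='show running-config | include terminattr',
+        show_openconfig='show running-config | include openconfig',
+        show_users='show running-config | section username'
+    ),
+)
+def rule_cve202128501(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2021-28501 vulnerability in Arista EOS devices.
+    The vulnerability allows unrestricted access to the device for local users with nopassword
+    configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents.
+    """
+    # Extract the version information from the command output
+    version_output = str(commands.show_version)
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # TerminAttr versions before 1.16.2
+        '1.15.0', '1.15.1', '1.15.2', '1.15.3',
+        '1.16.0', '1.16.1'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Check if TerminAttr or OpenConfig agents are enabled
+    terminattr_config = str(commands.show_terminattr)
+    openconfig_config = str(commands.show_openconfig)
+    agents_enabled = bool(terminattr_config or openconfig_config)
+
+    # Check if any users are configured with nopassword
+    users_config = str(commands.show_users)
+    has_nopassword_users = 'nopassword' in users_config
+
+    # Device is vulnerable if agents are enabled and has nopassword users
+    is_vulnerable = agents_enabled and has_nopassword_users
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2021-28501. "
+        "The device is running a vulnerable version of TerminAttr AND has local users with nopassword configuration "
+        "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. "
+        "Recommended fixes:\n"
+        "1. Upgrade to TerminAttr v1.16.2 or later\n"
+        "2. Until upgrade is complete, implement these workarounds:\n"
+        " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF and TerminAttr\n"
+        " * Or apply the appropriate hotfix with proxy service:\n"
+        " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n"
+        " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n"
+        "For more information, see"
+        "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071"
+    )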
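Review bot: rule_cve202128501 matches TerminAttr version strings ('1.15.0' … '1.16.1') against the output of `show version`, which reports the EOS image version and, as far as I know, not the TerminAttr agent version — if that holds, `version_vulnerable` is always False, the function returns at the early `return`, and the rule never fires on any device; please confirm on a real switch and collect the agent's own version (e.g. `show version detail` or the TerminAttr daemon status output) instead. Separately, `agents_enabled = bool(terminattr_config or openconfig_config)` is computed on `str(...)` results, and `str(None)` is the truthy string `'None'`, so if the framework hands back `None` for a filter that matched nothing the agents look enabled; guard with `terminattr_config = str(commands.show_terminattr or '').strip()` (same for openconfig) before the `bool(...)`. The `| include terminattr` filter is also case-sensitive and would miss the usual `daemon TerminAttr` spelling, and the final message literals concatenate to `seehttps://...` — add the space in `"For more information, see "`.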
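--- a/CVEasy/Arista/2021/cve202128503.py
+++ b/CVEasy/Arista/2021/cve202128503.py
@@ -0,0 +1,72 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202128503',
+    platform=['arista_eos'],
+    commands=dict(
+        show_version='show version',
+        show_eapi='show management api http-commands',
+        show_cert_auth='show running-config | include certificate user'
+    ),
+)
+def rule_cve202128503(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2021-28503 vulnerability in Arista EOS devices.
+    The vulnerability allows remote attackers to bypass authentication when certificate-based
+    authentication is used with eAPI, due to improper credential re-evaluation.
+    """
+    # Extract the version information from the command output
+    version_output = str(commands.show_version)
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 4.23.x versions before 4.23.10
+        '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4',
+        '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9',
+        # 4.24.x versions before 4.24.8
+        '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4',
+        '4.24.5', '4.24.6', '4.24.7',
+        # 4.25.x versions before 4.25.6
+        '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5',
+        # 4.26.x versions before 4.26.3
+        '4.26.0', '4.26.1', '4.26.2'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Check if eAPI is enabled
+    eapi_config = str(commands.show_eapi)
+    eapi_enabled = 'enabled' in eapi_config.lower()
+
+    # Check if certificate-based authentication is configured
+    cert_config = str(commands.show_cert_auth)
+    cert_auth_enabled = 'certificate user' in cert_config
+
+    # Device is vulnerable if both eAPI and certificate auth are enabled
+    is_vulnerable = eapi_enabled and cert_auth_enabled
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2021-28503. "
+        "The device is running a vulnerable version AND has eAPI enabled with certificate-based authentication, "
+        "which could allow remote attackers to bypass authentication. "
+        "Recommended fixes:\n"
+        "1. Upgrade to one of the following fixed versions:\n"
+        " * 4.26.3 or later for 4.26.x train\n"
+        " * 4.25.6 or later for 4.25.x train\n"
+        " * 4.24.8 or later for 4.24.x train\n"
+        " * 4.23.10 or later for 4.23.x train\n"
+        "2. Until upgrade is complete, implement this workaround:\n"
+        " * Disable certificate-based authentication for eAPI:\n"
+        " switch(config)#management security\n"
+        " switch(config-mgmt-security)#ssl profile profileEAPI\n"
+        " switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert\n"
+        "For more information, see"
+        "https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072"
+    )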
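Review bot: `eapi_enabled = 'enabled' in eapi_config.lower()` in rule_cve202128503 does not actually test whether eAPI is on: if I recall the `show management api http-commands` output correctly it always carries an `Enabled:` label followed by `Yes` or `No`, so the substring is present either way and the rule flags every vulnerable-version device with a `certificate user` line, including ones where the auth-bypass surface is closed. Anchor on the value instead, e.g. `eapi_enabled = re.search(r'^\s*Enabled:\s*Yes', eapi_config, re.M | re.I) is not None` (needs `import re`), and verify the label on a device. Unlike the sibling rules this one enumerates every vulnerable release, which is good; a numeric range compare would still be more robust than substring tests ('4.26.2' also matches a hypothetical 4.26.20). The last two message literals concatenate to `seehttps://...` — add the space in `"For more information, see "`.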
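--- a/CVEasy/Arista/2021/cve202128504.py
+++ b/CVEasy/Arista/2021/cve202128504.py
@@ -0,0 +1,64 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202128504',
+    platform=['arista_eos'],
+    commands=dict(
+        show_version='show version',
+        show_tcam='show hardware tcam profile',
+        show_acl='show running-config | section ip access-list'
+    ),
+)
+def rule_cve202128504(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2021-28504 vulnerability in Arista EOS devices.
+    The vulnerability occurs on Strata family products when TCAM profile is enabled and
+    port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules
+    to not match IP protocol fields as expected.
+    """
+    # Extract the version information from the command output
+    version_output = str(commands.show_version)
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 4.26.x versions before 4.26.4F
+        '4.26.0', '4.26.1F', '4.26.2F', '4.26.3F',
+        # 4.27.x versions before 4.27.1M
+        '4.27.0F'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Check if TCAM profile feature is enabled
+    tcam_output = str(commands.show_tcam)
+    tcam_enabled = 'Profile:' in tcam_output
+
+    # Check if any ACL has VXLAN protocol matching
+    acl_config = str(commands.show_acl)
+    has_vxlan_acl = 'protocol vxlan' in acl_config.lower()
+
+    # Device is vulnerable if TCAM profile is enabled and has VXLAN protocol matching in ACLs
+    is_vulnerable = tcam_enabled and has_vxlan_acl
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2021-28504. "
+        "The device is running a vulnerable version AND has TCAM profile enabled with ACLs matching VXLAN protocol, "
+        "which could cause subsequent ACL rules to not match IP protocol fields correctly. "
+        "Recommended fixes:\n"
+        "1. Upgrade to one of the following fixed versions:\n"
+        " * 4.26.4F or later for 4.26.x train\n"
+        " * 4.27.1M or later for 4.27.x train\n"
+        "2. Until upgrade is complete, implement this workaround:\n"
+        " * Replace 'protocol vxlan' matches in ACLs with:\n"
+        " - protocol udp\n"
+        " - destination port 4789 (or configured VXLAN port)\n"
+        "For more information, see"
+        "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073"
+    )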
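Review bot: `has_vxlan_acl = 'protocol vxlan' in acl_config.lower()` in rule_cve202128504 looks for text that, as far as I know, never appears in an EOS running-config: IPv4 ACL entries name the protocol directly after the action (`permit vxlan any any`, `deny vxlan ...`), there is no `protocol` keyword, so the rule would silently pass a device whose ACL is affected by the filtering bypass this advisory describes — please confirm the syntax on a device before merging. A match on the entry form, e.g. `has_vxlan_acl = re.search(r'^\s*(?:\d+\s+)?(?:permit|deny)\s+vxlan\b', acl_config, re.M | re.I) is not None` (needs `import re`), would track the actual config. `tcam_enabled = 'Profile:' in tcam_output` is likewise a guess at the `show hardware tcam profile` layout that I cannot verify from here; a comment documenting the expected output line would help the next maintainer. The final message literals also concatenate to `seehttps://...` — add the space in `"For more information, see "`.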