arista 2021 cves (#161)

* arista 2021 cves

* Fix flake8 and syntax errors in Arista CVE scripts

---------

Co-authored-by: mailsanjayhere <mailsanjayhere@gmail.com>

Author: netpicker

CVEasy/Arista/2021/__init__.py

@@ -0,0 +1,71 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202128496',
+    platform=['arista_eos'],
+    commands=dict(
+        show_version='show version',
+        show_bfd='show running-config | section bfd',
+        show_eapi='show management api http-commands'
+    ),
+)
+def rule_cve202128496(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2021-28496 vulnerability in Arista EOS devices.
+    The vulnerability allows BFD shared secret passwords to be leaked when displaying output
+    over eAPI or other JSON outputs to authenticated users on the device.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 4.22.x versions (all releases)
+        '4.22.0', '4.22.12',
+        # 4.23.x versions (up to 4.23.9)
+        '4.23.0', '4.23.9',
+        # 4.24.x versions (up to 4.24.7)
+        '4.24.0', '4.24.7',
+        # 4.25.x versions (up to 4.25.4)
+        '4.25.0', '4.25.4',
+        # 4.26.x versions (up to 4.26.1)
+        '4.26.0', '4.26.1'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Check if BFD is configured with shared secret profiles
+    bfd_config = commands.show_bfd
+    has_bfd_secrets = 'profile' in bfd_config and 'key-id' in bfd_config
+
+    # Check if eAPI is enabled
+    eapi_config = commands.show_eapi
+    eapi_enabled = 'enabled' in eapi_config.lower()
+
+    # Device is vulnerable if using BFD shared secrets and eAPI is enabled
+    is_vulnerable = has_bfd_secrets and eapi_enabled
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2021-28496. "
+        "The device is running a vulnerable version AND has BFD shared secret profiles configured "
+        "with eAPI enabled, which could expose sensitive password information. "
+        "Recommended fixes:\n"
+        "1. Upgrade to one of the following fixed versions:\n"
+        "  * 4.23.10 or later for 4.23.x train\n"
+        "  * 4.24.8 or later for 4.24.x train\n"
+        "  * 4.25.5 or later for 4.25.x train\n"
+        "  * 4.26.2 or later for 4.26.x train\n"
+        "2. Or apply the appropriate hotfix:\n"
+        "  * For 4.22.0 - 4.25.0: SecurityAdvisory0069Hotfix-4.22-4.25.0.swix\n"
+        "  * For 4.25.1 - 4.26.1: SecurityAdvisory0069Hotfix-4.25.1-4.26.1.swix\n"
+        "3. As a workaround, restrict access to CLI show commands using role-based authorization\n"
+        "For more information, see"
+        "https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069"
+    )

CVEasy/Arista/2021/cve202128496.py

@@ -0,0 +1,78 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202128500',
+    platform=['arista_eos'],
+    commands=dict(
+        show_version='show version',
+        show_users='show running-config | section username',
+        show_agents='show running-config | include openconfig|terminattr'
+    ),
+)
+def rule_cve202128500(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2021-28500 vulnerability in Arista EOS devices.
+    The vulnerability allows unrestricted access to the device for local users with nopassword
+    configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 4.20.x and earlier versions
+        '4.20.0', '4.20.15',
+        # 4.21.x versions
+        '4.21.0', '4.21.14M',
+        # 4.22.x versions
+        '4.22.0', '4.22.11M',
+        # 4.23.x versions
+        '4.23.0', '4.23.8M',
+        # 4.24.x versions
+        '4.24.0', '4.24.6M',
+        # 4.25.x versions
+        '4.25.0', '4.25.4M',
+        # 4.26.x versions
+        '4.26.0', '4.26.1F'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Check if any users are configured with nopassword
+    users_config = commands.show_users
+    has_nopassword_users = 'nopassword' in users_config
+
+    # Check if OpenConfig or TerminAttr agents are enabled
+    agents_config = commands.show_agents
+    agents_enabled = 'openconfig' in agents_config or 'terminattr' in agents_config
+
+    # Device is vulnerable if it has nopassword users and agents enabled
+    is_vulnerable = has_nopassword_users and agents_enabled
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2021-28500. "
+        "The device is running a vulnerable version AND has local users with nopassword configuration "
+        "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. "
+        "Recommended fixes:\n"
+        "1. Upgrade to one of the following fixed versions:\n"
+        "  * 4.26.2F or later for 4.26.x train\n"
+        "  * 4.25.5M or later for 4.25.x train\n"
+        "  * 4.24.7M or later for 4.24.x train\n"
+        "  * 4.23.9M or later for 4.23.x train\n"
+        "  * 4.22.12M or later for 4.22.x train\n"
+        "  * 4.21.15M or later for 4.21.x train\n"
+        "2. Until upgrade is complete, implement these workarounds:\n"
+        "  * Remove nopassword configuration for local users\n"
+        "  * Or apply the appropriate hotfix:\n"
+        "    - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n"
+        "    - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n"
+        "For more information, see "
+        "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071"
+    )

CVEasy/Arista/2021/cve202128500.py

@@ -0,0 +1,63 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202128501',
+    platform=['arista_eos'],
+    commands=dict(
+        show_version='show version',
+        show_terminattr='show running-config | include terminattr',
+        show_openconfig='show running-config | include openconfig',
+        show_users='show running-config | section username'
+    ),
+)
+def rule_cve202128501(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2021-28501 vulnerability in Arista EOS devices.
+    The vulnerability allows unrestricted access to the device for local users with nopassword
+    configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # TerminAttr versions before 1.16.2
+        '1.15.0', '1.15.1', '1.15.2', '1.15.3',
+        '1.16.0', '1.16.1'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Check if TerminAttr or OpenConfig agents are enabled
+    terminattr_config = commands.show_terminattr
+    openconfig_config = commands.show_openconfig
+    agents_enabled = bool(terminattr_config or openconfig_config)
+
+    # Check if any users are configured with nopassword
+    users_config = commands.show_users
+    has_nopassword_users = 'nopassword' in users_config
+
+    # Device is vulnerable if agents are enabled and has nopassword users
+    is_vulnerable = agents_enabled and has_nopassword_users
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2021-28501. "
+        "The device is running a vulnerable version of TerminAttr AND has local users with nopassword configuration "
+        "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. "
+        "Recommended fixes:\n"
+        "1. Upgrade to TerminAttr v1.16.2 or later\n"
+        "2. Until upgrade is complete, implement these workarounds:\n"
+        "  * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF and TerminAttr\n"
+        "  * Or apply the appropriate hotfix with proxy service:\n"
+        "    - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n"
+        "    - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n"
+        "For more information, see"
+        "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071"
+    )

CVEasy/Arista/2021/cve202128501.py

@@ -0,0 +1,72 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202128503',
+    platform=['arista_eos'],
+    commands=dict(
+        show_version='show version',
+        show_eapi='show management api http-commands',
+        show_cert_auth='show running-config | include certificate user'
+    ),
+)
+def rule_cve202128503(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2021-28503 vulnerability in Arista EOS devices.
+    The vulnerability allows remote attackers to bypass authentication when certificate-based
+    authentication is used with eAPI, due to improper credential re-evaluation.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 4.23.x versions before 4.23.10
+        '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4',
+        '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9',
+        # 4.24.x versions before 4.24.8
+        '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4',
+        '4.24.5', '4.24.6', '4.24.7',
+        # 4.25.x versions before 4.25.6
+        '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5',
+        # 4.26.x versions before 4.26.3
+        '4.26.0', '4.26.1', '4.26.2'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Check if eAPI is enabled
+    eapi_config = commands.show_eapi
+    eapi_enabled = 'enabled' in eapi_config.lower()
+
+    # Check if certificate-based authentication is configured
+    cert_config = commands.show_cert_auth
+    cert_auth_enabled = 'certificate user' in cert_config
+
+    # Device is vulnerable if both eAPI and certificate auth are enabled
+    is_vulnerable = eapi_enabled and cert_auth_enabled
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2021-28503. "
+        "The device is running a vulnerable version AND has eAPI enabled with certificate-based authentication, "
+        "which could allow remote attackers to bypass authentication. "
+        "Recommended fixes:\n"
+        "1. Upgrade to one of the following fixed versions:\n"
+        "  * 4.26.3 or later for 4.26.x train\n"
+        "  * 4.25.6 or later for 4.25.x train\n"
+        "  * 4.24.8 or later for 4.24.x train\n"
+        "  * 4.23.10 or later for 4.23.x train\n"
+        "2. Until upgrade is complete, implement this workaround:\n"
+        "  * Disable certificate-based authentication for eAPI:\n"
+        "    switch(config)#management security\n"
+        "    switch(config-mgmt-security)#ssl profile profileEAPI\n"
+        "    switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert\n"
+        "For more information, see"
+        "https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072"
+    )

CVEasy/Arista/2021/cve202128503.py

@@ -0,0 +1,64 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202128504',
+    platform=['arista_eos'],
+    commands=dict(
+        show_version='show version',
+        show_tcam='show hardware tcam profile',
+        show_acl='show running-config | section ip access-list'
+    ),
+)
+def rule_cve202128504(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2021-28504 vulnerability in Arista EOS devices.
+    The vulnerability occurs on Strata family products when TCAM profile is enabled and
+    port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules
+    to not match IP protocol fields as expected.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 4.26.x versions before 4.26.4F
+        '4.26.0', '4.26.1F', '4.26.2F', '4.26.3F',
+        # 4.27.x versions before 4.27.1M
+        '4.27.0F'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Check if TCAM profile feature is enabled
+    tcam_output = commands.show_tcam
+    tcam_enabled = 'Profile:' in tcam_output
+
+    # Check if any ACL has VXLAN protocol matching
+    acl_config = commands.show_acl
+    has_vxlan_acl = 'protocol vxlan' in acl_config.lower()
+
+    # Device is vulnerable if TCAM profile is enabled and has VXLAN protocol matching in ACLs
+    is_vulnerable = tcam_enabled and has_vxlan_acl
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2021-28504. "
+        "The device is running a vulnerable version AND has TCAM profile enabled with ACLs matching VXLAN protocol, "
+        "which could cause subsequent ACL rules to not match IP protocol fields correctly. "
+        "Recommended fixes:\n"
+        "1. Upgrade to one of the following fixed versions:\n"
+        "  * 4.26.4F or later for 4.26.x train\n"
+        "  * 4.27.1M or later for 4.27.x train\n"
+        "2. Until upgrade is complete, implement this workaround:\n"
+        "  * Replace 'protocol vxlan' matches in ACLs with:\n"
+        "    - protocol udp\n"
+        "    - destination port 4789 (or configured VXLAN port)\n"
+        "For more information, see"
+        "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073"
+    )