{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6437", "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "state": "PUBLISHED", "assignerShortName": "Arista", "dateReserved": "2024-07-01T22:29:33.582Z", "datePublished": "2025-01-10T20:06:36.034Z", "dateUpdated": "2025-01-10T21:12:37.972Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EOS-Policy Based Routing (PBR)", "vendor": "Arista Networks", "versions": [{"lessThanOrEqual": "4.32.1F", "status": "affected", "version": "4.32.0F", "versionType": "custom"}, {"lessThanOrEqual": "4.31.4M", "status": "affected", "version": "4.31.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.30.7M", "status": "affected", "version": "4.30.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.29.9M", "status": "affected", "version": "4.29.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.28.11M", "status": "affected", "version": "4.28.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.27.12M", "status": "affected", "version": "4.27.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.26.14M", "status": "affected", "version": "4.26.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.25.11M", "status": "affected", "version": "4.25.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.24.11M", "status": "affected", "version": "4.24.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.23.15M", "status": "affected", "version": "4.23.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.22.13M", "status": "affected", "version": "4.22.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.21.15M", "status": "affected", "version": "4.21.0M", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "EOS - BGP Flowspec", "vendor": "Arista Networks", "versions": [{"lessThanOrEqual": "4.32.1F", "status": "affected", "version": "4.32.0F", "versionType": "custom"}, {"lessThanOrEqual": "4.31.4M", "status": "affected", "version": "4.31.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.30.7M", "status": "affected", "version": "4.30.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.29.9M", "status": "affected", "version": "4.29.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.28.11M", "status": "affected", "version": "4.28.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.27.12M", "status": "affected", "version": "4.27.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.26.14M", "status": "affected", "version": "4.26.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.25.11M", "status": "affected", "version": "4.25.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.24.11M", "status": "affected", "version": "4.24.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.23.15M", "status": "affected", "version": "4.23.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.22.13M", "status": "affected", "version": "4.22.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.21.15M", "status": "affected", "version": "4.21.3F", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "EOS - Interface Traffic Policy", "vendor": "Arista Networks", "versions": [{"lessThanOrEqual": "4.32.1F", "status": "affected", "version": "4.32.0F", "versionType": "custom"}, {"lessThanOrEqual": "4.31.4M", "status": "affected", "version": "4.31.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.30.7M", "status": "affected", "version": "4.30.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.29.9M", "status": "affected", "version": "4.29.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.28.11M", "status": "affected", "version": "4.28.0M", "versionType": "custom"}, {"lessThanOrEqual": "4.27.12F", "status": "affected", "version": "4.27.2F", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In order to be vulnerable to CVE-2024-6437, <b>one</b>&nbsp;of the following <b>three</b>&nbsp;conditions must be met:</p><h4>Policy Based Routing (PBR)</h4><p><b>(1)</b>&nbsp;A PBR policy must be configured with a rule which redirects to a next hop or set of next hops.</p><pre>switch(config)#show policy-map type pbr\nService policy pmap1\n&nbsp; Configured on: Ethernet20/1\n&nbsp; Applied on: &nbsp; Ethernet20/1\n&nbsp; 10: Single match statement\n&nbsp; &nbsp; Match:\n&nbsp; &nbsp; &nbsp; &nbsp; 0 permit ip any host 10.2.1.1\n&nbsp; &nbsp; Configured actions: set nexthop 10.20.1.1\n&nbsp; &nbsp; Active routing action:\n&nbsp; &nbsp; VRF default\n&nbsp; &nbsp; &nbsp; &nbsp; Route to nexthop 10.20.1.1 default\n&nbsp; 20: Single match statement\n&nbsp; &nbsp; Match:\n&nbsp; &nbsp; &nbsp; &nbsp; 0 permit ip any host 10.3.1.1\n&nbsp; &nbsp; Configured actions: set nexthop 10.20.2.1\n&nbsp; &nbsp; Active routing action:\n&nbsp; &nbsp; VRF default\n&nbsp; &nbsp; &nbsp; &nbsp; Route to nexthop 10.20.2.1 default\n&nbsp; 30: Single match statement\n&nbsp; &nbsp; Match:\n&nbsp; &nbsp; &nbsp; &nbsp; 0 permit ip 10.50.1.0/24 any\n&nbsp; &nbsp; Configured actions: set nexthop 10.20.3.1\n&nbsp; &nbsp; Active routing action:\n&nbsp; &nbsp; VRF default\n&nbsp; &nbsp; &nbsp; &nbsp; Route to nexthop 10.20.3.1 default\n&nbsp; 40: Single match statement\n&nbsp; &nbsp; Match:\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">0 permit ip any any</span>\n <span style=\"background-color: rgb(255, 255, 0);\">Configured actions: set nexthop 10.20.4.1</span>\n&nbsp; &nbsp; Active routing action:\n&nbsp; &nbsp; VRF default\n&nbsp; &nbsp; &nbsp; &nbsp; Route to nexthop 10.20.4.1 default\n</pre><div>&nbsp;</div><p>With this configuration, any packet that does not match the PBR match rules will fall through and match the \"default\" match-all rule and should get redirected to the next hop <b>10.20.4.1</b>.</p><h4>BGP Flowspec</h4><p>OR</p><p><b>(2)</b>&nbsp;A BGP Flowspec must be configured with a rule which redirects to a next hop or set of next hops.</p><pre>switch#show flow-spec ipv4\nFlow specification rules for VRF default\nConfigured on: Ethernet20/1\nApplied on: Ethernet20/1\n&nbsp; Flow-spec rule: 10.100.0.0/16;*;\n&nbsp; &nbsp; Rule identifier: 1\n&nbsp; &nbsp; Matches:\n&nbsp; &nbsp; &nbsp; Destination prefix: 10.100.0.0/16\n&nbsp; &nbsp; Actions:\n&nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Redirect: VRF default</span>\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Route via next hop 10.20.4.1</span>\n&nbsp; &nbsp; Status:\n&nbsp; &nbsp; &nbsp; Installed: yes\n&nbsp; &nbsp; &nbsp; Counter: 0 packets, 0 bytes\n</pre><div>&nbsp;</div><p>With this configuration, all traffic ingressing <b>Ethernet20/1</b>&nbsp;with destination addresses in the <b>10.100.0.0/16</b>&nbsp;subnet should get redirected to the next hop <b>10.20.4.1</b>.</p><h4>Interface Traffic Policy</h4><p>OR</p><p><b>(3)</b>&nbsp;An interface traffic policy must be configured with a rule that redirects to a next hop or set of next hops.</p><pre>switch#show traffic-policy interface\nTraffic policy foo\n&nbsp; &nbsp;Configured on input of interfaces: Ethernet20/1\n&nbsp; &nbsp;Applied on input of interfaces for IPv4 traffic: Ethernet20/1\n&nbsp; &nbsp;Applied on input of interfaces for IPv6 traffic:\n&nbsp; &nbsp;Applied on input of interfaces for MAC traffic:\n&nbsp; &nbsp;Configured on output of interfaces:\n&nbsp; &nbsp;Applied on output of interfaces for IPv4 traffic:\n&nbsp; &nbsp;Applied on output of interfaces for IPv6 traffic:\n&nbsp; &nbsp;Total number of rules configured: 3\n&nbsp; &nbsp; &nbsp; match rule1 ipv4\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Destination prefix: 10.100.0.0/16\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span style=\"background-color: rgb(255, 255, 0);\">Actions: Redirect next hop 10.20.4.1</span>\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active routing action:</span>\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">VRF default</span>\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Route via next hop 10.20.4.1 VRF default</span>\n&nbsp; &nbsp; &nbsp; match ipv4-all-default ipv4\n&nbsp; &nbsp; &nbsp; match ipv6-all-default ipv6\n</pre><div>&nbsp;</div><p>With this configuration, all traffic ingressing <b>Ethernet20/1</b>&nbsp;with destination addresses in the <b>10.100.0.0/16</b>&nbsp;subnet should get redirected to the next hop <b>10.20.4.1</b>.</p><br>"}], "value": "In order to be vulnerable to CVE-2024-6437, one\u00a0of the following three\u00a0conditions must be met:\n\nPolicy Based Routing (PBR)(1)\u00a0A PBR policy must be configured with a rule which redirects to a next hop or set of next hops.\n\nswitch(config)#show policy-map type pbr\nService policy pmap1\n\u00a0 Configured on: Ethernet20/1\n\u00a0 Applied on: \u00a0 Ethernet20/1\n\u00a0 10: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any host 10.2.1.1\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.1.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.1.1 default\n\u00a0 20: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any host 10.3.1.1\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.2.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.2.1 default\n\u00a0 30: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip 10.50.1.0/24 any\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.3.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.3.1 default\n\u00a0 40: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any any\n Configured actions: set nexthop 10.20.4.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.4.1 default\n\n\n\u00a0\n\nWith this configuration, any packet that does not match the PBR match rules will fall through and match the \"default\" match-all rule and should get redirected to the next hop 10.20.4.1.\n\nBGP FlowspecOR\n\n(2)\u00a0A BGP Flowspec must be configured with a rule which redirects to a next hop or set of next hops.\n\nswitch#show flow-spec ipv4\nFlow specification rules for VRF default\nConfigured on: Ethernet20/1\nApplied on: Ethernet20/1\n\u00a0 Flow-spec rule: 10.100.0.0/16;*;\n\u00a0 \u00a0 Rule identifier: 1\n\u00a0 \u00a0 Matches:\n\u00a0 \u00a0 \u00a0 Destination prefix: 10.100.0.0/16\n\u00a0 \u00a0 Actions:\n\u00a0 \u00a0 \u00a0 Redirect: VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Route via next hop 10.20.4.1\n\u00a0 \u00a0 Status:\n\u00a0 \u00a0 \u00a0 Installed: yes\n\u00a0 \u00a0 \u00a0 Counter: 0 packets, 0 bytes\n\n\n\u00a0\n\nWith this configuration, all traffic ingressing Ethernet20/1\u00a0with destination addresses in the 10.100.0.0/16\u00a0subnet should get redirected to the next hop 10.20.4.1.\n\nInterface Traffic PolicyOR\n\n(3)\u00a0An interface traffic policy must be configured with a rule that redirects to a next hop or set of next hops.\n\nswitch#show traffic-policy interface\nTraffic policy foo\n\u00a0 \u00a0Configured on input of interfaces: Ethernet20/1\n\u00a0 \u00a0Applied on input of interfaces for IPv4 traffic: Ethernet20/1\n\u00a0 \u00a0Applied on input of interfaces for IPv6 traffic:\n\u00a0 \u00a0Applied on input of interfaces for MAC traffic:\n\u00a0 \u00a0Configured on output of interfaces:\n\u00a0 \u00a0Applied on output of interfaces for IPv4 traffic:\n\u00a0 \u00a0Applied on output of interfaces for IPv6 traffic:\n\u00a0 \u00a0Total number of rules configured: 3\n\u00a0 \u00a0 \u00a0 match rule1 ipv4\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Destination prefix: 10.100.0.0/16\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Actions: Redirect next hop 10.20.4.1\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Route via next hop 10.20.4.1 VRF default\n\u00a0 \u00a0 \u00a0 match ipv4-all-default ipv4\n\u00a0 \u00a0 \u00a0 match ipv6-all-default ipv6\n\n\n\u00a0\n\nWith this configuration, all traffic ingressing Ethernet20/1\u00a0with destination addresses in the 10.100.0.0/16\u00a0subnet should get redirected to the next hop 10.20.4.1."}], "datePublic": "2024-12-05T19:46:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature's </span><b>set nexthop</b><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination.</span><br>"}], "value": "On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature's set nexthop\u00a0action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination."}], "impacts": [{"capecId": "CAPEC-124", "descriptions": [{"lang": "en", "value": "CAPEC-124 Shared Resource Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "cwe-1220", "lang": "en"}]}], "providerMetadata": {"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "shortName": "Arista", "dateUpdated": "2025-01-10T20:06:36.034Z"}, "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/20689-security-advisory-0108"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The recommended resolution is to upgrade to a remediated software version that contains the <b>ip software forwarding options action drop</b>&nbsp;CLI command, and configure the command at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\">EOS User Manual: Upgrades and Downgrades</a></p><p>CVE-2024-6437 has been fixed in the following releases:</p><ul><li>4.32.2F and later releases in the 4.32.x train</li><li>4.31.5M and later releases in the 4.31.x train</li><li>4.30.8M and later releases in the 4.30.x train</li><li>4.29.10M and later releases in the 4.29.x train</li></ul><br>"}], "value": "The recommended resolution is to upgrade to a remediated software version that contains the ip software forwarding options action drop\u00a0CLI command, and configure the command at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-6437 has been fixed in the following releases:\n\n * 4.32.2F and later releases in the 4.32.x train\n * 4.31.5M and later releases in the 4.31.x train\n * 4.30.8M and later releases in the 4.30.x train\n * 4.29.10M and later releases in the 4.29.x train"}], "source": {"advisory": "108", "defect": ["BUG 962149"], "discovery": "EXTERNAL"}, "title": "On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options ma", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>For all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the <b>ip software forwarding options action drop</b>, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an <b>iptables</b>&nbsp;rule that drops all IPv4 options traffic in the filter table of the <b>FORWARD</b>&nbsp;chain.</p><pre>switch(config)#<span style=\"background-color: rgb(255, 255, 0);\">ip software forwarding options action drop</span>\n \n# Below is shown to illustrate what the rule does. This is not a command that needs to be run.\n \nswitch(config)#bash sudo iptables -vnL EOS_FORWARD\nChain EOS_FORWARD (1 references)\n&nbsp;pkts bytes target &nbsp; &nbsp; prot opt in &nbsp; &nbsp; out &nbsp; &nbsp; source &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; destination\n&nbsp; &nbsp; 0 &nbsp; &nbsp; 0 DROP &nbsp; &nbsp; &nbsp; all -- * &nbsp; &nbsp; * &nbsp; &nbsp; &nbsp; 0.0.0.0/0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0.0.0.0/0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; u32 ! \"0x0&gt;&gt;0x18=0x45\"\n&nbsp; &nbsp; 0 &nbsp; &nbsp; 0 REJECT &nbsp; &nbsp; all -- * &nbsp; &nbsp; fwd+ &nbsp; 0.0.0.0/0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0.0.0.0/0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; u32 ! \"0x0&gt;&gt;0x18=0x45\" reject-with icmp-admin-prohibited\n&nbsp; &nbsp; 0 &nbsp; &nbsp; 0 DROP &nbsp; &nbsp; &nbsp; all -- * &nbsp; &nbsp; ma+ &nbsp; &nbsp; 0.0.0.0/0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0.0.0.0/0\n&nbsp; &nbsp; 0 &nbsp; &nbsp; 0 ACCEPT &nbsp; &nbsp; all -- * &nbsp; &nbsp; * &nbsp; &nbsp; !127.0.0.0/8 &nbsp; &nbsp; &nbsp; &nbsp; !127.0.0.0/8\n</pre><div>&nbsp;</div><p>Additionally, in 7280R3, 7500R3, and 7800R3 systems, the <b><i>system-rule overriding-action redirect</i></b>&nbsp;command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features' <b>set nexthop</b>&nbsp;action to take precedence over the system ACL's trap action to CPU. See <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules\">TCAM redirect action overriding system rules - TOI</a>&nbsp;for more information.</p><br>"}], "value": "For all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the ip software forwarding options action drop, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an iptables\u00a0rule that drops all IPv4 options traffic in the filter table of the FORWARD\u00a0chain.\n\nswitch(config)#ip software forwarding options action drop\n \n# Below is shown to illustrate what the rule does. This is not a command that needs to be run.\n \nswitch(config)#bash sudo iptables -vnL EOS_FORWARD\nChain EOS_FORWARD (1 references)\n\u00a0pkts bytes target \u00a0 \u00a0 prot opt in \u00a0 \u00a0 out \u00a0 \u00a0 source \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 DROP \u00a0 \u00a0 \u00a0 all -- * \u00a0 \u00a0 * \u00a0 \u00a0 \u00a0 0.0.0.0/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 u32 ! \"0x0>>0x18=0x45\"\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 REJECT \u00a0 \u00a0 all -- * \u00a0 \u00a0 fwd+ \u00a0 0.0.0.0/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 u32 ! \"0x0>>0x18=0x45\" reject-with icmp-admin-prohibited\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 DROP \u00a0 \u00a0 \u00a0 all -- * \u00a0 \u00a0 ma+ \u00a0 \u00a0 0.0.0.0/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 ACCEPT \u00a0 \u00a0 all -- * \u00a0 \u00a0 * \u00a0 \u00a0 !127.0.0.0/8 \u00a0 \u00a0 \u00a0 \u00a0 !127.0.0.0/8\n\n\n\u00a0\n\nAdditionally, in 7280R3, 7500R3, and 7800R3 systems, the system-rule overriding-action redirect\u00a0command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features' set nexthop\u00a0action to take precedence over the system ACL's trap action to CPU. See TCAM redirect action overriding system rules - TOI https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules \u00a0for more information."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-10T21:12:08.840985Z", "id": "CVE-2024-6437", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-10T21:12:37.972Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6437", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-10T21:12:08.840985Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-10T21:12:31.502Z"}}], "cna": {"title": "On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options ma", "source": {"defect": ["BUG 962149"], "advisory": "108", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-124", "descriptions": [{"lang": "en", "value": "CAPEC-124 Shared Resource Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Arista Networks", "product": "EOS-Policy Based Routing (PBR)", "versions": [{"status": "affected", "version": "4.32.0F", "versionType": "custom", "lessThanOrEqual": "4.32.1F"}, {"status": "affected", "version": "4.31.0M", "versionType": "custom", "lessThanOrEqual": "4.31.4M"}, {"status": "affected", "version": "4.30.0M", "versionType": "custom", "lessThanOrEqual": "4.30.7M"}, {"status": "affected", "version": "4.29.0M", "versionType": "custom", "lessThanOrEqual": "4.29.9M"}, {"status": "affected", "version": "4.28.0M", "versionType": "custom", "lessThanOrEqual": "4.28.11M"}, {"status": "affected", "version": "4.27.0M", "versionType": "custom", "lessThanOrEqual": "4.27.12M"}, {"status": "affected", "version": "4.26.0M", "versionType": "custom", "lessThanOrEqual": "4.26.14M"}, {"status": "affected", "version": "4.25.0M", "versionType": "custom", "lessThanOrEqual": "4.25.11M"}, {"status": "affected", "version": "4.24.0M", "versionType": "custom", "lessThanOrEqual": "4.24.11M"}, {"status": "affected", "version": "4.23.0M", "versionType": "custom", "lessThanOrEqual": "4.23.15M"}, {"status": "affected", "version": "4.22.0M", "versionType": "custom", "lessThanOrEqual": "4.22.13M"}, {"status": "affected", "version": "4.21.0M", "versionType": "custom", "lessThanOrEqual": "4.21.15M"}], "defaultStatus": "unaffected"}, {"vendor": "Arista Networks", "product": "EOS - BGP Flowspec", "versions": [{"status": "affected", "version": "4.32.0F", "versionType": "custom", "lessThanOrEqual": "4.32.1F"}, {"status": "affected", "version": "4.31.0M", "versionType": "custom", "lessThanOrEqual": "4.31.4M"}, {"status": "affected", "version": "4.30.0M", "versionType": "custom", "lessThanOrEqual": "4.30.7M"}, {"status": "affected", "version": "4.29.0M", "versionType": "custom", "lessThanOrEqual": "4.29.9M"}, {"status": "affected", "version": "4.28.0M", "versionType": "custom", "lessThanOrEqual": "4.28.11M"}, {"status": "affected", "version": "4.27.0M", "versionType": "custom", "lessThanOrEqual": "4.27.12M"}, {"status": "affected", "version": "4.26.0M", "versionType": "custom", "lessThanOrEqual": "4.26.14M"}, {"status": "affected", "version": "4.25.0M", "versionType": "custom", "lessThanOrEqual": "4.25.11M"}, {"status": "affected", "version": "4.24.0M", "versionType": "custom", "lessThanOrEqual": "4.24.11M"}, {"status": "affected", "version": "4.23.0M", "versionType": "custom", "lessThanOrEqual": "4.23.15M"}, {"status": "affected", "version": "4.22.0M", "versionType": "custom", "lessThanOrEqual": "4.22.13M"}, {"status": "affected", "version": "4.21.3F", "versionType": "custom", "lessThanOrEqual": "4.21.15M"}], "defaultStatus": "unaffected"}, {"vendor": "Arista Networks", "product": "EOS - Interface Traffic Policy", "versions": [{"status": "affected", "version": "4.32.0F", "versionType": "custom", "lessThanOrEqual": "4.32.1F"}, {"status": "affected", "version": "4.31.0M", "versionType": "custom", "lessThanOrEqual": "4.31.4M"}, {"status": "affected", "version": "4.30.0M", "versionType": "custom", "lessThanOrEqual": "4.30.7M"}, {"status": "affected", "version": "4.29.0M", "versionType": "custom", "lessThanOrEqual": "4.29.9M"}, {"status": "affected", "version": "4.28.0M", "versionType": "custom", "lessThanOrEqual": "4.28.11M"}, {"status": "affected", "version": "4.27.2F", "versionType": "custom", "lessThanOrEqual": "4.27.12F"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The recommended resolution is to upgrade to a remediated software version that contains the ip software forwarding options action drop\u00a0CLI command, and configure the command at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-6437 has been fixed in the following releases:\n\n * 4.32.2F and later releases in the 4.32.x train\n * 4.31.5M and later releases in the 4.31.x train\n * 4.30.8M and later releases in the 4.30.x train\n * 4.29.10M and later releases in the 4.29.x train", "supportingMedia": [{"type": "text/html", "value": "<p>The recommended resolution is to upgrade to a remediated software version that contains the <b>ip software forwarding options action drop</b>&nbsp;CLI command, and configure the command at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\">EOS User Manual: Upgrades and Downgrades</a></p><p>CVE-2024-6437 has been fixed in the following releases:</p><ul><li>4.32.2F and later releases in the 4.32.x train</li><li>4.31.5M and later releases in the 4.31.x train</li><li>4.30.8M and later releases in the 4.30.x train</li><li>4.29.10M and later releases in the 4.29.x train</li></ul><br>", "base64": false}]}], "datePublic": "2024-12-05T19:46:00.000Z", "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/20689-security-advisory-0108"}], "workarounds": [{"lang": "en", "value": "For all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the ip software forwarding options action drop, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an iptables\u00a0rule that drops all IPv4 options traffic in the filter table of the FORWARD\u00a0chain.\n\nswitch(config)#ip software forwarding options action drop\n \n# Below is shown to illustrate what the rule does. This is not a command that needs to be run.\n \nswitch(config)#bash sudo iptables -vnL EOS_FORWARD\nChain EOS_FORWARD (1 references)\n\u00a0pkts bytes target \u00a0 \u00a0 prot opt in \u00a0 \u00a0 out \u00a0 \u00a0 source \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 DROP \u00a0 \u00a0 \u00a0 all -- * \u00a0 \u00a0 * \u00a0 \u00a0 \u00a0 0.0.0.0/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 u32 ! \"0x0>>0x18=0x45\"\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 REJECT \u00a0 \u00a0 all -- * \u00a0 \u00a0 fwd+ \u00a0 0.0.0.0/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 u32 ! \"0x0>>0x18=0x45\" reject-with icmp-admin-prohibited\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 DROP \u00a0 \u00a0 \u00a0 all -- * \u00a0 \u00a0 ma+ \u00a0 \u00a0 0.0.0.0/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0/0\n\u00a0 \u00a0 0 \u00a0 \u00a0 0 ACCEPT \u00a0 \u00a0 all -- * \u00a0 \u00a0 * \u00a0 \u00a0 !127.0.0.0/8 \u00a0 \u00a0 \u00a0 \u00a0 !127.0.0.0/8\n\n\n\u00a0\n\nAdditionally, in 7280R3, 7500R3, and 7800R3 systems, the system-rule overriding-action redirect\u00a0command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features' set nexthop\u00a0action to take precedence over the system ACL's trap action to CPU. See TCAM redirect action overriding system rules - TOI https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules \u00a0for more information.", "supportingMedia": [{"type": "text/html", "value": "<p>For all affected systems, the suggested mitigation for all three affected features is to drop all IPv4 options traffic via the <b>ip software forwarding options action drop</b>, available in 4.32.2F and later releases in the 4.32 train, 4.31.5M and later releases in the 4.31 train, and 4.30.8M and later releases in the 4.30 train. The command installs an <b>iptables</b>&nbsp;rule that drops all IPv4 options traffic in the filter table of the <b>FORWARD</b>&nbsp;chain.</p><pre>switch(config)#<span style=\"background-color: rgb(255, 255, 0);\">ip software forwarding options action drop</span>\n \n# Below is shown to illustrate what the rule does. This is not a command that needs to be run.\n \nswitch(config)#bash sudo iptables -vnL EOS_FORWARD\nChain EOS_FORWARD (1 references)\n&nbsp;pkts bytes target &nbsp; &nbsp; prot opt in &nbsp; &nbsp; out &nbsp; &nbsp; source &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; destination\n&nbsp; &nbsp; 0 &nbsp; &nbsp; 0 DROP &nbsp; &nbsp; &nbsp; all -- * &nbsp; &nbsp; * &nbsp; &nbsp; &nbsp; 0.0.0.0/0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0.0.0.0/0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; u32 ! \"0x0&gt;&gt;0x18=0x45\"\n&nbsp; &nbsp; 0 &nbsp; &nbsp; 0 REJECT &nbsp; &nbsp; all -- * &nbsp; &nbsp; fwd+ &nbsp; 0.0.0.0/0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0.0.0.0/0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; u32 ! \"0x0&gt;&gt;0x18=0x45\" reject-with icmp-admin-prohibited\n&nbsp; &nbsp; 0 &nbsp; &nbsp; 0 DROP &nbsp; &nbsp; &nbsp; all -- * &nbsp; &nbsp; ma+ &nbsp; &nbsp; 0.0.0.0/0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0.0.0.0/0\n&nbsp; &nbsp; 0 &nbsp; &nbsp; 0 ACCEPT &nbsp; &nbsp; all -- * &nbsp; &nbsp; * &nbsp; &nbsp; !127.0.0.0/8 &nbsp; &nbsp; &nbsp; &nbsp; !127.0.0.0/8\n</pre><div>&nbsp;</div><p>Additionally, in 7280R3, 7500R3, and 7800R3 systems, the <b><i>system-rule overriding-action redirect</i></b>&nbsp;command (present in EOS-4.28.0F and newer releases) can be used to allow for all of the affected features' <b>set nexthop</b>&nbsp;action to take precedence over the system ACL's trap action to CPU. See <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/support/toi/eos-4-28-0f/15280-tcam-redirect-action-overriding-system-rules\">TCAM redirect action overriding system rules - TOI</a>&nbsp;for more information.</p><br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature's set nexthop\u00a0action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature's </span><b>set nexthop</b><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "cwe-1220"}]}], "configurations": [{"lang": "en", "value": "In order to be vulnerable to CVE-2024-6437, one\u00a0of the following three\u00a0conditions must be met:\n\nPolicy Based Routing (PBR)(1)\u00a0A PBR policy must be configured with a rule which redirects to a next hop or set of next hops.\n\nswitch(config)#show policy-map type pbr\nService policy pmap1\n\u00a0 Configured on: Ethernet20/1\n\u00a0 Applied on: \u00a0 Ethernet20/1\n\u00a0 10: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any host 10.2.1.1\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.1.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.1.1 default\n\u00a0 20: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any host 10.3.1.1\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.2.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.2.1 default\n\u00a0 30: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip 10.50.1.0/24 any\n\u00a0 \u00a0 Configured actions: set nexthop 10.20.3.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.3.1 default\n\u00a0 40: Single match statement\n\u00a0 \u00a0 Match:\n\u00a0 \u00a0 \u00a0 \u00a0 0 permit ip any any\n Configured actions: set nexthop 10.20.4.1\n\u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 Route to nexthop 10.20.4.1 default\n\n\n\u00a0\n\nWith this configuration, any packet that does not match the PBR match rules will fall through and match the \"default\" match-all rule and should get redirected to the next hop 10.20.4.1.\n\nBGP FlowspecOR\n\n(2)\u00a0A BGP Flowspec must be configured with a rule which redirects to a next hop or set of next hops.\n\nswitch#show flow-spec ipv4\nFlow specification rules for VRF default\nConfigured on: Ethernet20/1\nApplied on: Ethernet20/1\n\u00a0 Flow-spec rule: 10.100.0.0/16;*;\n\u00a0 \u00a0 Rule identifier: 1\n\u00a0 \u00a0 Matches:\n\u00a0 \u00a0 \u00a0 Destination prefix: 10.100.0.0/16\n\u00a0 \u00a0 Actions:\n\u00a0 \u00a0 \u00a0 Redirect: VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Route via next hop 10.20.4.1\n\u00a0 \u00a0 Status:\n\u00a0 \u00a0 \u00a0 Installed: yes\n\u00a0 \u00a0 \u00a0 Counter: 0 packets, 0 bytes\n\n\n\u00a0\n\nWith this configuration, all traffic ingressing Ethernet20/1\u00a0with destination addresses in the 10.100.0.0/16\u00a0subnet should get redirected to the next hop 10.20.4.1.\n\nInterface Traffic PolicyOR\n\n(3)\u00a0An interface traffic policy must be configured with a rule that redirects to a next hop or set of next hops.\n\nswitch#show traffic-policy interface\nTraffic policy foo\n\u00a0 \u00a0Configured on input of interfaces: Ethernet20/1\n\u00a0 \u00a0Applied on input of interfaces for IPv4 traffic: Ethernet20/1\n\u00a0 \u00a0Applied on input of interfaces for IPv6 traffic:\n\u00a0 \u00a0Applied on input of interfaces for MAC traffic:\n\u00a0 \u00a0Configured on output of interfaces:\n\u00a0 \u00a0Applied on output of interfaces for IPv4 traffic:\n\u00a0 \u00a0Applied on output of interfaces for IPv6 traffic:\n\u00a0 \u00a0Total number of rules configured: 3\n\u00a0 \u00a0 \u00a0 match rule1 ipv4\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Destination prefix: 10.100.0.0/16\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0Actions: Redirect next hop 10.20.4.1\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Active routing action:\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 VRF default\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Route via next hop 10.20.4.1 VRF default\n\u00a0 \u00a0 \u00a0 match ipv4-all-default ipv4\n\u00a0 \u00a0 \u00a0 match ipv6-all-default ipv6\n\n\n\u00a0\n\nWith this configuration, all traffic ingressing Ethernet20/1\u00a0with destination addresses in the 10.100.0.0/16\u00a0subnet should get redirected to the next hop 10.20.4.1.", "supportingMedia": [{"type": "text/html", "value": "<p>In order to be vulnerable to CVE-2024-6437, <b>one</b>&nbsp;of the following <b>three</b>&nbsp;conditions must be met:</p><h4>Policy Based Routing (PBR)</h4><p><b>(1)</b>&nbsp;A PBR policy must be configured with a rule which redirects to a next hop or set of next hops.</p><pre>switch(config)#show policy-map type pbr\nService policy pmap1\n&nbsp; Configured on: Ethernet20/1\n&nbsp; Applied on: &nbsp; Ethernet20/1\n&nbsp; 10: Single match statement\n&nbsp; &nbsp; Match:\n&nbsp; &nbsp; &nbsp; &nbsp; 0 permit ip any host 10.2.1.1\n&nbsp; &nbsp; Configured actions: set nexthop 10.20.1.1\n&nbsp; &nbsp; Active routing action:\n&nbsp; &nbsp; VRF default\n&nbsp; &nbsp; &nbsp; &nbsp; Route to nexthop 10.20.1.1 default\n&nbsp; 20: Single match statement\n&nbsp; &nbsp; Match:\n&nbsp; &nbsp; &nbsp; &nbsp; 0 permit ip any host 10.3.1.1\n&nbsp; &nbsp; Configured actions: set nexthop 10.20.2.1\n&nbsp; &nbsp; Active routing action:\n&nbsp; &nbsp; VRF default\n&nbsp; &nbsp; &nbsp; &nbsp; Route to nexthop 10.20.2.1 default\n&nbsp; 30: Single match statement\n&nbsp; &nbsp; Match:\n&nbsp; &nbsp; &nbsp; &nbsp; 0 permit ip 10.50.1.0/24 any\n&nbsp; &nbsp; Configured actions: set nexthop 10.20.3.1\n&nbsp; &nbsp; Active routing action:\n&nbsp; &nbsp; VRF default\n&nbsp; &nbsp; &nbsp; &nbsp; Route to nexthop 10.20.3.1 default\n&nbsp; 40: Single match statement\n&nbsp; &nbsp; Match:\n&nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">0 permit ip any any</span>\n <span style=\"background-color: rgb(255, 255, 0);\">Configured actions: set nexthop 10.20.4.1</span>\n&nbsp; &nbsp; Active routing action:\n&nbsp; &nbsp; VRF default\n&nbsp; &nbsp; &nbsp; &nbsp; Route to nexthop 10.20.4.1 default\n</pre><div>&nbsp;</div><p>With this configuration, any packet that does not match the PBR match rules will fall through and match the \"default\" match-all rule and should get redirected to the next hop <b>10.20.4.1</b>.</p><h4>BGP Flowspec</h4><p>OR</p><p><b>(2)</b>&nbsp;A BGP Flowspec must be configured with a rule which redirects to a next hop or set of next hops.</p><pre>switch#show flow-spec ipv4\nFlow specification rules for VRF default\nConfigured on: Ethernet20/1\nApplied on: Ethernet20/1\n&nbsp; Flow-spec rule: 10.100.0.0/16;*;\n&nbsp; &nbsp; Rule identifier: 1\n&nbsp; &nbsp; Matches:\n&nbsp; &nbsp; &nbsp; Destination prefix: 10.100.0.0/16\n&nbsp; &nbsp; Actions:\n&nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Redirect: VRF default</span>\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Route via next hop 10.20.4.1</span>\n&nbsp; &nbsp; Status:\n&nbsp; &nbsp; &nbsp; Installed: yes\n&nbsp; &nbsp; &nbsp; Counter: 0 packets, 0 bytes\n</pre><div>&nbsp;</div><p>With this configuration, all traffic ingressing <b>Ethernet20/1</b>&nbsp;with destination addresses in the <b>10.100.0.0/16</b>&nbsp;subnet should get redirected to the next hop <b>10.20.4.1</b>.</p><h4>Interface Traffic Policy</h4><p>OR</p><p><b>(3)</b>&nbsp;An interface traffic policy must be configured with a rule that redirects to a next hop or set of next hops.</p><pre>switch#show traffic-policy interface\nTraffic policy foo\n&nbsp; &nbsp;Configured on input of interfaces: Ethernet20/1\n&nbsp; &nbsp;Applied on input of interfaces for IPv4 traffic: Ethernet20/1\n&nbsp; &nbsp;Applied on input of interfaces for IPv6 traffic:\n&nbsp; &nbsp;Applied on input of interfaces for MAC traffic:\n&nbsp; &nbsp;Configured on output of interfaces:\n&nbsp; &nbsp;Applied on output of interfaces for IPv4 traffic:\n&nbsp; &nbsp;Applied on output of interfaces for IPv6 traffic:\n&nbsp; &nbsp;Total number of rules configured: 3\n&nbsp; &nbsp; &nbsp; match rule1 ipv4\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Destination prefix: 10.100.0.0/16\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span style=\"background-color: rgb(255, 255, 0);\">Actions: Redirect next hop 10.20.4.1</span>\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Active routing action:</span>\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">VRF default</span>\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span style=\"background-color: rgb(255, 255, 0);\">Route via next hop 10.20.4.1 VRF default</span>\n&nbsp; &nbsp; &nbsp; match ipv4-all-default ipv4\n&nbsp; &nbsp; &nbsp; match ipv6-all-default ipv6\n</pre><div>&nbsp;</div><p>With this configuration, all traffic ingressing <b>Ethernet20/1</b>&nbsp;with destination addresses in the <b>10.100.0.0/16</b>&nbsp;subnet should get redirected to the next hop <b>10.20.4.1</b>.</p><br>", "base64": false}]}], "providerMetadata": {"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "shortName": "Arista", "dateUpdated": "2025-01-10T20:06:36.034Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6437", "state": "PUBLISHED", "dateUpdated": "2025-01-10T21:12:37.972Z", "dateReserved": "2024-07-01T22:29:33.582Z", "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "datePublished": "2025-01-10T20:06:36.034Z", "assignerShortName": "Arista"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "On affected platforms running Arista EOS with one of the following features configured to redirect IP traffic to a next hop: policy-based routing (PBR), BGP Flowspec, or interface traffic policy -- certain IP traffic such as IPv4 packets with IP options may bypass the feature's set nexthop\u00a0action and be slow-path forwarded (FIB routed) by the kernel as the packets are trapped to the CPU instead of following the redirect action's destination."}], "id": "CVE-2024-6437", "lastModified": "2025-01-10T20:15:30.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@arista.com", "type": "Secondary"}]}, "published": "2025-01-10T20:15:30.817", "references": [{"source": "psirt@arista.com", "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/20689-security-advisory-0108"}], "sourceIdentifier": "psirt@arista.com", "vulnStatus": "Received"}

{}