Arista Edge Threat Management Remote Access Session Discovery Vulnerability

A vulnerability exists in Arista Edge Threat Management (ETM) for the Arista NG Firewall (NGFW) in versions through 17.1.1. This vulnerability allows specially crafted queries to discover active remote access sessions. The issue arises from expired and unusable administrator authentication tokens being revealed by units that have timed out from ETM access, creating a potential avenue for exploitation.

Impact

Exploitation of this vulnerability could lead to unauthorized discovery of active remote access sessions, potentially allowing for further exploitation or unauthorized actions within the NGFW.

Reproduction

To reproduce this vulnerability, log into the Edge Threat Management (ETM) interface and navigate to the target NGFW appliance. Click on 'Remote Access' and leave the connection active. Then, as the NGFW administrator, access the 'Admin Login Events' under the Reports section to check for invalid login attempts, which would indicate exploitation of the vulnerability.

Remediation

No specific remediation is available for this vulnerability, but users can upgrade to Arista NG Firewall version 17.2.