Arista CloudVision Zero Touch Provisioning Privilege Escalation Vulnerability

Vulnerability

A vulnerability exists in Arista CloudVision systems, in both virtual and physical on-premise deployments, that allows Zero Touch Provisioning (ZTP) to be exploited to gain unauthorized admin privileges. This elevated access exceeds the necessary permissions and could be used to query or manipulate the system state of managed devices. CloudVision as-a-Service is not affected.

Impact

Exploitation of this vulnerability grants unauthorized admin privileges on the affected CloudVision system. These excessive permissions could be used to alter or query the system state of managed devices.

Remediation

The ZTP component can be disabled by running 'cvpi disable ztp' and 'cvpi stop ztp' on any node of the CloudVision deployment. After upgrading to a remediated version, ZTP can be re-enabled with 'cvpi enable ztp' and 'cvpi start ztp'. For more information on upgrading, consult the Arista CloudVision 2024.3 Help Center.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 7.4
remediation: 7.9
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.