Arista Products Debug API Vulnerability Allowing Exposure of Sensitive Configuration Data
Vulnerability
A vulnerability exists in multiple Arista products, including the CloudVision Appliance, Converged Cloud Fabric, DANZ Monitoring Fabric, and Multi-Cloud Director, all prior to their respective fixed versions. On these platforms, restricted users can access sensitive information from the configuration database through a debug API. This includes user password hashes, potentially leading to unauthorized access or privilege escalation.
Impact
Exploitation of this vulnerability allows restricted users to view sensitive information, such as password hashes, from the configuration database. This exposure could be leveraged to gain unauthorized access or escalate privileges.
Remediation
Users are advised to upgrade to the latest versions of each product that address this vulnerability. For CloudVision Appliance, version 7.1.0 and later is recommended. In Converged Cloud Fabric, version 6.2.5 and later should be used. For DANZ Monitoring Fabric, versions 8.7.1, 8.6.2, 8.5.3, and 8.4.6 are available. Multi-Cloud Director users should upgrade to version 2.4.1 or later.
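Because DANZ Monitoring Fabric has a separate fixed release on each maintained train (8.4.6, 8.5.3, 8.6.2, 8.7.1), "is my version older than the fix?" is not a single comparison. The following Python is an added example, not from the advisory and not Arista's own tooling: it parses version strings, matches a running version to the fixed version for its major.minor train (falling back to the newest fix when no fix exists on that train), and filters an inventory down to the hosts that still need the upgrade. The inventory, hostnames and running versions are constructed for the example; only the fixed versions come from the advisory text above.

```python
# Added example (not from the advisory or from Arista): decide whether a running
# product version is below the fixed version for its release train.
from __future__ import annotations

# Fixed versions copied from the advisory text above. DANZ Monitoring Fabric
# has a separate fix on each maintained release train (8.4/8.5/8.6/8.7).
FIXED_VERSIONS: dict[str, list[str]] = {
    "CloudVision Appliance": ["7.1.0"],
    "Converged Cloud Fabric": ["6.2.5"],
    "DANZ Monitoring Fabric": ["8.7.1", "8.6.2", "8.5.3", "8.4.6"],
    "Multi-Cloud Director": ["2.4.1"],
}


def parse_version(text: str, width: int = 3) -> tuple[int, ...]:
    """Turn '8.6.2' (or '8.6.2-hotfix1') into a zero-padded integer tuple.

    Padding keeps comparisons sane when an inventory records '8.6' while the
    advisory lists '8.6.2': (8, 6, 0) < (8, 6, 2) as intended.
    """
    core = text.strip().split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version {text!r}")
        parts.append(int(piece))
    parts.extend([0] * (width - len(parts)))
    return tuple(parts[:width])


def fix_for(product: str, running: str) -> tuple[int, ...]:
    """Return the fixed version the running version should be compared against.

    If a fix exists on the same major.minor train, that is the comparison
    point; otherwise fall back to the newest fixed version, so a train older
    than every fixed train counts as vulnerable and a newer train as fixed.
    """
    fixes = sorted(parse_version(v) for v in FIXED_VERSIONS[product])
    cur = parse_version(running)
    same_train = [f for f in fixes if f[:2] == cur[:2]]
    return same_train[0] if same_train else fixes[-1]


def is_vulnerable(product: str, running: str) -> bool:
    """True when the running version is strictly below its train's fix."""
    return parse_version(running) < fix_for(product, running)


def recommended_upgrade(product: str, running: str) -> str:
    """Dotted version string of the fix the host should move to."""
    return ".".join(str(n) for n in fix_for(product, running))


def audit_inventory(inventory: list[dict[str, str]]) -> list[dict[str, str]]:
    """Filter an inventory (product/host/version dicts) down to exposed hosts."""
    findings = []
    for item in inventory:
        if is_vulnerable(item["product"], item["version"]):
            target = recommended_upgrade(item["product"], item["version"])
            findings.append({**item, "upgrade_to": target})
    return findings


# Constructed sample inventory: hostnames and running versions are made up.
SAMPLE_INVENTORY = [
    {"product": "DANZ Monitoring Fabric", "host": "dmf-ctl-01", "version": "8.6.1"},
    {"product": "DANZ Monitoring Fabric", "host": "dmf-ctl-02", "version": "8.7.1"},
    {"product": "CloudVision Appliance", "host": "cva-01", "version": "7.0.5"},
    {"product": "Multi-Cloud Director", "host": "mcd-01", "version": "2.4.1"},
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['product']} {finding['version']} "
              f"-> upgrade to {finding['upgrade_to']}")
```

A version on a train newer than every listed fix (for example a hypothetical 8.8.0 of DANZ Monitoring Fabric) is treated as fixed, matching the advisory's "prior to their respective fixed versions" wording; a version on a train older than all of them is reported with the newest fix as the upgrade target.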