Arista CloudVision Portal bug revealed, plus evidence it's been used
You know the drill: face-palm, download, patch, grumble about state of security, relax
Arista customers: if you're running a version of CloudVision Portal (CVP) older than 2016.1.2.1, get an update or risk getting p0wned.
According to the company's terse security advisory, "This vulnerability allows a potential attacker with access to the management plane to gain access to the internal configuration mechanisms of CVP and take over the CVP instance."
There's evidence that attackers have worked out how to exploit it, because the company also gives an example of the log entry left behind when a system has been attacked.
"The following log message in the access.log file in /var/log/nginx indicates that this vulnerability was exploited to gain access to the CVP system:"
[user@cvp15 nginx]# grep "system/console/bundles" access.log
"GET /web/system/console/bundle HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36" "-"
Customers need to upgrade all members of their CloudVision Portal clusters to the latest version. ®
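The log check quoted above, as an added Python example (not code from Arista or from the article): it matches on the path prefix shared by the quoted grep pattern ("bundles") and the quoted request ("bundle"), since the pattern as printed would not match the sample line. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Prefix shared by the advisory's grep pattern ("bundles") and the request in
# its sample log line ("bundle"); matching on it catches both spellings.
CONSOLE_PREFIX = "/web/system/console/"

# Request, status, size, referer and user agent as laid out in the sample line.
# search() skips any leading client-address/timestamp fields.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'(?:\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)

def find_console_hits(lines):
    """Return one dict per request whose path falls under CONSOLE_PREFIX."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        # Normalise before comparing: drop the query string, decode
        # percent-escapes, collapse repeated slashes, ignore case.
        path = re.sub(r"/+", "/", unquote(m.group("path").split("?", 1)[0]))
        if path.lower().startswith(CONSOLE_PREFIX):
            hits.append({"line": lineno, "method": m.group("method"),
                         "path": path, "status": int(m.group("status")),
                         "agent": m.group("agent")})
    return hits

def status_counts(hits):
    """Tally hits by HTTP status so responses can be triaged together."""
    return Counter(h["status"] for h in hits)

# Line 1 is the entry quoted in the article; lines 2-3 are constructed samples
# (192.0.2.0/24 is a documentation address range).
SAMPLE = [
    '"GET /web/system/console/bundle HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36" "-"',
    '192.0.2.10 - - [01/Jan/2017:00:00:00 +0000] "GET /web/system/console/bundles HTTP/1.1" 200 512 "-" "curl/7.50.0" "-"',
    '192.0.2.11 - - [01/Jan/2017:00:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.50.0" "-"',
]

if __name__ == "__main__":
    hits = find_console_hits(SAMPLE)
    for h in hits:
        print(h["line"], h["status"], h["method"], h["path"], h["agent"])
    print(dict(status_counts(hits)))
```

To scan a real log, pass the open file object for /var/log/nginx/access.log to `find_console_hits` in place of `SAMPLE`.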