### Critical Vulnerability Information

#### Vulnerability Overview

- **CVE-2020-5483**: Access to system shell and execution of arbitrary commands via CLI.
- **CVE-2020-5484**: Passwords stored in plain text within configuration files.
- **CVE-2020-5485**: Access to restricted users via API.
- **CVE-2020-5486**: Bypass of image validation by specifying protocol upgrade.

#### Affected Software

- **Data Monitoring Fabric**: DMF R1.7 and earlier versions, UMF R3.5 and earlier versions, all versions of DMF R4.5 and earlier.
- **Converged Cloud Fabric**: CCF 2.3.2 and all subsequent versions.
- **Cloud Vision Appliance**: All versions of CVA 7.0.x.
- **Multi-Cloud Director**: MCD 2.4.2 and all subsequent versions.

#### Affected Platforms

- **CloudVision Appliance (CVA)**: All models running CloudVision Appliance 7.0.x software.
- **Device Collector Appliance (DCA)**: DCA 200 CV.
- **Device Collector Appliance (DCA)**: DCA 250 CV.
- **Arista EOS-based products**: 710 Series, 7200R Series, 7280R Series, etc.
- **Arista vEOS-based products**: vEOS Edge, vEOS Cloud, vEOS Lab, etc.

#### Exploitation Requirements

- **CVE-2020-5483**: Non-administrator users must be able to log in to the system.
- **CVE-2020-5484**: Non-administrator users must be able to log in to the system.
- **CVE-2020-5485**: Users must have REST API access.
- **CVE-2020-5486**: Users must have REST API access.

#### Indicators of Compromise

- **CVE-2020-5483**: Log entries showing use of the `debug developer` command.
- **CVE-2020-5484**: Plain-text passwords found in configuration files.
- **CVE-2020-5485**: Logs indicating API access to restricted users.
- **CVE-2020-5486**: Downloaded images that do not match published hash values.

#### Mitigation Measures

- **CVE-2020-5483**: Prohibit non-administrator users from logging in until upgraded version is installed.
- **CVE-2020-5484**: Remove any controlled users until upgraded version is installed.
- **CVE-2020-5485**: Prohibit non-administrator users from logging in until upgraded version is installed.
- **CVE-2020-5486**: Ensure downloaded images match published hash values.

#### Remediation

- Upgrade to the recommended software version.
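
The image-hash check for CVE-2020-5486 and the `debug developer` log indicator for CVE-2020-5483, as an added example (not code from the advisory or the vendor). The SHA-256 `sha256sum`-style manifest, the file names and the log line format are assumptions, and all sample data is constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumption: SHA-256 digests published in sha256sum format ("<hex>  <name>").
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")
DEBUG_CMD = re.compile(r"\bdebug\s+developer\b", re.IGNORECASE)

def parse_manifest(text):
    """Map file name -> lowercase hex digest; malformed lines are skipped."""
    found = (MANIFEST_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(2): m.group(1).lower() for m in found if m}

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large image is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_image(path, manifest_text):
    """True only on a digest match; an image with no entry fails closed."""
    expected = parse_manifest(manifest_text).get(Path(path).name)
    return expected is not None and hmac.compare_digest(sha256_file(path), expected)

def debug_developer_hits(log_lines):
    """Return log lines recording use of the `debug developer` command."""
    return [line for line in log_lines if DEBUG_CMD.search(line)]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "image-good.bin"
        tampered = Path(tmp) / "image-tampered.bin"
        good.write_bytes(b"constructed image payload")
        tampered.write_bytes(b"constructed image payload, modified")
        published = hashlib.sha256(b"constructed image payload").hexdigest()
        manifest = f"{published}  image-good.bin\n{published.upper()}  image-tampered.bin\n"
        images = {p.name: verify_image(p, manifest) for p in (good, tampered)}
    logs = [  # constructed log lines; the real log format is an assumption
        "2020-03-01T10:00:01Z user=operator1 cmd='show version'",
        "2020-03-01T10:00:09Z user=operator1 cmd='debug developer'",
    ]
    return images, debug_developer_hits(logs)

if __name__ == "__main__":
    print(demo())
```

Take the published digest from a channel separate from the image download, since a manifest fetched alongside a substituted image can be substituted with it.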