While the steps listed above resolve the issue, the recommended long term solution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. There are two possible solutions: Upgrade the Streaming Telemetry Agent Customers can upgrade the Streaming Telemetry Agent to a fixed version, following the directions in https://arista.my.site.com/AristaCommunity/s/article/terminattr-upgrade-downgrade. Fixes are available in the following supported release trains: TerminAttr 1.25.0 and later Terminattr versions Users of 1.24.X and 1.23.X TerminAttr releases should upgrade to TerminAttr 1.25.0 or later. TerminAttr 1.22.2 and later version in the TerminAttr 1.22.X train TerminAttr 1.19.6 and later versions in the TerminAttr 1.19.X train

Upgrade EOS Customers can upgrade to a version of EOS which contains a fixed version of the Streaming Telemetry Agent within the EOS image, as documented in https://www.arista.com/en/um-eos/eos-upgradedowngrade-overview: EOS 4.29.2F and later releases, which contains TerminAttr 1.25.0 or a more recent version EOS 4.28.6M and later releases in the 4.28.X train, which contains TerminAttr 1.22.2 or a more recent version EOS 4.27.9M and later releases in the 4.27.X train, which contains TerminAttr 1.19.6 or a more recent version EOS 4.26.10M and later releases in the 4.26.X train, which contains TerminAttr 1.19.6 or a more recent version

In order to be vulnerable to CVE-2023-24512 the following conditions must be all be met: A vulnerable version of the Streaming Telemetry Agent must be installed on the switch. The version can be verified with the following commands: #show version detail | grep TerminAttr-core TerminAttr-core v1.13.3 1 In the above example, TerminAttr 1.13.3 is installed. The agent must be running on the switch. This can be verified as follows on the switch: switch# show daemon TerminAttr Process: TerminAttr (running with PID 2430) The Streaming Telemetry Agent must be configured to allow external connections using gRPC. This can be verified by the presence of the -grpcaddr option: switch# daemon TerminAttr show active daemon TerminAttr exec /usr/bin/TerminAttr -grpcaddr=... <other options...>

The streaming telemetry agent can be configured in gRPC read-only mode by specifying -grpcreadonly as part of its configuration. For instance as follows: switch# daemon TerminAttr exec /usr/bin/TerminAttr -grpcreadonly -grpcaddr=... <other options...> no shutdown If TerminAttr is running, it must be restarted for the configuration to take effect. This can be done as follows: switch# daemon TerminAttr shutdown wait-for-warmup no shutdown