CVE-2023-24547 is a medium-severity vulnerability affecting Arista Networks MOS (Modular Operating System), specifically version 0.13.0. The vulnerability is classified under CWE-212, which pertains to the storage of sensitive information in an insecure manner. In this case, the issue arises from the handling of BGP (Border Gateway Protocol) passwords. When a BGP password is configured on affected Arista MOS platforms, the password is logged in clear text within local device logs and potentially in remote logging servers if logging is configured accordingly. Additionally, the password appears in clear text within the device's running configuration. This exposure allows any authenticated user with access to the device logs or configuration to retrieve the BGP password in plain text. The CVSS v3.1 base score is 5.9, indicating a medium severity level. The vector indicates that the attack vector is network-based (AV:N), requires high attack complexity (AC:H), requires privileges (PR:H), no user interaction (UI:N), and impacts integrity and availability but not confidentiality (C:N/I:H/A:H). Although confidentiality is marked as not impacted in the CVSS vector, the description clearly states that the password is exposed in clear text, which is a confidentiality concern; this discrepancy may be due to the assumption that only authenticated users can access these logs. No known exploits are reported in the wild, and no patches are currently linked, suggesting that mitigation may require configuration changes or vendor updates. The vulnerability could allow an attacker with authenticated access to escalate privileges or disrupt network operations by leveraging the exposed BGP password to manipulate routing configurations or cause denial of service.

For European organizations, especially those operating critical network infrastructure or large-scale data centers using Arista MOS devices, this vulnerability poses a significant risk. Exposure of BGP passwords can lead to unauthorized manipulation of routing protocols, potentially causing traffic interception, rerouting, or denial of service. This can disrupt business operations, impact service availability, and lead to data integrity issues. Given the importance of BGP in internet and enterprise network routing, exploitation could affect ISPs, cloud providers, financial institutions, and large enterprises across Europe. The fact that passwords are stored in clear text in logs and configurations increases the risk of insider threats or lateral movement by attackers who have gained authenticated access. The medium CVSS score reflects the requirement for authenticated access and high attack complexity, but the potential impact on network integrity and availability is considerable. Organizations handling sensitive or regulated data (e.g., GDPR-bound entities) may face compliance risks if such credentials are exposed or misused.

1. Immediate review and restriction of access controls to device logs and running configurations to ensure only highly trusted personnel have authenticated access. 2. Implement strict logging policies to avoid forwarding sensitive logs to remote servers unless encrypted and access-controlled. 3. Regularly audit device configurations and logs for presence of clear text passwords and remove or mask them where possible. 4. Engage with Arista Networks support to obtain patches or firmware updates addressing this vulnerability as they become available. 5. Consider rotating BGP passwords after remediation to invalidate any potentially exposed credentials. 6. Employ network segmentation and multi-factor authentication for device management interfaces to reduce risk of unauthorized authenticated access. 7. Monitor network traffic for anomalous BGP activity that could indicate exploitation attempts. 8. Use configuration management tools that avoid storing or displaying passwords in clear text in running configurations. 9. Educate network administrators about the risks of storing sensitive information in logs and configurations and enforce secure operational procedures.