CVE-2023-3646: 
NixOS vulnerability analysis and mitigation

CVE-2023-3646 affects Arista EOS platforms with mirroring to multiple destinations configured. The vulnerability was discovered by a customer and was disclosed on August 23, 2023. The affected systems include Arista EOS versions 4.28.2F through 4.28.5.1M and 4.29.1F and below releases, specifically impacting the 7280R3 Series, 7289R3 Series, 7500R3 Series, and 7800R3 Series platforms (Vendor Advisory).

The vulnerability is classified as an out-of-bounds read (CWE-125) with a CVSSv3.1 Base Score of 5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue is tracked by BUG829136 and requires the system to be impacted by BUG765111, a non-CVE known issue. For the vulnerability to be exploitable, mirroring to multiple destinations must be configured with mirror destination being ethernet port (Vendor Advisory).

When exploited, this vulnerability can trigger a kernel panic and cause system reload. The impact is evidenced by specific kernel messages appearing in the 'show reload cause' output or the kernelcrash log, including NULL pointer dereference errors and subsequent system restart (Vendor Advisory).

As a temporary mitigation, Arista recommends removing any mirroring configuration. For permanent resolution, users should upgrade to remediated software versions: 4.28.6M and later releases in the 4.28.x train, or 4.29.2F and later releases in the 4.29.x train. Additionally, hotfixes are available for specific affected versions, though installation may result in 5-20 minutes of outage depending on the number of active ports (Vendor Advisory).