CVE-2021-28503

Summary

The impact of this vulnerability is that Arista's EOS eAPI may skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksArista EOSEOS-4.23 < EOS-4.23.10affected
Arista NetworksArista EOSEOS-4.24 < EOS-4.24.8affected
Arista NetworksArista EOSEOS-4.25 < EOS-4.25.6affected
Arista NetworksArista EOSEOS-4.26 < EOS-4.26.3affected

Weaknesses

  • CWE-305: CWE-305 Authentication Bypass by Primary Weakness

Workarounds

Disallowing user certificate authentication via eAPI can be used to mitigate the vulnerability.

switch(config)#management security switch(config-mgmt-security)#ssl profile profileEAPI switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert switch(config-mgmt-sec-ssl-profile-profileEAPI)#exit

ADP Enrichment

CVE Program Container

Additional References

References