CVE-2021-28503
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
The impact of this vulnerability is that Arista's EOS eAPI may skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | Arista EOS | EOS-4.23 < EOS-4.23.10 | affected |
| Arista Networks | Arista EOS | EOS-4.24 < EOS-4.24.8 | affected |
| Arista Networks | Arista EOS | EOS-4.25 < EOS-4.25.6 | affected |
| Arista Networks | Arista EOS | EOS-4.26 < EOS-4.26.3 | affected |
Weaknesses
- CWE-305: CWE-305 Authentication Bypass by Primary Weakness
Workarounds
Disallowing user certificate authentication via eAPI can be used to mitigate the vulnerability.
switch(config)#management security switch(config-mgmt-security)#ssl profile profileEAPI switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert switch(config-mgmt-sec-ssl-profile-profileEAPI)#exit
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.