CVE-2021-28504

Summary

On Arista Strata family products which have “TCAM profile” feature enabled when Port IPv4 access-list has a rule which matches on “vxlan” as protocol then that rule and subsequent rules ( rules declared after it in ACL ) do not match on IP protocol field as expected.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS4.26.3F <= 4.26.0affected
Arista NetworksEOS4.27.0F <= 4.27.0affected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control

Workarounds

Replace "vxlan" IP protocol match with match on IP protocol "udp" and Layer 4 destination port for VxLAN encapsulated packets i.e 4789. If VXLAN L4 destination port number is not the default 4789 then use the configured L4 destination port number.

ADP Enrichment

CVE Program Container

Additional References

References