CVE-2021-28506

Summary

An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS4.26.2F <= 4.26.0affected
Arista NetworksEOS4.25.5.1M <= 4.25.5affected
Arista NetworksEOS4.25.4M <= 4.25.4affected
Arista NetworksEOS4.25.3 <= 4.25.0affected
Arista NetworksEOS4.24.7M <= 4.24.2Faffected

Weaknesses

  • CWE-285: CWE-285 Improper Authorization

Workarounds

No mitigation options available To mitigate CVE-2021-28506 with the continued use of the affected agents, a hotfix employing a proxy service can be deployed. The proxy is configured behind the gNMI/gNOI or RESTCONF server. The hotfix can be downloaded at https://www.arista.com/en/support/advisories-notices/sa-download/?sa=71-SecurityAdvisory0071Hotfix.i386.swix for 32 bit systems and https://www.arista.com/en/support/advisories-notices/sa-download/?sa=71-SecurityAdvisory0071Hotfix.x86_64.swix for 64 bit systems.

ADP Enrichment

CVE Program Container

Additional References

References