CVE-2021-28506
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS | 4.26.2F <= 4.26.0 | affected |
| Arista Networks | EOS | 4.25.5.1M <= 4.25.5 | affected |
| Arista Networks | EOS | 4.25.4M <= 4.25.4 | affected |
| Arista Networks | EOS | 4.25.3 <= 4.25.0 | affected |
| Arista Networks | EOS | 4.24.7M <= 4.24.2F | affected |
Weaknesses
- CWE-285: CWE-285 Improper Authorization
Workarounds
No mitigation options available To mitigate CVE-2021-28506 with the continued use of the affected agents, a hotfix employing a proxy service can be deployed. The proxy is configured behind the gNMI/gNOI or RESTCONF server. The hotfix can be downloaded at https://www.arista.com/en/support/advisories-notices/sa-download/?sa=71-SecurityAdvisory0071Hotfix.i386.swix for 32 bit systems and https://www.arista.com/en/support/advisories-notices/sa-download/?sa=71-SecurityAdvisory0071Hotfix.x86_64.swix for 64 bit systems.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.