CVE-2021-28508

Summary

This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak IPsec sensitive data in clear text in CVP to other authorized users, which could cause IPsec traffic to be decrypted or modified by other authorized users on the device.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksArista EOS4.23 <= 4.23.11affected
Arista NetworksArista EOS4.24 <= 4.24.9affected
Arista NetworksArista EOS4.25 <= 4.25.7affected
Arista NetworksArista EOS4.26 <= 4.26.5affected
Arista NetworksArista EOS4.27 <= 4.27.3affected
Arista NetworksArista TerminAttrv1.10 <= v1.10.10affected
Arista NetworksArista TerminAttrv1.16 <= v1.16.7affected
Arista NetworksArista TerminAttrv1.18 <= v1.18.1affected

Weaknesses

  • CWE-255: CWE-255 Credentials Management

Workarounds

On the affected versions, the vulnerabilities can be mitigated by disabling TerminAttr agent.

ADP Enrichment

CVE Program Container

Additional References

References