CVE-2023-5502

Summary

On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS4.31.0 <= 4.31.0Faffected
Arista NetworksEOS4.30.0 <= 4.30.4Maffected
Arista NetworksEOS4.29.0 <= 4.29.6Maffected
Arista NetworksEOS4.28.0 <= 4.28.8Maffected
Arista NetworksEOS4.27.0 <= 4.27.11Maffected
Arista NetworksEOS4.26.0 <= 4.26.11Maffected
Arista NetworksEOS4.25.0 <= 4.25.11Maffected
Arista NetworksEOS4.24.0 <= 4.24.11Maffected

Weaknesses

  • CWE-287: CWE-287 Improper Authentication

Workarounds

Mitigation of this vulnerability requires disabling dot1x. Dot1x can be disabled globally using the following command:

no dot1x system-auth-control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References