CVE-2024-27891
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS | 4.32.0 <= 4.32.0.1F | affected |
| Arista Networks | EOS | 4.31.0 <= 4.31.2F | affected |
| Arista Networks | EOS | 4.30.0 <= 4.30.6M | affected |
| Arista Networks | EOS | 4.29.0 <= 4.29.7M | affected |
| Arista Networks | EOS | 4.28.0 <= 4.28.10.1M | affected |
| Arista Networks | EOS | 4.27.2F < 4.28.0 | affected |
Weaknesses
- CWE-284: CWE-284 Improper Access Control
Workarounds
The workaround is to disable MACsec on interfaces with outbound packet ACLs, or to use inbound packet ACLs where possible. Note that ingress ACLs might need to be applied to a different set of interfaces or to other devices in the network.
switch#configure switch(config)#interface Ethernet1 switch(config-if-Et1)#no mac security profile
! or remove/replace the out ACL
! Note that you may wish to apply in ACLs to a different set of
! interfaces than out ACLs were applied to.
switch#configure switch(config)#interface Ethernet1 switch(config-if-Et1)#mac access-group <ACL name> in switch(config-if-Et1)#ip access-group <ACL name> in switch(config-if-Et1)#ipv6 access-group <ACL name> in switch(config-if-Et1)#no mac access-group out switch(config-if-Et1)#no ip access-group out switch(config-if-Et1)#no ipv6 access-group out
For more information about ACLs see EOS User Manual: ACLs and Route Maps https://www.arista.com/en/um-eos/eos-acls-and-route-maps .
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.