CVE-2024-27891

Summary

On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS4.32.0 <= 4.32.0.1Faffected
Arista NetworksEOS4.31.0 <= 4.31.2Faffected
Arista NetworksEOS4.30.0 <= 4.30.6Maffected
Arista NetworksEOS4.29.0 <= 4.29.7Maffected
Arista NetworksEOS4.28.0 <= 4.28.10.1Maffected
Arista NetworksEOS4.27.2F < 4.28.0affected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control

Workarounds

The workaround is to disable MACsec on interfaces with outbound packet ACLs, or to use inbound packet ACLs where possible. Note that ingress ACLs might need to be applied to a different set of interfaces or to other devices in the network.

switch#configure switch(config)#interface Ethernet1 switch(config-if-Et1)#no mac security profile

! or remove/replace the out ACL ! Note that you may wish to apply in ACLs to a different set of ! interfaces than out ACLs were applied to.

switch#configure switch(config)#interface Ethernet1 switch(config-if-Et1)#mac access-group <ACL name> in switch(config-if-Et1)#ip access-group <ACL name> in switch(config-if-Et1)#ipv6 access-group <ACL name> in switch(config-if-Et1)#no mac access-group out switch(config-if-Et1)#no ip access-group out switch(config-if-Et1)#no ipv6 access-group out

For more information about ACLs see  EOS User Manual: ACLs and Route Maps https://www.arista.com/en/um-eos/eos-acls-and-route-maps .

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References