CVE-2024-27892

Summary

Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS4.31.0 <= 4.31.2Faffected
Arista NetworksEOS4.30.0 <= 4.30.5Maffected
Arista NetworksEOS4.29.0 <= 4.29.7Maffected
Arista NetworksEOS4.28.0 <= 4.28.10Maffected
Arista NetworksEOS4.27.0 <= 4.27.8Maffected
Arista NetworksEOS4.26.0 <= 4.26.9Maffected
Arista NetworksEOS4.25.0 <= 4.25.10Maffected
Arista NetworksEOS4.24.0 <= 4.24.11Maffected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

Workarounds

The workaround is to disable gNMI Set requests. This can be done by applying per RPC authorization and ensuring no user is authorized to run the OpenConfig.Set command.

switch(config-gnmi-transport-default)#show management api gnmi transport grpc default authorization requests

Alternatively, TLS can be disabled:

switch(config-gnmi-transport-default)#no ssl profile

Alternatively, the OpenConfig agent can be disabled entirely:

switch(config-gnmi-transport-default)#no management api gnmi

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References