CVE-2024-6858
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS | 4.31.0 <= 4.31.1F | affected |
| Arista Networks | EOS | 4.30.0 <= 4.30.5M | affected |
| Arista Networks | EOS | 4.29.0 <= 4.29.7M | affected |
| Arista Networks | EOS | 4.28.10 <= 4.28.10.1M | affected |
Weaknesses
- CWE-1287: CWE-1287 Improper validation of specified type of input
Workarounds
This vulnerability arises when there is an EAPOL supplicant in any of the fallback VLAN’s ( i.e. auth-fail, unresponsive VLAN ). If only unauthenticated EAPOL supplicants are expected the admin can change dot1x host-mode to single-host as indicated below.
switch(config-if-et1)#dot1x host-mode single-host
- Dot1x Host Mode
Single Host Mode: Please note when once the 802.1X supplicant is authenticated on the port, ONLY the traffic coming from the supplicant's MAC is allowed through the port.
Multi-Host Mode: Once the 802.1X supplicant is authenticated on the port, traffic coming from ANY source MAC is allowed through the port.
Multi-Host authenticated Mode: Multiple 802.1X supplicants can be allowed and ONLY the traffic coming from all authenticated supplicant’s MAC is allowed through the port.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.