CVE-2024-6858

Summary

In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS4.31.0 <= 4.31.1Faffected
Arista NetworksEOS4.30.0 <= 4.30.5Maffected
Arista NetworksEOS4.29.0 <= 4.29.7Maffected
Arista NetworksEOS4.28.10 <= 4.28.10.1Maffected

Weaknesses

  • CWE-1287: CWE-1287 Improper validation of specified type of input

Workarounds

This vulnerability arises when there is an EAPOL supplicant in any of the fallback VLAN’s ( i.e. auth-fail, unresponsive VLAN ). If only unauthenticated EAPOL supplicants are expected the admin can change dot1x host-mode to single-host as indicated below.

switch(config-if-et1)#dot1x host-mode single-host

  • Dot1x Host Mode

Single Host Mode: Please note when once the 802.1X supplicant is authenticated on the port, ONLY the traffic coming from the supplicant's MAC is allowed through the port.

Multi-Host Mode: Once the 802.1X supplicant is authenticated on the port, traffic coming from ANY source MAC is allowed through the port.

Multi-Host authenticated Mode: Multiple 802.1X supplicants can be allowed and ONLY the traffic coming from all authenticated supplicant’s MAC is allowed through the port.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References