CVE-2024-8000
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart.
Note: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS | 4.32.0 <= 4.32.4M | affected |
| Arista Networks | EOS | 4.31.0 <= 4.31.5M | affected |
| Arista Networks | EOS | 4.30.0 <= 4.30.8M | affected |
Weaknesses
- CWE-1284: CWE-1284 Improper Validation of Specified Quantity in Input
Workarounds
The workaround is to re-authenticate each supplicant. This can be done by running the command “dot1x re-authenticate” on the interface post ASU. Alternatively, if the reauthentication timer is enabled, the ACL will be correctly reprogrammed once the timer has expired and re-authentication occurs.
switch(Ethernet 1)#dot1x re-authenticate
Alternatively, flapping the interface will trigger reauthentication of the supplicants and correct the ACL which is installed for each mac on that interface.
switch(Ethernet 1)#shut switch(Ethernet 1)#no shut
In both cases mentioned, we can verify that reauth has been triggered by checking the output of show logging to show the supplicant has been successfully authenticated and show ip access-lists to verify the ACL is installed correctly.
switch(Ethernet 1)#show logging Aug 24 07:12:05 switch Dot1x: DOT1X-6-SUPPLICANT_AUTHENTICATED: Supplicant with identity 00:01:02:03:04:05, MAC 0001.0203.0405 and dynamic VLAN None successfully authenticated on port Ethernet1.
switch#show ip access-lists Phone ACL bypass: disabled IP Access List 802.1x-3212953518000 [dynamic] 10 deny ip 10.1.0.0/16 20.1.0.0/16 20 permit ip from 11.0.0.0/8 to 12.0.0.0/8 30 permit tcp any any eq 80 40 permit tcp any any eq 443 50 deny ip host 192.168.1.100
Total rules configured: 5
switch#show dot1x hosts mac 0001.203.0405 detail | json { "supplicantMac": "00:01:02:03:04:05", "identity": "user3", "interface": "Ethernet3/47", "authMethod": "EAPOL", "authStage": "SUCCESS", "fallback": "NONE", "callingStationId": "00:01:02:03:04:05", "reauthBehavior": "DO-NOT-RE-AUTH", "reauthInterval": 0, "cacheConfTime": 0, "vlanId": "202", "accountingSessionId": "", "captivePortal": "", "captivePortalSource": "", "aristaWebAuth": "", "supplicantClass": "", "filterId": "", "framedIpAddress": "0.0.0.0", "framedIpAddrSource": "sourceNone", "nasFilterRules": [ "deny in ip from 10.1.0.0/16 to 20.1.0.0/16", "permit in ip from 11.0.0.0/8 to 12.0.0.0/8", "permit tcp any any eq 80", "permit tcp any any eq 443", “deny ip host 192.168.1.100" ], "sessionTimeout": 0, "terminationAction": "", "tunnelPrivateGroupId": "", "aristaPeriodicIdentity": "", "cachedAuthAtLinkDown": false, "reauthTimeoutSeen": false, "sessionCached": false, "detail_": true }
In the above example the supplicant has been re-authenticated and the nasFilterRules shows 5 rules, as before.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.