CVE-2024-8000

Summary

On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart.

Note: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS4.32.0 <= 4.32.4Maffected
Arista NetworksEOS4.31.0 <= 4.31.5Maffected
Arista NetworksEOS4.30.0 <= 4.30.8Maffected

Weaknesses

  • CWE-1284: CWE-1284 Improper Validation of Specified Quantity in Input

Workarounds

The workaround is to re-authenticate each supplicant. This can be done by running the command “dot1x re-authenticate” on the interface post ASU. Alternatively, if the reauthentication timer is enabled, the ACL will be correctly reprogrammed once the timer has expired and re-authentication occurs.

switch(Ethernet 1)#dot1x re-authenticate

 

Alternatively, flapping the interface will trigger reauthentication of the supplicants and correct the ACL which is installed for each mac on that interface.

switch(Ethernet 1)#shut switch(Ethernet 1)#no shut

 

In both cases mentioned, we can verify that reauth has been triggered by checking the output of show logging to show the supplicant has been successfully authenticated and show ip access-lists to verify the ACL is installed correctly.

switch(Ethernet 1)#show logging Aug 24 07:12:05 switch Dot1x: DOT1X-6-SUPPLICANT_AUTHENTICATED: Supplicant with identity 00:01:02:03:04:05, MAC 0001.0203.0405 and dynamic VLAN None successfully authenticated on port Ethernet1.

switch#show ip access-lists Phone ACL bypass: disabled IP Access List 802.1x-3212953518000 [dynamic]         10 deny ip 10.1.0.0/16 20.1.0.0/16    20 permit ip from 11.0.0.0/8 to 12.0.0.0/8         30 permit tcp any any eq 80         40 permit tcp any any eq 443         50 deny ip host 192.168.1.100

        Total rules configured: 5

switch#show dot1x hosts mac 0001.203.0405 detail | json {     "supplicantMac": "00:01:02:03:04:05",     "identity": "user3",     "interface": "Ethernet3/47",     "authMethod": "EAPOL",     "authStage": "SUCCESS",     "fallback": "NONE",     "callingStationId": "00:01:02:03:04:05",     "reauthBehavior": "DO-NOT-RE-AUTH",     "reauthInterval": 0,     "cacheConfTime": 0,     "vlanId": "202",     "accountingSessionId": "",     "captivePortal": "",     "captivePortalSource": "",     "aristaWebAuth": "",     "supplicantClass": "",     "filterId": "",     "framedIpAddress": "0.0.0.0",     "framedIpAddrSource": "sourceNone",     "nasFilterRules": [         "deny in ip from 10.1.0.0/16 to 20.1.0.0/16",         "permit in ip from 11.0.0.0/8 to 12.0.0.0/8",         "permit tcp any any eq 80",         "permit tcp any any eq 443",         “deny ip host 192.168.1.100"     ],     "sessionTimeout": 0,     "terminationAction": "",     "tunnelPrivateGroupId": "",     "aristaPeriodicIdentity": "",     "cachedAuthAtLinkDown": false,     "reauthTimeoutSeen": false,     "sessionCached": false,     "detail_": true }

In the above example the supplicant has been re-authenticated and the nasFilterRules shows 5 rules, as before.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References