CVE-2025-0936
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS | 4.33.0 <= 4.33.1 | affected |
| Arista Networks | EOS | 4.32.0 <= 4.32.3M | affected |
| Arista Networks | EOS | 4.31.0 <= 4.31.5M | affected |
| Arista Networks | EOS | 4.30.1F <= 4.30.9M | affected |
Weaknesses
- CWE-256: CWE-256
Workarounds
There are a number of possible workarounds:
Option 1 - disable accounting/logging for the OpenConfig transportFor example to disable accounting for transport named “default”:
switch(config)#management api gnmi switch(config-mgmt-api-gnmi)#transport grpc default switch(config-gnmi-transport-default)#no accounting requests
to disable logging for the OpenConfig agent, run:
switch(config)#no trace OpenConfig setting
Option 2 - disable the gNOI File service entirelyTo disable the gNOI File service, override the OCGNOIFileToggle, then restart OpenConfig to load the changes
switch#bash timeout 100 echo "OCGNOIFileToggle=0" >> /mnt/flash/toggle_override switch#agent OpenConfig terminate
Disabling the gNOI File service will mean that gNOI clients will no longer be able to call any gNOI File RPCs
Option 3 - block the TransferToRemote RPC using gNSI AuthzFor releases with gNSI Authz (EOS 4.31.0F and later releases), the TransferToRemote RPC can be blocked using gNSI Authz.
First enable gNSI Authz service by adding the following config:
switch(config)#management api gnsi switch(config-mgmt-api-gnsi)#service authz
Where [NAME] is the name of the running gNMI transport
Adding this config will cause the named gNMI transport to reload.
Next update the authz policy to block access to the TransferToRemote RPC. This can be done directly on the system by updating the Authz policy file and waiting at least 10 seconds for OpenConfig to reload the changes:
switch#bash timeout 100 echo "{"name":"block gNOI TransferToRemote policy","allow_rules":[{"name":"allow_all"}],"deny_rules":[{"name":"no-one-can-use-gnoi-transfer-to-remote","request":{"paths":["/gnoi.file.File/TransferToRemote"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11
This will cause attempts to run the TransferToRemote RPC to fail with a “PermissionDenied” error code.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.