CVE-2025-1259
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in users retrieving data that should not have been available
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS | 4.33.0 <= 4.33.1 | affected |
| Arista Networks | EOS | 4.32.0 <= 4.32.3 | affected |
| Arista Networks | EOS | 4.31.0 <= 4.31.5 | affected |
| Arista Networks | EOS | 4.30.0 <= 4.30.8 | affected |
| Arista Networks | EOS | 4.29.0 <= 4.29.9 | affected |
| Arista Networks | EOS | 4.28.0 <= 4.28.12 | affected |
Weaknesses
- CWE-284: CWE-284
Workarounds
For releases with gNSI Authz (EOS 4.31.0F and later releases), the gNOI RPC’s can be blocked using gNSI Authz.
First enable gNSI Authz service by adding the following config:
switch(config)#management api gnsi switch(config-mgmt-api-gnsi)#service authz (config-mgmt-api-gnsi)#transport gnmi [NAME]
Where [NAME] is the name of the running gNMI transport which gNSI will run on. Adding this config will cause the named gNMI transport to reload.
Next update the authz policy to block access to the TransferToRemote RPC. This can be done directly on the system by updating the Authz policy file and waiting at least 10 seconds for OpenConfig to reload the changes. Note this will replace any existing authz policies located at /persist/sys/gnsi/authz/policy.json
For CVE-2025-1259 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Get RPC’s.
switch#bash timeout 100 echo "{"name":"block gNOI GET RPC's policy","allow_rules":[{"name":"allow_all"}],"deny_rules":[{"name":"no-gnoi-get","request":{"paths":["/gnoi.packet_link_qualification.LinkQualification/List","/gnoi.certificate.CertificateManagement/GetCertificates","/gnoi.os.OS/Verify","/gnoi.healthz.Healthz/Get","/gnoi.healthz.Healthz/List","/gnoi.system.System/RebootStatus","/gnmi.gNMI/Subscribe","/gnoi.file.File/Stat","/gnoi.system.System/Traceroute","/gnoi.packet_link_qualification.LinkQualification/Get","/gnoi.system.System/Ping","/gnoi.file.File/Get","/gnsi.authz.v1.Authz/Probe","/gnsi.credentialz.v1.Credentialz/GetPublicKeys","/gnsi.pathz.v1.Pathz/Probe","/gnoi.healthz.Healthz/Acknowledge","/gnsi.certz.v1.Certz/CanGenerateCSR","/gnmi.gNMI/Get","/gnoi.certificate.CertificateManagement/CanGenerateCSR","/gnoi.healthz.Healthz/Artifact","/gnsi.authz.v1.Authz/Get","/gnoi.system.System/Time","/gnsi.pathz.v1.Pathz/Get","/gnoi.packet_link_qualification.LinkQualification/Capabilities","/gnsi.acctz.v1.AcctzStream/RecordSubscribe","/gnsi.credentialz.v1.Credentialz/CanGenerateKey","/gnoi.healthz.Healthz/Check","/gnsi.certz.v1.Certz/GetProfileList"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.