CVE-2025-1259

Summary

On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in users retrieving data that should not have been available

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS4.33.0 <= 4.33.1affected
Arista NetworksEOS4.32.0 <= 4.32.3affected
Arista NetworksEOS4.31.0 <= 4.31.5affected
Arista NetworksEOS4.30.0 <= 4.30.8affected
Arista NetworksEOS4.29.0 <= 4.29.9affected
Arista NetworksEOS4.28.0 <= 4.28.12affected

Weaknesses

  • CWE-284: CWE-284

Workarounds

For releases with gNSI Authz (EOS 4.31.0F and later releases), the gNOI RPC’s can be blocked using gNSI Authz.

First enable gNSI Authz service by adding the following config:

switch(config)#management api gnsi switch(config-mgmt-api-gnsi)#service authz (config-mgmt-api-gnsi)#transport gnmi [NAME]

 

Where [NAME] is the name of the running gNMI transport which gNSI will run on. Adding this config will cause the named gNMI transport to reload.

Next update the authz policy to block access to the TransferToRemote RPC. This can be done directly on the system by updating the Authz policy file and waiting at least 10 seconds for OpenConfig to reload the changes. Note this will replace any existing authz policies located at /persist/sys/gnsi/authz/policy.json

For CVE-2025-1259 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Get RPC’s.

switch#bash timeout 100 echo "{&#34;name&#34;:&#34;block gNOI GET RPC's policy&#34;,&#34;allow_rules&#34;:[{&#34;name&#34;:&#34;allow_all&#34;}],&#34;deny_rules&#34;:[{&#34;name&#34;:&#34;no-gnoi-get&#34;,&#34;request&#34;:{&#34;paths&#34;:[&#34;/gnoi.packet_link_qualification.LinkQualification/List&#34;,&#34;/gnoi.certificate.CertificateManagement/GetCertificates&#34;,&#34;/gnoi.os.OS/Verify&#34;,&#34;/gnoi.healthz.Healthz/Get&#34;,&#34;/gnoi.healthz.Healthz/List&#34;,&#34;/gnoi.system.System/RebootStatus&#34;,&#34;/gnmi.gNMI/Subscribe&#34;,&#34;/gnoi.file.File/Stat&#34;,&#34;/gnoi.system.System/Traceroute&#34;,&#34;/gnoi.packet_link_qualification.LinkQualification/Get&#34;,&#34;/gnoi.system.System/Ping&#34;,&#34;/gnoi.file.File/Get&#34;,&#34;/gnsi.authz.v1.Authz/Probe&#34;,&#34;/gnsi.credentialz.v1.Credentialz/GetPublicKeys&#34;,&#34;/gnsi.pathz.v1.Pathz/Probe&#34;,&#34;/gnoi.healthz.Healthz/Acknowledge&#34;,&#34;/gnsi.certz.v1.Certz/CanGenerateCSR&#34;,&#34;/gnmi.gNMI/Get&#34;,&#34;/gnoi.certificate.CertificateManagement/CanGenerateCSR&#34;,&#34;/gnoi.healthz.Healthz/Artifact&#34;,&#34;/gnsi.authz.v1.Authz/Get&#34;,&#34;/gnoi.system.System/Time&#34;,&#34;/gnsi.pathz.v1.Pathz/Get&#34;,&#34;/gnoi.packet_link_qualification.LinkQualification/Capabilities&#34;,&#34;/gnsi.acctz.v1.AcctzStream/RecordSubscribe&#34;,&#34;/gnsi.credentialz.v1.Credentialz/CanGenerateKey&#34;,&#34;/gnoi.healthz.Healthz/Check&#34;,&#34;/gnsi.certz.v1.Certz/GetProfileList&#34;]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References