CVE-2025-1260

Summary

On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in unexpected configuration/operations being applied to the switch.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS4.33.0 <= 4.33.1affected
Arista NetworksEOS4.32.0 <= 4.32.3affected
Arista NetworksEOS4.31.0 <= 4.31.5affected
Arista NetworksEOS4.30.0 <= 4.30.8affected
Arista NetworksEOS4.29.0 <= 4.29.9affected
Arista NetworksEOS4.28.0 <= 4.28.12affected

Weaknesses

  • CWE-284: CWE-284

Workarounds

For releases with gNSI Authz (EOS 4.31.0F and later releases), the gNOI RPC’s can be blocked using gNSI Authz.

First enable gNSI Authz service by adding the following config:

switch(config)#management api gnsi switch(config-mgmt-api-gnsi)#service authz (config-mgmt-api-gnsi)#transport gnmi [NAME]

 

Where [NAME] is the name of the running gNMI transport which gNSI will run on. Adding this config will cause the named gNMI transport to reload.

For CVE-2025-1260 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Set RPC’s.

switch#bash timeout 100 echo "{&#34;name&#34;:&#34;block gNOI SET RPC's policy&#34;,&#34;allow_rules&#34;:[{&#34;name&#34;:&#34;allow_all&#34;}],&#34;deny_rules&#34;:[{&#34;name&#34;:&#34;no-gnoi-set&#34;,&#34;request&#34;:{&#34;paths&#34;:[&#34;/gnoi.certificate.CertificateManagement/RevokeCertificates&#34;,&#34;/gnoi.os.OS/Activate&#34;,&#34;/gnoi.certificate.CertificateManagement/LoadCertificateAuthorityBundle&#34;,&#34;/gnoi.packet_link_qualification.LinkQualification/Create&#34;,&#34;/gnoi.system.System/Reboot&#34;,&#34;/gnsi.certz.v1.Certz/Rotate&#34;,&#34;/gnoi.system.System/SwitchControlProcessor&#34;,&#34;/gnoi.packet_link_qualification.LinkQualification/Delete&#34;,&#34;/gnsi.certz.v1.Certz/DeleteProfile&#34;,&#34;/gsii.v1.gSII/Modify&#34;,&#34;/gnoi.file.File/Put&#34;,&#34;/gnoi.system.System/SetPackage&#34;,&#34;/gnsi.pathz.v1.Pathz/Rotate&#34;,&#34;/gnmi.gNMI/Set&#34;,&#34;/gnoi.system.System/CancelReboot&#34;,&#34;/gnoi.system.System/KillProcess&#34;,&#34;/gnoi.file.File/TransferToRemote&#34;,&#34;/gnoi.os.OS/Install&#34;,&#34;/gnsi.authz.v1.Authz/Rotate&#34;,&#34;/gnoi.factory_reset.FactoryReset/Start&#34;,&#34;/gnsi.certz.v1.Certz/AddProfile&#34;,&#34;/gnsi.credentialz.v1.Credentialz/RotateAccountCredentials&#34;,&#34;/gnsi.credentialz.v1.Credentialz/RotateHostParameters&#34;,&#34;/gnoi.certificate.CertificateManagement/Rotate&#34;,&#34;/gnoi.certificate.CertificateManagement/Install&#34;,&#34;/gnoi.certificate.CertificateManagement/LoadCertificate&#34;,&#34;/gnoi.certificate.CertificateManagement/GenerateCSR&#34;,&#34;/gnoi.file.File/Remove&#34;]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11

 

Run the following CLI command can be ran which will disable all gNOI RPC’s.

switch#bash timeout 100 echo "{&#34;name&#34;:&#34;block gNOI RPCs policy&#34;,&#34;allow_rules&#34;:[{&#34;name&#34;:&#34;allow_all&#34;}],&#34;deny_rules&#34;:[{&#34;name&#34;:&#34;no-one-can-use-any-gnoi&#34;,&#34;request&#34;:{&#34;paths&#34;:[&#34;/gnoi.*&#34;]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References