CVE-2025-1260
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in unexpected configuration/operations being applied to the switch.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS | 4.33.0 <= 4.33.1 | affected |
| Arista Networks | EOS | 4.32.0 <= 4.32.3 | affected |
| Arista Networks | EOS | 4.31.0 <= 4.31.5 | affected |
| Arista Networks | EOS | 4.30.0 <= 4.30.8 | affected |
| Arista Networks | EOS | 4.29.0 <= 4.29.9 | affected |
| Arista Networks | EOS | 4.28.0 <= 4.28.12 | affected |
Weaknesses
- CWE-284: CWE-284
Workarounds
For releases with gNSI Authz (EOS 4.31.0F and later releases), the gNOI RPC’s can be blocked using gNSI Authz.
First enable gNSI Authz service by adding the following config:
switch(config)#management api gnsi switch(config-mgmt-api-gnsi)#service authz (config-mgmt-api-gnsi)#transport gnmi [NAME]
Where [NAME] is the name of the running gNMI transport which gNSI will run on. Adding this config will cause the named gNMI transport to reload.
For CVE-2025-1260 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Set RPC’s.
switch#bash timeout 100 echo "{"name":"block gNOI SET RPC's policy","allow_rules":[{"name":"allow_all"}],"deny_rules":[{"name":"no-gnoi-set","request":{"paths":["/gnoi.certificate.CertificateManagement/RevokeCertificates","/gnoi.os.OS/Activate","/gnoi.certificate.CertificateManagement/LoadCertificateAuthorityBundle","/gnoi.packet_link_qualification.LinkQualification/Create","/gnoi.system.System/Reboot","/gnsi.certz.v1.Certz/Rotate","/gnoi.system.System/SwitchControlProcessor","/gnoi.packet_link_qualification.LinkQualification/Delete","/gnsi.certz.v1.Certz/DeleteProfile","/gsii.v1.gSII/Modify","/gnoi.file.File/Put","/gnoi.system.System/SetPackage","/gnsi.pathz.v1.Pathz/Rotate","/gnmi.gNMI/Set","/gnoi.system.System/CancelReboot","/gnoi.system.System/KillProcess","/gnoi.file.File/TransferToRemote","/gnoi.os.OS/Install","/gnsi.authz.v1.Authz/Rotate","/gnoi.factory_reset.FactoryReset/Start","/gnsi.certz.v1.Certz/AddProfile","/gnsi.credentialz.v1.Credentialz/RotateAccountCredentials","/gnsi.credentialz.v1.Credentialz/RotateHostParameters","/gnoi.certificate.CertificateManagement/Rotate","/gnoi.certificate.CertificateManagement/Install","/gnoi.certificate.CertificateManagement/LoadCertificate","/gnoi.certificate.CertificateManagement/GenerateCSR","/gnoi.file.File/Remove"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11
Run the following CLI command can be ran which will disable all gNOI RPC’s.
switch#bash timeout 100 echo "{"name":"block gNOI RPCs policy","allow_rules":[{"name":"allow_all"}],"deny_rules":[{"name":"no-one-can-use-any-gnoi","request":{"paths":["/gnoi.*"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.