First published: Tue Jan 11 2022
An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication, which could allow an unauthenticated factory reset of the device.
Credit: psirt@arista.com
Affected Software | Affected Version | How to fix
---|---|---
Arista EOS | >= 4.24.0, <= 4.24.7m | Upgrade to 4.24.8M or later in the 4.24.x train
Arista EOS | >= 4.25.0, <= 4.25.3 | Upgrade to 4.25.6M or later in the 4.25.x train
Arista EOS | >= 4.25.4, <= 4.25.4m | Upgrade to 4.25.4.1M or later in the 4.25.4.x train
Arista EOS | >= 4.25.5, <= 4.25.5.1m | Upgrade to 4.25.6M or later in the 4.25.x train
Arista EOS | >= 4.26.0, <= 4.26.2f | Upgrade to 4.26.3M or later in the 4.26.x train
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release. CVE-2021-28506 has been fixed in the following releases:
- 4.26.3M and later releases in the 4.26.x train
- 4.25.6M and later releases in the 4.25.x train
- 4.25.4.1M and later releases in the 4.25.4.x train
- 4.24.8M and later releases in the 4.24.x train
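As an added example (not code from Arista or SecAlerts), the following Python script checks a running EOS version against the affected ranges and fixed releases listed on this page, so an operator can triage a fleet from `show version` output before scheduling upgrades. The version-string grammar it parses (dot-separated numbers followed by an optional release letter such as M or F, compared case-insensitively, with shorter versions padded so 4.25.4 sorts before 4.25.4.1) and the `show version` sample text are assumptions constructed for the example.

```python
"""Triage an Arista EOS version against the CVE-2021-28506 affected ranges.

Added example, not Arista's or SecAlerts' code. The ranges and fixed releases
come from the advisory text on this page; the EOS version grammar and the
`show version` sample below are assumptions made for this example.
"""
import re
from typing import List, Optional, Tuple

# (lowest affected, highest affected, first fixed release), one row per
# affected train, copied from the advisory table and fix list on this page.
AFFECTED_RANGES: List[Tuple[str, str, str]] = [
    ("4.24.0", "4.24.7M", "4.24.8M"),
    ("4.25.0", "4.25.3", "4.25.6M"),
    ("4.25.4", "4.25.4M", "4.25.4.1M"),
    ("4.25.5", "4.25.5.1M", "4.25.6M"),
    ("4.26.0", "4.26.2F", "4.26.3M"),
]

# Assumed grammar: digits separated by dots, then an optional release letter.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([A-Za-z]*)$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '4.25.4.1M' into ((4, 25, 4, 1), 'M').

    The release letter is upper-cased so '4.24.7m' and '4.24.7M' compare equal.
    Raises ValueError for strings that do not look like an EOS version.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised EOS version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2).upper()


def version_key(version: str) -> Tuple[Tuple[int, ...], str]:
    """Comparable key: numeric parts padded to four places, then the letter.

    Padding makes 4.25.4M ((4,25,4,0),'M') sort before 4.25.4.1M
    ((4,25,4,1),'M'); an absent letter sorts before any letter.
    """
    numbers, suffix = parse_version(version)
    padded = numbers + (0,) * (4 - len(numbers))
    return padded, suffix


def check_version(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first_fixed_release) for a running EOS version.

    A version inside any affected range is flagged together with the first
    release of its train that carries the fix; anything else is (False, None).
    """
    key = version_key(version)
    for low, high, fixed in AFFECTED_RANGES:
        if version_key(low) <= key <= version_key(high):
            return True, fixed
    return False, None


def version_from_show_version(text: str) -> str:
    """Pull the image version out of EOS `show version` text.

    Assumes the output contains a 'Software image version: <ver>' line.
    """
    match = re.search(r"^Software image version:\s*(\S+)", text, re.MULTILINE)
    if not match:
        raise ValueError("no 'Software image version' line in show version output")
    return match.group(1)


# Constructed sample of `show version` output (not a real device capture).
SHOW_VERSION_SAMPLE = """\
Arista <model-placeholder>
Hardware version: 00.00
Software image version: 4.25.4M
Architecture: i686
Internal build version: 4.25.4M-placeholder
"""


def triage(show_version_text: str) -> str:
    """One-line verdict for an operator's inventory report."""
    running = version_from_show_version(show_version_text)
    affected, fixed = check_version(running)
    if affected:
        return f"{running}: AFFECTED by CVE-2021-28506, upgrade to {fixed} or later"
    return f"{running}: not in an affected range for CVE-2021-28506"


if __name__ == "__main__":
    print(triage(SHOW_VERSION_SAMPLE))
    for v in ["4.24.7m", "4.25.4.1M", "4.26.0F", "4.26.3M", "4.27.0F"]:
        print(v, check_version(v))
```

Because the affected ranges end at a specific release letter (for example 4.26.2F), a checker that compares only the numeric components would misclassify the first fixed release of a train when its numbers coincide with the last affected one; keeping the letter in the sort key avoids that.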
The vulnerability ID for this issue in Arista EOS is CVE-2021-28506.
The severity of CVE-2021-28506 is critical, with a severity score of 9.1.
Versions 4.24.0 to 4.24.7m, 4.25.0 to 4.25.3, 4.25.4, 4.25.5 to 4.25.5.1m, and 4.26.0 to 4.26.2f of Arista EOS are affected by CVE-2021-28506.
CVE-2021-28506 could potentially allow a factory reset of the affected Arista EOS device.
Arista has released a security advisory (reference: https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071) with instructions on how to mitigate the vulnerability in Arista EOS.