CVSS2: 3.6 Low (AV:N/AC:H/Au:S/C:P/I:P/A:N)
  Attack Vector: NETWORK; Attack Complexity: HIGH; Authentication: SINGLE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: NONE
CVSS3: 6.8 Medium (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: HIGH; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
EPSS: 0.001 Low (percentile 32.3%)
Revision | Date | Changes
---|---|---
1.1 | May 27th 2022 | Update the CVE impact of Octa
1.0 | May 25th 2022 | Initial release
CVE-2021-28508
CVE-2021-28509
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols.
The impact of this vulnerability is that, in certain conditions, TerminAttr or Octa might leak IPsec (CVE-2021-28508) and MACsec (CVE-2021-28509) sensitive data in clear text to CloudVision's authorized users or to authorized gNMI clients. The leaked data could allow IPsec and MACsec traffic to be decrypted or modified.
This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.
EOS versions (when Octa is in use on the device):
TerminAttr versions:
All EOS-based platforms that support IPsec or MACsec and run one of the versions identified above are affected when TerminAttr or Octa is enabled on the device.
Arista EOS-based products that support IPsec:
Arista EOS-based products that support MACsec:
The following products are not affected:
Arista EOS-based products:
Arista Wireless Access Points
CloudVision WiFi, virtual appliance or physical appliance
CloudVision WiFi cloud service delivery
Arista 7130 Systems running MOS
Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
Awake Security Platform
The prerequisite for both CVEs is that TerminAttr or Octa is enabled on the device.
TerminAttr is enabled on the device:
daemon TerminAttr
   exec /usr/bin/TerminAttr ...
   no shutdown
Octa is enabled on the device:
management api gnmi
   provider eos-native
IPsec is configured on the device:
ip security
   profile Arista
      ike-policy ikedefault
      sa-policy sadefault
      connection start
      shared-key 7 047A190F1C354D
      mode transport
MACsec is configured on the device:
mac security
   profile Arista
      key 0abc1234 7 06070E234E4D0A48544540585F507E
      key 0def5678 7 09484A0C1C0311475E5A527D7C7C70 fallback
interface Ethernet6/1
   mac security profile Arista
When TerminAttr is used directly on the device to stream, check whether the running TerminAttr version is one of the affected versions listed above.
To check the installed TerminAttr version, use the following command:
#show version detail | grep TerminAttr-core
   TerminAttr-core v1.13.3 1
To check whether TerminAttr is running, use the following command and confirm that a PID is allocated to the process:
#show daemon TerminAttr
   Process: TerminAttr (running with PID 2430)
When Octa is used on the device to stream OpenConfig-modeled data and "eos-native" data over gNMI, check whether Octa is enabled on the device.
To check whether Octa is running, use the following show command:
#show management api gnmi
   Octa: enabled
   Enabled: Yes
   Server: running on port 6030, in default VRF
   SSL Profile: none
   QoS DSCP: none
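The three checks above (TerminAttr version and process state, Octa status, and whether IPsec or MACsec is configured) can be combined into a single exposure assessment. The following is an added example, not Arista's code: it parses constructed show-command output shaped like the samples in this advisory, and the fixed TerminAttr release is a placeholder because the advisory's version list is not reproduced on this page.

```python
import re

# Constructed sample device output, modelled on the show commands in the advisory
# (not a capture from a real device).
SHOW_VERSION = "TerminAttr-core v1.13.3 1\n"
SHOW_DAEMON = "Process: TerminAttr (running with PID 2430)\n"
SHOW_GNMI = "Octa: enabled\nEnabled: Yes\nServer: running on port 6030, in default VRF\n"
RUNNING_CONFIG = "ip security\n   profile Arista\nmac security\n   profile Arista\n"

# PLACEHOLDER: substitute the first fixed TerminAttr release from the advisory's version list.
FIXED_TERMINATTR = (1, 99, 0)

def parse_terminattr_version(out):
    """Extract (major, minor, patch) from 'show version detail' output, or None."""
    m = re.search(r"TerminAttr-core\s+v(\d+)\.(\d+)\.(\d+)", out)
    return tuple(map(int, m.groups())) if m else None

def terminattr_running(out):
    """True when 'show daemon TerminAttr' reports a PID for the process."""
    return re.search(r"TerminAttr \(running with PID \d+\)", out) is not None

def octa_enabled(out):
    """True when 'show management api gnmi' reports the Octa provider enabled."""
    return re.search(r"^Octa:\s*enabled\b", out, re.M) is not None

def secret_bearing_features(cfg):
    """Which of the two affected feature configs (IPsec, MACsec) are present."""
    found = []
    if re.search(r"^ip security\b", cfg, re.M):
        found.append("IPsec")   # CVE-2021-28508
    if re.search(r"^mac security\b", cfg, re.M):
        found.append("MACsec")  # CVE-2021-28509
    return found

def assess(version_out, daemon_out, gnmi_out, cfg, fixed=FIXED_TERMINATTR):
    """Return (exposed, agents, features, mitigation) following the advisory:
    exposure requires a vulnerable streaming agent AND IPsec or MACsec configured."""
    agents, mitigation = [], []
    ver = parse_terminattr_version(version_out)
    if terminattr_running(daemon_out) and ver is not None and ver < fixed:
        agents.append("TerminAttr v%d.%d.%d" % ver)
        mitigation += ["daemon TerminAttr", "   shutdown"]
    if octa_enabled(gnmi_out):
        # Octa exposure depends on the EOS release; check it against the advisory separately.
        agents.append("Octa (gNMI provider eos-native)")
        mitigation += ["management api gnmi", "   no provider eos-native"]
    features = secret_bearing_features(cfg)
    exposed = bool(agents) and bool(features)
    return exposed, agents, features, (mitigation if exposed else [])
```

The returned mitigation lines are the advisory's own workaround configuration for whichever agent is found; an empty result means neither leak path is present on that device.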
The following configuration changes mitigate the listed vulnerabilities.
On the affected versions, the vulnerabilities can be mitigated by disabling the streaming agent in use on the device.
daemon TerminAttr
   shutdown
management api gnmi
   no provider eos-native
The recommended resolution is to upgrade to a remediated software version at your earliest convenience.
The vulnerability is fixed in the following versions:
EOS versions (when Octa is in use on the device):
TerminAttr versions:
As mentioned above, TerminAttr has been bundled with every EOS release from 4.17.0F and above and it’s also available as a SWIX extension that can be used to upgrade TerminAttr to the latest version independently. For instructions on upgrading TerminAttr to the fixed release from CLI on EOS-based products, please refer to the article TerminAttr – Upgrade & Downgrade.
An EOS upgrade is required only when Octa is in use.
No hotfix is available for these CVEs.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at:
https://www.arista.com/en/support/customer-support