CVSS3: 4.7 Medium
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS2: 3.3 Low
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:A/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low (Percentile: 40.3%)
| Revision | Date | Changes |
|---|---|---|
| 1.5 | September 28th 2023 | Update to include 4.29 to EOS releases that resolve the CVEs |
| 1.4 | January 11th 2023 | Update the fixed release info of NetVisor OS Software |
| 1.3 | October 24th 2022 | Update the fixed release info |
| 1.2 | October 7th 2022 | Update the mitigation configuration |
| 1.1 | September 29th 2022 | Update the fixed release info and required configuration |
| 1.0 | September 27th 2022 | Initial release |
This advisory documents the impact of 4 publicly disclosed vulnerabilities within Ethernet encapsulation protocols on Arista products. These issues affect multiple networking vendors and the coordination of this disclosure has been handled by IEEE. Affected Arista products include EOS systems, Wi-Fi Access Points and NetVisor OS Software. The affected software releases are listed below.
The issues involve how L2 network security controls can be bypassed using VLAN 0 stacking (hereafter referred to as the “VLAN 0 header stack variant”) or 802.3 LLC headers with invalid length (hereafter referred to as the “LLC Header Invalid Length Variant”). An attacker can send crafted packets through vulnerable devices to cause Denial-of-Service (DoS) or to perform a Man-in-the-Middle (MitM) attack against L2 reachable hosts in the network.
These issues are tracked via the following four CVEs:
CVE-2021-27853
CVE-2021-27854
CVE-2021-27861
CVE-2021-27862
As of the time of this publication, Arista is not aware of any malicious uses of this issue in customer networks.
EOS Versions
4.28.2F and older releases in the 4.28.x train
4.27.6M and older releases in the 4.27.x train
4.26.7M and older releases in the 4.26.x train
4.25.9M and older releases in the 4.25.x train
4.24.10M and older releases in the 4.24.x train
4.23.12M and older releases in the 4.23.x train
4.22.12M and older releases in the 4.22.x train
Wi-Fi Access Point Versions
12.0.1-48 and older releases for the 12.0 train
11.0.1-49 and older releases for the 11.0 train
10.0.1-31 and older releases for the 10.0 train
NetVisor OS Software Versions
7.0.2 GA and older releases in the 7.x.x train
6.1.2 HF1 and older releases in the 6.x.x train (ONIE)
6.1.1 HF7 and older releases in the 6.x.x train (non-ONIE)
5.2.1 HF4 and older releases in the 5.x.x train
NOTE: Both a vulnerable network device and a vulnerable host networking stack must be present for the issues to be exploitable. Thus, in addition to network devices, it is strongly recommended to evaluate the exposure of the IP stack of connected hosts for a complete assessment of these vulnerabilities.
Platforms impacted by VLAN 0 Header Stack Variant
Arista EOS Based products
7010 and 7010X series
7020R series
7050X/X2/X3/X4 series
7060X/X2/X4 series
7150 series
7160 series
7170 series
710P series
720XP series
722XPM series
750X series
7250X series
7260X/X3 series
7280E/R/R2 series
7280R3 series
7300X/X3 series
7320X series
7358X4 series
7368X4 series
7388X5 series
7500E/R/R2 series
7500R3 series
7800R3 series
Wi-Fi Access Points
11ac wave-2 Access Point series (C100, C110, W118, C120, C130, O105 and their variants)
11ax (Wi-Fi6) Access Point series (C200, C230, O235, C250, C260, C360 and their variants)
NetVisor OS Software platforms
AS5712 series
AS5812 series
AS5835 series
AS6712 series
AS7312 series
AS7316 series
AS7326 series
AS7712 series
AS7716 series
AS7726 series
AS7816 series
Freedom 9K series
NSU series
NRU01 series
NRU02 series
NRU03 series
S52xx series
S5048 series
S60xx series
S41xx series
S40xx series
Z9264 series
Z9100 series
AS5712 series
AS6712 series
AS7316 series
AS7716 series
S60xx series
S40xx series
Platforms impacted by LLC Header Invalid Length Variant
Arista EOS Based products
7010 and 7010X series
7050X/X2/X3/X4 series
7060X/X2/X4 series
7150 series
7160 series
7170 series
710P series
720XP series
722XPM series
750X series
7250X series
7260X/X3 series
7280R3 series
7300X/X3 series
7320X series
7358X4 series
7368X4 series
7388X5 series
7500R3 series
7800R3 series
Wi-Fi Access Points
11ac wave-2 Access Point series (C100, C110, W118, C120, C130, O105 and their variants)
11ax (Wi-Fi6) Access Point series (C200, C230, O235, C250, C260, C360 and their variants)
NetVisor OS Software platforms
AS5712 series
AS5812 series
AS5835 series
AS6712 series
AS7312 series
AS7316 series
AS7326 series
AS7712 series
AS7716 series
AS7726 series
AS7816 series
Freedom 9K series
NSU series
NRU01 series
NRU02 series
NRU03 series
S52xx series
S5048 series
S60xx series
S41xx series
S40xx series
Z9432 series
Z9264 series
Z9100 series
AS5712 series
AS6712 series
AS7316 series
AS7716 series
S60xx series
S40xx series
The following product versions and platforms are not affected by any of the listed CVEs
The following products are not affected by LLC Variant of CVE-2021-27853 and CVE-2021-27861 but are still affected by the VLAN 0 Header Stack Variant
EOS Configuration
Any of the following L3-aware L2 security filtering features is in use:

ACLs configured on Ethernet ports, Port-Channels or VLANs
```
ip access-group <aclName> in
ipv6 access-group <aclName> in
```

IP Locking feature family
```
(config-if-EtX)# address locking ipv4
(config-if-EtX)# address locking ipv6
(config-if-EtX)# address locking ipv4 ipv6
```
in conjunction with
```
(config-address-locking)# dhcp server ipv4 <A.B.C.D>
(config-address-locking)# local-interface <interface>
```
and/or
```
(config-address-locking)# locked-address [ipv4|ipv6] enforcement disabled
```

ARP Inspection
```
ip arp inspection
```

Interface Traffic Policies
```
(config-if-EtX/Y)#traffic-policy input <traffic-policy-name>
```

Segment Security Policies
```
(config)#router segment-security
(config-router-seg-sec)#no shutdown
```

Wi-Fi Access Point Configuration
SSID Firewall rules matching L3 and L4 headers

NetVisor OS Software Configuration
Any of the following L3-aware L2 security filtering features is in use:

Security and QoS based vFlows configured on Ethernet ports, trunks, or VLANs
```
CLI> vflow-create name L3-vflow scope local src-ip 1.1.1.1/24 dst-ip 1.1.1.2/24 action drop
```

IPv6 RA Guard, which requires creation of a filter for addresses and prefixes to apply a security profile to RA messages
```
CLI> access-list-create name list1 scope local
CLI> access-list-ip-add name list1 ip fe80::640e:94ff:fe29:b4d0
CLI> ipv6security-raguard-create name ra1 device router access-list list1
CLI> ipv6security-raguard-port-add name ra1 ports 37
```
There are no visible indicators of compromise.
The mitigations below are supported on all the EOS platforms (except the 7170 series) in the affected releases.
To mitigate the VLAN 0 header stack variant vulnerability, the following MAC ACL can be configured.
```
mac access-list Vlan0HeaderVariant
deny any any 0x8100
deny any any 0x88a8
permit any any
```
Whenever the switch is unable to resolve the final protocol ethertype of an Ethernet frame with a VLAN tag sequence, the final ethertype is determined to be one of the known VLAN tag ethertypes (Tag Protocol ID or TPID) 0x8100 or 0x88a8. The ‘Vlan0HeaderVariant’ ACL causes such frames to be discarded.
To mitigate the LLC header invalid length variant vulnerability, a MAC ACL such as the sample below can be configured.
```
mac access-list allowSpecificEtypes
permit any any ip
permit any any ipv6
permit any any arp
deny any any
```
The ‘allowSpecificEtypes’ ACL provides protection against both variants by ensuring that a switch is allowed to forward a packet only if it is successfully able to identify a higher layer protocol in use in the packet header behind a sequence of VLAN tags. This ACL functions as a permit list to allow known good ethertypes through and drops everything else. This means that all higher layer protocol ethertypes being used in a network have to be identified and included in the permit list to ensure connectivity for those protocols.
Note: The TPID ethertype values 0x8100 and 0x88a8 must not be included in the permit list. The switch identifies the ethertype of a frame as one of these values only when it encounters a VLAN tag sequence that is too long for it to parse and derive a final ethertype.
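To make the ACL behaviour above concrete, here is an added illustration (not code from the advisory or from Arista) of how a parser that gives up on a deep VLAN tag stack ends up reporting a TPID as the final ethertype, why the allowSpecificEtypes permit list then drops such frames, and how an 802.3 length field that exceeds the bytes actually present is detected. The parser depth `max_tags`, the zeroed MAC addresses and the stub payloads are constructed assumptions; real switch ASICs have their own depth.

```python
import struct

TPIDS = {0x8100, 0x88A8}                # 802.1Q / 802.1ad tag protocol IDs
PERMITTED = {0x0800, 0x86DD, 0x0806}    # ip, ipv6, arp: the allowSpecificEtypes list

def walk_tags(frame: bytes, max_tags: int = 2):
    """Walk the VLAN tag stack after the 12-byte MAC header.
    Returns (field, offset_past_field, resolved). max_tags is an assumed
    parser depth (real ASIC depth varies); past it the last TPID seen is
    reported as the final ethertype, unresolved, as the advisory describes."""
    off, tags = 12, 0
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        field = struct.unpack_from("!H", frame, off)[0]
        if field not in TPIDS:
            return field, off + 2, True
        if tags == max_tags:
            return field, off + 2, False
        off, tags = off + 4, tags + 1

def resolve_ethertype(frame: bytes, max_tags: int = 2) -> int:
    return walk_tags(frame, max_tags)[0]

def acl_decision(frame: bytes, max_tags: int = 2) -> str:
    """allowSpecificEtypes: permit only a resolved, listed ethertype.
    An unresolved stack yields a TPID, which is never listed, so it is denied."""
    field, _, resolved = walk_tags(frame, max_tags)
    return "permit" if resolved and field in PERMITTED else "deny"

def llc_length_valid(frame: bytes, max_tags: int = 2) -> bool:
    """802.3 frames carry a length (<= 1500) where Ethernet II carries an
    ethertype; the declared LLC payload length must fit the bytes present."""
    field, off, resolved = walk_tags(frame, max_tags)
    if not resolved or field > 1500:
        return resolved             # Ethernet II has no length field to check
    return field <= len(frame) - off

# Constructed sample frames (zeroed MAC addresses, stub payloads)
MAC = bytes(12)
def tag(vid: int, tpid: int = 0x8100) -> bytes:
    return struct.pack("!HH", tpid, vid & 0x0FFF)
IPV4 = struct.pack("!H", 0x0800) + bytes(20)
FRAMES = {
    "untagged_ipv4": MAC + IPV4,
    "vlan0_ipv4": MAC + tag(0) + IPV4,
    "triple_vlan0_ipv4": MAC + tag(0) + tag(0) + tag(0) + IPV4,
    "llc_ok": MAC + struct.pack("!H", 13) + b"\xaa\xaa\x03" + bytes(10),
    "llc_bad_length": MAC + struct.pack("!H", 1000) + b"\xaa\xaa\x03" + bytes(10),
}
```

Raising `max_tags` shows that the same triple-tagged frame is permitted once the parser can see through the stack, which is exactly why the permit list, not a TPID match, is the robust control.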
Once a suitable ACL is constructed, it must be applied on all L2 switch ports connected to uncontrolled hosts.
```
(config)#interface etX/Y
(config-if-EtX/Y)#mac access-group <mitigationAclName> in
```
There are no known mitigations for Wi-Fi access points.
There are no known mitigations for NetVisor OS Software.
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each software release that contains all the fixes listed below.
The following global commands MUST be enabled on all fixed releases to resolve the vulnerabilities.
To fix the VLAN 0 header stack variant vulnerability:
```
switchport vlan tag validation
```
To fix the LLC header variant vulnerability:
```
switchport ethernet llc validation
```
Only platforms which are affected by a variant will be able to run the corresponding configuration command to resolve the issue. Cross reference your platform with the affected variant (Affected Platforms section above) to determine the configuration command(s) which should be set. A configuration command which does not apply to the platform will be unavailable on that platform.
Note: all releases in the 10.0 train are affected by the CVEs. Please upgrade to the fixed release versions in 11.0.1 or 12.0.1 train as soon as possible. If you require further assistance, please contact the Arista Networks Technical Assistance Center (TAC) with methods listed below.
There are no post upgrade steps required for Wi-Fi.
CVE-2021-27853 and CVE-2021-27861
For details on upgrading NetVisor OS releases, refer to “Upgrading the NetVisor OS Software” section in the respective Release Notes documentation.
The following global commands MUST be enabled to resolve the vulnerabilities.
Note: Prior to enabling the CLI command options below, ensure that there are no error messages such as the one below while creating new vFlows; the messages are also available in the nvOSd.log file.
```
vflow-create: Flow Table System-L1-L4-Tun-1-0 is Full
```
To fix the VLAN 0 header stack variant vulnerability:
```
CLI> system-settings-modify vlan-tag-validate
```
This option is disabled by default. When you enable it using the above command, NetVisor OS automatically creates 5 vFlows upon switch reboot with appropriate precedence values and drops the double-tagged and triple-tagged packets.
To fix the LLC header variant vulnerability:
```
CLI> system-settings-modify l2-frame-validate
```
This option is disabled by default. When you enable it, NetVisor OS automatically creates 5 vFlows upon switch reboot with appropriate precedence values, drops the invalid LLC/SNAP packets and bypasses the legitimate LLC/SNAP packets.
Note: On platforms where the virtual Link Extension (vLE) and virtual port groups (vPG) are configured, it is recommended not to enable the l2-frame-validate option as it may not bypass the L2 protocol packets.
To verify that the validation settings have been successfully configured:
```
CLI> system-settings-show format l2-frame-validate, vlan-tag-validate
l2-frame-validate: on
vlan-tag-validate: on
```
Note: Reboot the switch after making (enable/disable) the above configurations for the changes to take effect.
To allow Q-in-Q packets to match on the L3 IP header, enable allowed-tpid:
```
CLI> port-config-modify port <logical port number> allowed-tpid vlan,q-in-q,q-in-q-old,
```
When the above parameter is enabled, the system-settings-modify vlan-tag-validate command and the system-settings-modify l2-frame-validate command each add 5 vFlows upon switch reboot.
There is no hotfix available for any of the affected platforms.
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support