Arista Networks EOS Tunnel Decapsulation Improper Validation (SA0137)

#TRUSTED 8e4e97fd446a487c5f43c0a1bf6a75fcdb813837be29e1326481d6aa01b7508239b3ff3f9425693bbcda18b287afae142ea020c94c0b78400d5b9be96e88f0b3dd02570285a0bf757f4d1d0de6c074fe2c280912715636bb348eb79b8f235f9583f61e171e6b025dd46049f11d9179578a8061a72e074b5779eddd95587b62a3a3b0628ad1cc3f1b1e763436c0bec07c6da602cb480ebff51b1fdc5196e3576056f05781df4afbe4a5844057c60e2c29f07861e599e4fd92c5b4bf6645c074c0bce699aa8b3ee09ab7bf0b178f4ee603b13674a844e1a180de16cbd6d0320875d5c4d3c6f0fcabd4eff8489ecb48d55146cfa8105aea5684b2e6e92eb885804ceb09e1fb7efbb89281719e92a410309605984b44cee6b4ca990aee304377825dd1e5fe3ee6a5809b7d25150ee76f2a7cabf47901eddeadc6dcee677e6c4c6c6557532d4a66949bbc1a824196efa1d1cdcff736915795d5c3d56b8b108cf8fa2bbaa87a031338a6dfddb49b495866bf613f3e9c6745ed2a2fbe6ff9eab6a368f28739beb91014da996035eb638a4e8b2c1da51590556bb61cd609e4aea063db4c19960373ca938f85f2086815e00aeba48b19310d0ff86b131ee7321fd420fbeda376bdfaf381d75fb5c97fff530e2515882b3e7d99ab7227ae02be31e6d2fa5b079a9e3a9fbdb92e542afb996a8f633e321a2033518d12df68de564b6e698782
#TRUST-RSA-SHA256 35ab11d24f904adb44c5856e73afe788b2e7f115691e57eacc94be2edb7cecbcf0c711c1b0390d557bb52b6acd61882a594b7444cea6e9230b9e6464aac99b54c4ca976ed4966d8f513ac98f25c39fc2c6a12ee9bb37dbd578074cddc24072437c95629baa8d30b922d4468bd1a4751b9d6387b157dce4412d5a99434d0532beac53fb35e6bb0286623994cecbd96002cac1b00ce4936bf935b001b4d3a83d865684f6c8fc60d00a52867a85881a69a61df99d623b0653b859fefbf3c560ad7dc0f6777a73fe634020d88b4f6c0de61fef0a41cda31ec965efc253ec35a9d927176a5edb6d4575670ddac4ef447cfeb375d6cb7d7cfe81e00ccd12eb415d082d1c5362eeea5bd07d6d38f0a2c6293b4b7e557b7b74f9744b27bb7120bb88b3ebe50efa1994ddecda9f1d36fdc91dde47f5dc7eb77fcc60dc94efcc0536bdd579349abf55d3b9f8c4e088f7c2c81c37d5f03586dab14edd6af6205a88cae19f585d9df73a7409d713654edce969cf7d9eef32dc0be6163950044acb3bb0e6337017f6223f713a6d5ad2c3eba8b00b338a7b9028c42f4045cd24bb847df0a9931c5afeed48a840998cabd5d83c84b6c373cb356cd496a6f4d203f853cc287e0a8a4519b393ebc9a091b09dbb5b06ddf6549c42e9c524ae8bf81d54f60eb183ae79e35b7f2bee05a06574c840871f77a414657e6311e612f98ecfb6fa0fd05a8f01
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(321106);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/16");

  script_cve_id("CVE-2026-7473");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2026/06/09");

  script_name(english:"Arista Networks EOS Tunnel Decapsulation Improper Validation (SA0137)");

  script_set_attribute(attribute:"synopsis", value:
"The Arista Networks EOS device is affected by an incomplete comparison with missing factors vulnerability in its
tunnel decapsulation handling.");
  script_set_attribute(attribute:"description", value:
"On affected platforms running Arista EOS where a tunnel decapsulation configuration - such as VXLAN (Virtual
Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface - is present, the switch
will incorrectly decapsulate and forward other unexpected tunneled packets with a destination IP matching its
configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially
leading to the unexpected processing of non-configured tunnel traffic.

Note that Arista has stated that no software upgrade path or hotfix is planned to address this issue due to the risk
of breaking existing configurations. The only remediation is the configuration-based mitigation (ACLs) referenced in
the vendor advisory.

Please see the referenced Arista Security Advisory for more information.");
  # https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?00ef8e0a");
  script_set_attribute(attribute:"solution", value:
"There is no fixed version. Apply the access control list (ACL) mitigations referenced in the vendor advisory to
restrict the tunnel protocols accepted at the configured decapsulation IP.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:A");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-7473");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/15");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:arista:eos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("arista_eos_detect.nbin");
  script_require_keys("Host/Arista-EOS/Version", "Host/Arista-EOS/model");

  exit(0);
}

include('arista_eos_func.inc');
include('audit.inc');

var version = get_kb_item_or_exit('Host/Arista-EOS/Version');
var model = toupper(get_kb_item_or_exit('Host/Arista-EOS/model'));

# Per the advisory, only the physical R-series platforms that implement tunnel decapsulation in hardware are affected
# (7020R, 7280R/R2/R3, 7500R/R2/R3, 7800R3). The R4 generation is NOT affected on any series (7020R4, 7280R4,
# 7500R4, 7800R4 are all on the vendor's not-affected list), so the R-tier must not be followed by a digit other
# than 2 or 3. Real SKUs interpose a port-type letter between the series number and the R-tier (e.g.
# DCS-7280SR3-48YC8, DCS-7500R2-36CQ-LC), so allow optional [A-Z] before R.
if (model !~ "7020[A-Z]*R([^0-9]|$)" &&
    model !~ "7280[A-Z]*R([23]|[^0-9]|$)" &&
    model !~ "7500[A-Z]*R([23]|[^0-9]|$)" &&
    model !~ "7800[A-Z]*R3([^0-9]|$)")
  audit(AUDIT_HOST_NOT, 'an affected model');

# The exposure is gated entirely on a tunnel decapsulation configuration being present. These operational "show"
# commands run unprivileged (eos_cmd does not enter enable mode, so running-config is unavailable). Confirm at least
# one of: a VXLAN VTEP with an active source interface, a GRE tunnel interface, or an ip decap-group. Each command's
# output is read from the KB first and only fetched live via eos_cmd when absent
var decap_configured = FALSE;
var decap_evidence = '';

# VXLAN VTEP - the authoritative marker is the active source interface line.
var vxlan = get_kb_item("Host/Arista-EOS/show interfaces vxlan 1");
if (empty_or_null(vxlan))
{
  vxlan = eos_cmd(cmd:"show interfaces vxlan 1");
  vxlan = vxlan["value"];
}
if (!empty_or_null(vxlan) && vxlan =~ "Source interface is \S+ and is active with")
{
  decap_configured = TRUE;
  decap_evidence += '\n  Tunnel decapsulation configuration found : VXLAN VTEP (show interfaces vxlan 1)';
}

# GRE tunnel interface.
var tunnel = get_kb_item("Host/Arista-EOS/show interfaces Tunnel0");
if (empty_or_null(tunnel))
{
  tunnel = eos_cmd(cmd:"show interfaces Tunnel0");
  tunnel = tunnel["value"];
}
if (!empty_or_null(tunnel) && tunnel =~ "Tunnel protocol/transport[ \t]+GRE")
{
  decap_configured = TRUE;
  decap_evidence += '\n  Tunnel decapsulation configuration found : GRE tunnel interface (show interfaces Tunnel0)';
}

# ip decap-group - on affected R-series hardware this lists configured groups (each with a destination IP); on
# unaffected/virtual platforms it returns "% Unavailable command (not supported on this hardware platform)", which is
# handled as feature-absent. Key on the presence of a destination IP so an empty/header-only result does not match.
var decap = get_kb_item("Host/Arista-EOS/show ip decap-group");
if (empty_or_null(decap))
{
  decap = eos_cmd(cmd:"show ip decap-group");
  decap = decap["value"];
}
if (!empty_or_null(decap) &&
    "Unavailable command" >!< decap &&
    "not supported" >!< decap &&
    "% Invalid" >!< decap &&
    decap =~ "([0-9]{1,3}\.){3}[0-9]{1,3}")
{
  decap_configured = TRUE;
  decap_evidence += '\n  Tunnel decapsulation configuration found : ip decap-group (show ip decap-group)';
}

if (!decap_configured)
  audit(AUDIT_HOST_NOT, 'configured with a tunnel decapsulation IP (VXLAN, GRE, or decap-group)');

var report =
  '\n  The remote Arista EOS device is an affected hardware platform configured as a tunnel endpoint with a' +
  '\n  decapsulation IP. There is no vendor fix or hotfix planned for this issue; apply the ACL mitigation from the' +
  '\n  vendor advisory.' +
  '\n' +
  '\n  Installed Version : ' + version +
  '\n  Model             : ' + model +
  decap_evidence +
  '\n';

security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);