CVE-2021-28509

Published: May 26, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Exploitability: 0.9 / Impact: 5.2

Source: NVD

Description

This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak MACsec sensitive data in clear text in CVP to other authorized users, which could cause MACsec traffic to be decrypted or modified by other authorized users on the device.

Affected (8)

Products: Arista: Eos, Terminattr

Arista

2 products

Eos

Terminattr

Configuration A

2 platform

Running on/with	Platform Versions
Arista Ccs 722xpm 48y4	All versions
Arista Ccs 722xpm 48zy8	All versions

Configuration B

15 platform

Running on/with	Platform Versions
Arista 7050cx3 32s	All versions
Arista 7050cx3m 32s	All versions
Arista 7050sx3 48c8	All versions
Arista 7050sx3 48yc	All versions
Arista 7050sx3 48yc12	All versions
Arista 7050sx3 48yc8	All versions
Arista 7050sx3 96yc8	All versions
Arista 7050tx3 48c8	All versions
Arista Dcs 7050cx3 32s	All versions
Arista Dcs 7050cx3 32s R	All versions
Arista Dcs 7050cx3m 32s	All versions
Arista Dcs 7050sx3 48c8	All versions
Arista Dcs 7050sx3 48yc12	All versions
Arista Dcs 7050sx3 48yc8	All versions
Arista Dcs 7050sx3 96yc8	All versions

Configuration C

16 platform

Running on/with	Platform Versions
Arista 7280cr2ak 30	All versions
Arista 7280cr2k 60	All versions
Arista 7280cr3 32d4	All versions
Arista 7280cr3 32p4	All versions
Arista 7280cr3 96	All versions
Arista 7280cr3k 32d4	All versions
Arista 7280cr3k 32p4	All versions
Arista 7280cr3k 96	All versions
Arista 7280dr3 24	All versions
Arista 7280dr3k 24	All versions
Arista 7280pr3 24	All versions
Arista 7280pr3k 24	All versions
Arista 7280r2	All versions
Arista 7280r3	All versions
Arista 7280sr3 48yc8	All versions
Arista 7280sr3k 48yc8	All versions

Configuration D

6 platform

Running on/with	Platform Versions
Arista 7500r2	All versions
Arista 7500r3	All versions
Arista 7500r3 24d	All versions
Arista 7500r3 24p	All versions
Arista 7500r3 36cq	All versions
Arista 7500r3k 36cq	All versions

Configuration E

3 platform

Running on/with	Platform Versions
Arista 7800r3 36p	All versions
Arista 7800r3 48cq	All versions
Arista 7800r3k 48cq	All versions

Configuration F

8 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Arista Eos	From 4.23 to 4.23.11
Arista Eos	From 4.24 to 4.24.10
Arista Eos	From 4.25 to 4.25.8
Arista Eos	From 4.26 to 4.26.6
Arista Eos	From 4.27 to 4.27.4
Arista Terminattr	Before 1.10.11
Arista Terminattr	From 1.11.0 to 1.16.8
Arista Terminattr	From 1.17.0 to 1.19.2

Running on/with	Platform Versions
Arista 7388x5	All versions

Related CWEs

CWE-255

CWE-319

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (2)

https://www.arista.com/en/support/advisories-notices/security-advisories/15484-security-advisory-0077

Source: psirt@arista.com

ExploitVendor Advisory

https://www.arista.com/en/support/advisories-notices/security-advisories/15484-security-advisory-0077

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.