CVE-2024-27891
Description
Arista EOS ACL policies are not enforced when MACsec is configured on the same interface, potentially allowing or denying traffic incorrectly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
On affected Arista EOS platforms, specifically the 722XPM Series, when both MACsec and egress Access Control Lists (ACLs) are configured on the same interfaces, the ACL policies may not be enforced for egressing packets. This affects EOS versions 4.32.0.1F and below in the 4.32.X train, 4.31.2F and below in the 4.31.X train, 4.30.6M and below in the 4.30.X train, 4.29.7M and below in the 4.29.X train, and 4.28.10.1M and below in the 4.28.X train. [1]
Exploitation
An attacker does not need specific privileges or user interaction to exploit this vulnerability. The vulnerability is triggered by the configuration of MACsec and egress ACLs on the same interfaces. The incorrect enforcement of ACL policies for outgoing traffic can lead to unintended packet forwarding behavior, such as packets being allowed when they should be denied or denied when they should be allowed. [1]
Impact
Successful exploitation of this vulnerability can lead to a loss of integrity for network traffic. Specifically, ACL policies that are intended to control or restrict network access may not be enforced as expected, resulting in incorrect packet handling. This could allow unauthorized traffic to pass or legitimate traffic to be blocked, impacting the intended network security posture. [1]
Mitigation
Arista has released updated versions of EOS to address this vulnerability. Specific fixed versions are not detailed in the provided references, but users are advised to upgrade to a non-affected version. Arista is not aware of any malicious uses of this issue in customer networks. [1]
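As an added example (not from the advisory or from Arista), the following Python script turns the two facts above into a defender's check: it compares an EOS version string against the inclusive affected ceilings listed for the 4.28.X to 4.32.X trains, and it scans a running-config for interfaces that carry both a MACsec profile and an egress access-group, the co-occurrence under which the advisory says egress ACLs may not be enforced. The sample config is constructed; the interface-level command forms (`mac security profile <name>`, `ip access-group <name> out`) are this example's assumption about EOS syntax and should be checked against the platform's CLI reference. The script does not check the hardware platform (the advisory names the 722XPM Series), so a version hit is a prompt to verify, not a confirmed exposure.

```python
import re
from typing import Optional

# Inclusive upper bounds per release train, as stated in the advisory text:
# a version at or below its train's ceiling is in the affected range.
AFFECTED_CEILING = {
    (4, 32): "4.32.0.1F",
    (4, 31): "4.31.2F",
    (4, 30): "4.30.6M",
    (4, 29): "4.29.7M",
    (4, 28): "4.28.10.1M",
}

# Numeric components followed by an optional release-type letter (F/M).
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)[A-Za-z]*$")


def parse_eos_version(ver: str) -> tuple[int, ...]:
    """Turn '4.30.6M' into (4, 30, 6); the trailing letter is ignored for ordering."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version string: {ver!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected_version(ver: str) -> Optional[bool]:
    """True if ver is at or below its train's ceiling, False if it is newer,
    None if the train is not one the advisory lists (no data either way)."""
    v = parse_eos_version(ver)
    ceiling = AFFECTED_CEILING.get(v[:2])
    if ceiling is None:
        return None
    # Tuple comparison orders component-wise; a shorter prefix sorts lower,
    # so (4, 28, 10) <= (4, 28, 10, 1) holds as intended.
    return v <= parse_eos_version(ceiling)


# Assumed EOS interface-level syntax (verify against the CLI reference):
#   mac security profile <name>        -> MACsec applied to the interface
#   ip|ipv6|mac access-group <name> out -> egress ACL on the interface
_MACSEC_RE = re.compile(r"^\s*mac security profile\s+\S+")
_EGRESS_ACL_RE = re.compile(r"^\s*(?:ip|ipv6|mac) access-group\s+\S+\s+out\b")


def interfaces_with_macsec_and_egress_acl(running_config: str) -> list[str]:
    """Return interface names whose block has both a MACsec profile and an
    egress access-group; blocks are delimited by 'interface ...' and '!'."""
    hits: list[str] = []
    name: Optional[str] = None
    has_macsec = has_egress = False
    for line in running_config.splitlines() + ["!"]:   # trailing '!' closes the last block
        if line.startswith("interface ") or line.strip() == "!":
            if name is not None and has_macsec and has_egress:
                hits.append(name)
            name = line.split(None, 1)[1].strip() if line.startswith("interface ") else None
            has_macsec = has_egress = False
        elif name is not None:
            has_macsec = has_macsec or bool(_MACSEC_RE.match(line))
            has_egress = has_egress or bool(_EGRESS_ACL_RE.match(line))
    return hits


def assess(version: str, running_config: str) -> dict:
    """Combine both checks into one summary for a device."""
    return {
        "version_affected": is_affected_version(version),
        "exposed_interfaces": interfaces_with_macsec_and_egress_acl(running_config),
    }


# Constructed sample running-config: only Ethernet1 has MACsec plus an egress ACL.
SAMPLE_CONFIG = """\
!
interface Ethernet1
   description uplink
   mac security profile corp-macsec
   ip access-group EGRESS-FILTER out
!
interface Ethernet2
   ip access-group EGRESS-FILTER out
!
interface Ethernet3
   mac security profile corp-macsec
   ip access-group INGRESS-FILTER in
!
"""

if __name__ == "__main__":
    print(assess("4.30.6M", SAMPLE_CONFIG))
```

Run against a device's `show version` string and `show running-config` output; an interface reported by the scan on an affected version is where the advisory's condition holds, and ingress-only ACLs or MACsec-only interfaces are deliberately not reported.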
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.