6.5
CVE-2021-28511
- EPSS 0.23%
- Published 05.08.2022 17:15:07
- Last modified 21.11.2024 05:59:48
- Source psirt@arista.com
This advisory documents the impact of an internally found vulnerability in Arista EOS for security ACL bypass. The impact of this vulnerability is that the security ACL drop rule might be bypassed if a NAT ACL rule filter with permit action matches the packet flow. This could allow a host with an IP address in a range that matches the range allowed by a NAT ACL and a range denied by a Security ACL to be forwarded incorrectly as it should have been denied by the Security ACL. This can enable an ACL bypass.
Data is provided by the National Vulnerability Database (NVD)
Arista ≫ Eos Version <= 4.24.9
Arista ≫ 7050cx3-32s Version-
Arista ≫ 7050cx3m-32s Version-
Arista ≫ 7050sx3-48c8 Version-
Arista ≫ 7050sx3-48yc Version-
Arista ≫ 7050sx3-48yc12 Version-
Arista ≫ 7050sx3-48yc8 Version-
Arista ≫ 7050sx3-96yc8 Version-
Arista ≫ 7050tx3-48c8 Version-
Arista ≫ 720xp-24y6 Version-
Arista ≫ 720xp-24zy4 Version-
Arista ≫ 720xp-48y6 Version-
Arista ≫ 720xp-48zc2 Version-
Arista ≫ 720xp-96zc2 Version-
Arista ≫ 7300x3-32c Version-
Arista ≫ 7300x3-48yc4 Version-
Arista ≫ Eos Version >= 4.25.0 <= 4.25.8
Arista ≫ 7050cx3-32s Version-
Arista ≫ 7050cx3m-32s Version-
Arista ≫ 7050sx3-48c8 Version-
Arista ≫ 7050sx3-48yc Version-
Arista ≫ 7050sx3-48yc12 Version-
Arista ≫ 7050sx3-48yc8 Version-
Arista ≫ 7050sx3-96yc8 Version-
Arista ≫ 7050tx3-48c8 Version-
Arista ≫ 720xp-24y6 Version-
Arista ≫ 720xp-24zy4 Version-
Arista ≫ 720xp-48y6 Version-
Arista ≫ 720xp-48zc2 Version-
Arista ≫ 720xp-96zc2 Version-
Arista ≫ 7300x3-32c Version-
Arista ≫ 7300x3-48yc4 Version-
Arista ≫ Eos Version >= 4.26.0 <= 4.26.5
Arista ≫ 7050cx3-32s Version-
Arista ≫ 7050cx3m-32s Version-
Arista ≫ 7050sx3-48c8 Version-
Arista ≫ 7050sx3-48yc Version-
Arista ≫ 7050sx3-48yc12 Version-
Arista ≫ 7050sx3-48yc8 Version-
Arista ≫ 7050sx3-96yc8 Version-
Arista ≫ 7050tx3-48c8 Version-
Arista ≫ 720xp-24y6 Version-
Arista ≫ 720xp-24zy4 Version-
Arista ≫ 720xp-48y6 Version-
Arista ≫ 720xp-48zc2 Version-
Arista ≫ 720xp-96zc2 Version-
Arista ≫ 7300x3-32c Version-
Arista ≫ 7300x3-48yc4 Version-
Arista ≫ Eos Version >= 4.27.0 <= 4.27.3
Arista ≫ 7050cx3-32s Version-
Arista ≫ 7050cx3m-32s Version-
Arista ≫ 7050sx3-48c8 Version-
Arista ≫ 7050sx3-48yc Version-
Arista ≫ 7050sx3-48yc12 Version-
Arista ≫ 7050sx3-48yc8 Version-
Arista ≫ 7050sx3-96yc8 Version-
Arista ≫ 7050tx3-48c8 Version-
Arista ≫ 720xp-24y6 Version-
Arista ≫ 720xp-24zy4 Version-
Arista ≫ 720xp-48y6 Version-
Arista ≫ 720xp-48zc2 Version-
Arista ≫ 720xp-96zc2 Version-
Arista ≫ 7300x3-32c Version-
Arista ≫ 7300x3-48yc4 Version-
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.23% | 0.459 |

Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 6.5 | 3.9 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
psirt@arista.com | 5.8 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N |
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.