Discover the impact of CVE-2021-28499 on Arista's Metamako Operating System. Learn about the vulnerability, affected versions, and mitigation steps to enhance security.
Arista's Metamako Operating System (MOS) software on the 7130 product line has a vulnerability where user account passwords set in clear text could be leaked to users without any password. This affects several versions of the MOS software.
Understanding CVE-2021-28499
CVE-2021-28499 affects Arista's MOS software running on 7130 systems.
What is CVE-2021-28499?
The vulnerability in Arista's MOS software allows user account passwords set in clear text to be exposed to users without any password.
The Impact of CVE-2021-28499
The impact of this vulnerability is rated as MEDIUM with a base score of 6.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L). The vector describes a local attack of low complexity that needs only low privileges and no user interaction, changes scope, and has low impact on confidentiality, integrity, and availability.
Technical Details of CVE-2021-28499
This section provides technical insights into the CVE.
Vulnerability Description
The vulnerability allows user account passwords set in clear text to leak to unauthorized users, compromising security.
Affected Systems and Versions
Arista Metamako Operating System versions MOS-0.18 and higher in the MOS-0.1x train, all releases in the MOS-0.2x train, and MOS-0.31.1 and prior releases in the MOS-0.3x train are impacted.
Exploitation Mechanism
The attack vector is LOCAL and the attack complexity is rated LOW; the impacts on confidentiality, integrity, and availability are each rated LOW.
Mitigation and Prevention
This section outlines steps to mitigate the vulnerability and prevent exploitation.
Immediate Steps to Take
Users are advised to upgrade to MOS-0.32.0 or install the provided hotfix to address the issue.
Long-Term Security Practices
Implement strong password management practices and ensure sensitive information is not stored in plain text.
Patching and Updates
Regularly update the Arista Metamako Operating System and follow security advisories for future vulnerabilities.