Learn about CVE-2021-28504, a high-severity vulnerability affecting certain Arista Networks EOS versions. Understand the impact, affected systems, and mitigation steps.
Arista Networks' EOS software in certain versions is affected by a vulnerability that leads to incorrect matching on IP protocol fields in access-list rules when using the 'TCAM profile' feature with 'vxlan' as protocol.
Understanding CVE-2021-28504
This CVE describes a vulnerability on Arista Strata family products that may impact the IP protocol field matching in access-list rules.
What is CVE-2021-28504?
Arista Strata family products with the 'TCAM profile' feature enabled may fail to match on IP protocol fields as expected when a Port IPv4 access-list rule includes 'vxlan' as a protocol.
The Impact of CVE-2021-28504
This vulnerability can cause access-list rules not to match on the IP protocol field as intended, so traffic the rule was meant to permit or deny may be handled differently than the operator expects, weakening the filtering the access-list was supposed to enforce.
Technical Details of CVE-2021-28504
The vulnerability is scored with a CVSS base score of 7.5, indicating a high severity level.
Vulnerability Description
The issue arises from incorrect matching behavior on IP protocol fields when 'vxlan' is used in access-list rules with the 'TCAM profile' feature enabled.
Affected Systems and Versions
Arista EOS versions 4.26.3F and 4.27.0F are confirmed to be affected by this vulnerability.
Exploitation Mechanism
Attackers could potentially exploit this vulnerability to bypass intended network access control rules by leveraging the incorrect matching behavior.
Mitigation and Prevention
To address CVE-2021-28504, Arista Networks recommends the following:
Immediate Steps to Take
Replace the 'vxlan' IP protocol match with a match on IP protocol 'udp' and Layer 4 destination port for VxLAN-encapsulated packets.
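The following audit script is an added example and is not code from the page or from Arista Networks. It scans a constructed, EOS-style running-config excerpt for access-list entries that match on the 'vxlan' protocol while a 'hardware tcam profile' is configured, and prints the replacement entry the advisory describes (protocol 'udp' plus the Layer 4 destination port). The entry layout "<seq> <permit|deny> <protocol> <src> <dst> [eq <port>]", the exact keyword spellings, and the sample configuration are assumptions; the UDP port 4789 is the IANA-assigned VXLAN port from RFC 7348.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an EOS-style running-config excerpt (not from the page
# or from Arista); the ACL entry layout is an assumption made for this example.
SAMPLE_CONFIG = """\
hardware tcam profile vxlan-routing
!
ip access-list EDGE-IN
   10 permit vxlan any any
   20 permit udp any any eq 4789
   30 permit tcp any any eq 22
   40 deny ip any any
!
ip access-list MGMT
   10 permit tcp 10.0.0.0/8 any eq 443
"""

# IANA-assigned VXLAN destination port (RFC 7348).
VXLAN_UDP_PORT = 4789

# Assumed entry shape: "<seq> <permit|deny> <protocol> <rest of match>".
ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$"
)


def uses_tcam_profile(config: str) -> bool:
    """True if a 'hardware tcam profile <name>' line is present (assumed syntax)."""
    return any(
        line.strip().startswith("hardware tcam profile ")
        for line in config.splitlines()
    )


def find_vxlan_aces(config: str) -> List[Tuple[str, str]]:
    """Return (acl_name, entry) for every ACL entry whose protocol is 'vxlan'."""
    findings: List[Tuple[str, str]] = []
    acl = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list "):
            acl = line.split(" ", 2)[2]
            continue
        if line == "!":
            acl = None  # section separator ends the current ACL block
            continue
        m = ACE_RE.match(line)
        if acl and m and m.group("proto").lower() == "vxlan":
            findings.append((acl, line))
    return findings


def rewrite_vxlan_ace(ace: str) -> str:
    """Rewrite '<seq> <action> vxlan <src> <dst>' as the udp + port form the advisory recommends."""
    m = ACE_RE.match(ace.strip())
    if not m or m.group("proto").lower() != "vxlan":
        raise ValueError(f"not a vxlan entry: {ace!r}")
    return f"{m.group('seq')} {m.group('action')} udp {m.group('rest')} eq {VXLAN_UDP_PORT}"


def audit(config: str) -> Dict[str, object]:
    """Report each vxlan entry with its suggested replacement, plus whether the
    TCAM-profile precondition from the advisory is present in the config."""
    findings = [
        (acl, ace, rewrite_vxlan_ace(ace)) for acl, ace in find_vxlan_aces(config)
    ]
    return {"tcam_profile": uses_tcam_profile(config), "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print(f"TCAM profile configured: {result['tcam_profile']}")
    for acl, original, replacement in result["findings"]:  # type: ignore[union-attr]
        print(f"{acl}: replace '{original}' with '{replacement}'")
```

Entries that already use 'udp' with the VXLAN port (sequence 20 in the sample) are left alone; only entries that rely on the 'vxlan' protocol keyword are reported, and the report is most relevant when the TCAM-profile flag is also true, since that is the condition under which the advisory says matching goes wrong.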
Long-Term Security Practices
Upgrade to a remediated EOS release as soon as feasible, preferring the latest release in the relevant train so that the fix for this issue is included.
Patching and Updates
The vulnerability has been resolved in EOS releases 4.26.4F and later in the 4.26.x train, as well as releases 4.27.1M and later in the 4.27.x train.