Learn about CVE-2021-28511, a security ACL bypass vulnerability in Arista EOS versions 4.24.0 to 4.27.3. Find out the impact, affected versions, and mitigation steps.
This advisory describes an internally found vulnerability in Arista EOS in which a Security ACL can be bypassed when a NAT ACL rule matches the same traffic.
Understanding CVE-2021-28511
This CVE covers a security ACL bypass vulnerability in Arista Networks' EOS.
What is CVE-2021-28511?
Arista EOS is affected by a Security ACL bypass: traffic from a host can be forwarded when it should have been dropped, if the packet flow falls within address ranges covered by both a NAT ACL rule and a Security ACL rule.
The Impact of CVE-2021-28511
Packets that a Security ACL drop rule should have discarded are instead forwarded, so the Security ACL no longer enforces the intended policy for flows that also match a NAT ACL permit rule.
Technical Details of CVE-2021-28511
The bypass is caused by the interaction between NAT ACL rules and Security ACL rules on affected EOS releases; it is not a flaw in either ACL type on its own.
Vulnerability Description
Arista EOS releases from 4.24.0 through 4.27.3 are susceptible to the bypass when a NAT ACL rule matches a flow that a Security ACL drop rule is also meant to match.
Affected Systems and Versions
The affected releases are in the 4.24, 4.25, 4.26 and 4.27 trains: every release from 4.24.0 up to and including 4.27.3 that predates the fixed release for its train. Releases outside that range are not listed as affected.
Exploitation Mechanism
The bypass occurs when a NAT ACL rule with a permit action matches a packet flow that a Security ACL drop rule should also match: the NAT permit takes effect and the packet is forwarded instead of being dropped. The practical check is therefore whether any Security ACL deny entry overlaps, in source and destination range, with a NAT ACL permit entry.
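The following is an added audit helper, not Arista code and not part of the original advisory. It models the trigger condition above by flagging every Security ACL deny entry whose source and destination prefixes overlap a NAT ACL permit entry. The `AclRule` structure and the sample rule sets are constructed for illustration; real EOS ACLs also carry protocol, port and ordering semantics that this simplified model ignores, so treat a hit as a candidate to review rather than a confirmed bypass.

```python
"""Flag Security ACL deny rules that overlap NAT ACL permit rules.

Added illustration of the CVE-2021-28511 trigger condition (Security ACL drop
bypassed by a matching NAT ACL permit). This is not Arista code; the rule
format is a simplified stand-in for EOS ACL entries (assumption).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str  # "permit" or "deny"
    src: str     # source prefix in CIDR notation
    dst: str     # destination prefix in CIDR notation


def _overlaps(prefix_a: str, prefix_b: str) -> bool:
    """True if the two CIDR prefixes share at least one address."""
    net_a = ipaddress.ip_network(prefix_a, strict=False)
    net_b = ipaddress.ip_network(prefix_b, strict=False)
    return net_a.overlaps(net_b)


def find_bypass_candidates(security_acl, nat_acl):
    """Return (security_deny, nat_permit) pairs whose src and dst both overlap.

    Each pair is a flow region where, on an affected EOS release, the NAT
    permit could take effect and the Security ACL deny would not be applied.
    """
    hits = []
    for sec in security_acl:
        if sec.action != "deny":
            continue
        for nat in nat_acl:
            if nat.action != "permit":
                continue
            if _overlaps(sec.src, nat.src) and _overlaps(sec.dst, nat.dst):
                hits.append((sec, nat))
    return hits


# Constructed sample rule sets, not taken from any real device.
SECURITY_ACL = [
    AclRule("deny", "10.0.0.0/24", "192.0.2.0/24"),      # overlaps NAT rule 1
    AclRule("deny", "10.0.5.0/24", "198.51.100.0/24"),   # no NAT permit overlap
    AclRule("permit", "0.0.0.0/0", "0.0.0.0/0"),
]
NAT_ACL = [
    AclRule("permit", "10.0.0.0/16", "192.0.2.0/24"),
    AclRule("permit", "172.16.0.0/12", "0.0.0.0/0"),
]


if __name__ == "__main__":
    for sec, nat in find_bypass_candidates(SECURITY_ACL, NAT_ACL):
        print(f"Security deny {sec.src} -> {sec.dst} overlaps "
              f"NAT permit {nat.src} -> {nat.dst}")
```

Running the sample reports one candidate: the first Security ACL deny entry, whose 10.0.0.0/24 source sits inside the NAT rule's 10.0.0.0/16 and whose destination prefix is identical. The second deny entry is not reported because its destination does not overlap any NAT permit destination.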
Mitigation and Prevention
To address CVE-2021-28511, upgrading to patched versions of Arista EOS is recommended.
Immediate Steps to Take
Upgrade to the fixed versions: 4.24.10, 4.25.9, 4.26.6, 4.27.4, or later releases in their respective trains.
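A naive "is the version between 4.24.0 and 4.27.3" test misclassifies patched releases such as 4.24.11 or 4.25.9, which fall inside that numeric span but are fixed. The added helper below, which is not Arista code and not part of the original advisory, instead compares a running version against the first fixed release of its own train. Handling of EOS version suffixes (a trailing letter such as M or F, or a fourth numeric component) is an assumption about the string format; adjust the pattern if your `show version` output differs.

```python
"""Classify an EOS version string against the CVE-2021-28511 fixed releases.

Added example, not Arista code. The fixed releases are those listed in the
advisory text above; the accepted version-string shapes are an assumption.
"""
import re

# train -> first fixed release in that train (from the advisory)
FIXED_RELEASES = {
    (4, 24): (4, 24, 10),
    (4, 25): (4, 25, 9),
    (4, 26): (4, 26, 6),
    (4, 27): (4, 27, 4),
}

# Assumption: "4.26.5", "4.26.5M", "4.27.3F" or "4.26.5.1" style strings.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?[A-Za-z]*")


def parse_version(text: str) -> tuple:
    """Turn an EOS version string into a comparable tuple of integers."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised EOS version string: {text!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_vulnerable(text: str) -> bool:
    """True if the version predates the fixed release of its train.

    Trains outside 4.24 to 4.27 are not in the advisory's affected list, so
    they return False; confirm against the vendor advisory for other trains.
    """
    version = parse_version(text)
    train = version[:2]
    if train not in FIXED_RELEASES:
        return False
    # Tuple comparison handles a fourth component: (4, 26, 5, 1) < (4, 26, 6).
    return version < FIXED_RELEASES[train]


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real device.
    for candidate in ["4.24.9M", "4.24.10", "4.25.9", "4.26.5.1", "4.27.3F", "4.27.4", "4.28.0"]:
        status = "VULNERABLE" if is_vulnerable(candidate) else "fixed / not affected"
        print(f"{candidate:10} {status}")
```

The point of the per-train table is that 4.25.9 is fixed even though 4.27.3 is not, so version checks must be keyed on the train rather than on a single global range.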
Long-Term Security Practices
Regularly update Arista EOS to the latest supported versions to mitigate future vulnerabilities.
Patching and Updates
Track Arista security advisories and apply the fixed release for the train in use; after upgrading, confirm the running release with `show version` so that no device remains on an affected build.