CVE-2021-28494
📋 TL;DR
This vulnerability allows unprivileged users to bypass authentication in Arista's Metamako Operating System Web UI under certain conditions. It affects Arista 7130 product line devices running MOS-0.34.0 and earlier versions. Attackers could gain unauthorized access to network devices without valid credentials.
💻 Affected Systems
- Arista 7130 product line
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of network devices allowing configuration changes, traffic interception, network disruption, and lateral movement to other systems.
Likely Case
Unauthorized access to network device management interfaces leading to configuration changes, monitoring of network traffic, and potential denial of service.
If Mitigated
Limited impact if devices are behind firewalls with strict access controls, but authentication bypass still presents significant risk.
🎯 Exploit Status
Authentication bypass vulnerabilities typically have low exploitation complexity once the specific conditions are understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MOS-0.35.0 and later
Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisories/12916-security-advisory-68
Restart Required: Yes
Instructions:
1. Download MOS-0.35.0 or later from the Arista support portal.
2. Back up the current configuration.
3. Install the updated MOS version following Arista's upgrade procedures.
4. Reboot the device to apply the changes.
5. Verify that the new version is running.
🔧 Temporary Workarounds
Disable Web UI Access
Temporarily disable Web UI access and use CLI/API management only
no management api http-commands
no management api https-commands
Restrict Network Access
Implement strict network access controls to limit who can reach the Web UI
management access-list standard <ACL_NAME>
permit <TRUSTED_NETWORKS>
management api http-commands access-class <ACL_NAME>
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to affected devices
- Disable Web UI entirely and use CLI/API management with proper authentication controls
🔍 How to Verify
Check if Vulnerable:
Check the MOS version with the 'show version' command. If the version is MOS-0.34.0 or earlier, the device is vulnerable.
Check Version:
show version | include MOS
Verify Fix Applied:
After patching, verify that the version is MOS-0.35.0 or later using the 'show version' command, and confirm that the authentication bypass is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful access
- Unauthorized access to Web UI from unexpected sources
- Configuration changes from unauthenticated users
Network Indicators:
- HTTP/HTTPS traffic to Web UI without proper authentication sequences
- Unusual patterns of access to management interfaces
SIEM Query (illustrative pseudo-syntax; the two clauses are separate correlations, adapt field names to your log source):
source="arista-device" AND (event_type="auth_failure" FOLLOWED BY event_type="auth_success" within 5s)
OR (source="arista-device" AND http_user_agent="*" AND NOT auth_success)
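The log indicators above turned into a small correlation check, added here as an example and not taken from the advisory or from Arista. It parses constructed, syslog-style lines in an assumed "timestamp event src=… user=…" layout (the real MOS log format is not shown on this page), flags an authentication failure followed by a success from the same source within 5 seconds, and flags any configuration change from a source that never authenticated successfully.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed layout; adapt LINE_RE to the
# actual MOS log format before using this against real device logs.
SAMPLE_LOGS = """\
2021-05-03T10:00:01Z auth_failure src=203.0.113.7 user=admin
2021-05-03T10:00:03Z auth_success src=203.0.113.7 user=admin
2021-05-03T10:00:20Z auth_failure src=198.51.100.9 user=admin
2021-05-03T10:00:40Z auth_success src=198.51.100.9 user=admin
2021-05-03T10:01:00Z config_change src=192.0.2.55 user=admin
2021-05-03T10:01:05Z config_change src=203.0.113.7 user=admin
"""

LINE_RE = re.compile(r"^(\S+) (\w+) src=(\S+) user=(\S+)$")


def parse(lines):
    """Return (timestamp, event, src, user) tuples for every parsable line."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def correlate(events, window=timedelta(seconds=5)):
    """Apply the two log indicators and return (alert_name, src) pairs."""
    alerts = []
    last_failure = {}      # src -> time of most recent auth_failure
    authenticated = set()  # sources that have had an auth_success
    for ts, event, src, user in sorted(events):
        if event == "auth_failure":
            last_failure[src] = ts
        elif event == "auth_success":
            authenticated.add(src)
            # Failure then success from the same source inside the window
            if src in last_failure and ts - last_failure[src] <= window:
                alerts.append(("failure_then_success", src))
        elif event == "config_change" and src not in authenticated:
            # Configuration change with no preceding successful login
            alerts.append(("change_without_auth", src))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(*alert)
```

On the constructed sample the 198.51.100.9 login is 20 seconds apart and is not flagged, while 203.0.113.7 (2 seconds apart) and the unauthenticated change from 192.0.2.55 are.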