CVE-2021-28500

9.1 CRITICAL

📋 TL;DR

This vulnerability in Arista EOS allows local users with 'nopassword' configuration to gain unrestricted access to network devices due to incorrect AAA API usage by OpenConfig and TerminAttr agents. It affects Arista switches and routers running vulnerable EOS versions. Attackers could bypass authentication controls and gain administrative privileges.

💻 Affected Systems

Products:
  • Arista EOS (Extensible Operating System)
Versions: All EOS versions prior to 4.24.6M, 4.25.4M, 4.26.2M, and 4.27.0F
Operating Systems: Arista EOS
Default Config Vulnerable: ✅ No
Notes: Only affects systems with 'nopassword' configuration for local users. Requires OpenConfig or TerminAttr agents to be running.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full administrative compromise of network devices, allowing attackers to reconfigure networks, intercept traffic, disable security controls, and pivot to other systems.

🟠

Likely Case

Local privilege escalation where authenticated users with limited access gain full administrative control over network devices.

🟢

If Mitigated

Limited impact if proper access controls and monitoring are in place, with only authorized users having device access.

🌐 Internet-Facing: LOW (Requires local access to device, not directly exploitable over internet)
🏢 Internal Only: HIGH (Local attackers or compromised accounts can gain full device control)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the device and knowledge of the vulnerability. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: EOS 4.24.6M, 4.25.4M, 4.26.2M, 4.27.0F and later

Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071

Restart Required: Yes

Instructions:

1. Download the appropriate EOS version from the Arista support portal.
2. Back up the device configuration.
3. Install the updated EOS version using the 'copy' and 'boot system' commands.
4. Reload the device to apply the update.

🔧 Temporary Workarounds

Remove nopassword configuration

Applies to: all

Remove the 'nopassword' configuration from local user accounts to prevent exploitation:

configure terminal
username <username> secret <password>
no username <username> nopassword

Disable vulnerable agents

Applies to: all

Disable the OpenConfig and TerminAttr agents if they are not required:

configure terminal
no management api openconfig
no daemon TerminAttr

🧯 If You Can't Patch

  • Remove all 'nopassword' configurations from local user accounts
  • Implement strict access controls and monitor for unauthorized configuration changes

🔍 How to Verify

Check if Vulnerable:

Check EOS version with 'show version' and verify if local users have nopassword configuration with 'show running-config | include nopassword'

Check Version:

show version | grep Software

Verify Fix Applied:

Verify EOS version is patched with 'show version' and confirm no nopassword configurations exist
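The version, 'nopassword' and agent checks above can be combined into one offline assessment of captured 'show version' and 'show running-config' output. The script below is an added example, not part of the advisory or Arista's tooling; it assumes the 'Software image version:' line format of 'show version', that trains newer than 4.27 shipped after the fix, and uses constructed sample output.

```python
import re

# First fixed release per EOS train, taken from the advisory summary on this page.
FIXED = {(4, 24): (4, 24, 6), (4, 25): (4, 25, 4), (4, 26): (4, 26, 2), (4, 27): (4, 27, 0)}

def parse_eos_version(show_version):
    """Return (major, minor, patch) from the 'Software image version:' line, or None."""
    m = re.search(r"Software image version:\s*(\d+)\.(\d+)\.(\d+)", show_version)
    return tuple(int(x) for x in m.groups()) if m else None

def version_is_vulnerable(ver):
    """True when the running release predates the fix for its train."""
    major, minor, patch = ver
    train = (major, minor)
    if train in FIXED:
        return ver < FIXED[train]
    # Trains older than 4.24 never received a fix. Assumption: trains newer
    # than 4.27 were released after the fix and are not affected.
    return train < (4, 24)

def nopassword_users(running_config):
    """Local users configured with 'nopassword' (matches 'username X ... nopassword')."""
    return sorted(set(re.findall(r"^username (\S+) .*\bnopassword\b", running_config, re.M)))

def vulnerable_agents_enabled(running_config):
    """Names of the agents the advisory blames that are present in the config."""
    agents = []
    if re.search(r"^management api openconfig", running_config, re.M):
        agents.append("openconfig")
    if re.search(r"^daemon TerminAttr", running_config, re.M):
        agents.append("TerminAttr")
    return agents

def assess(show_version, running_config):
    """Exposed only when all three conditions hold: old release, nopassword user, agent on."""
    ver = parse_eos_version(show_version)
    users = nopassword_users(running_config)
    agents = vulnerable_agents_enabled(running_config)
    exposed = ver is not None and version_is_vulnerable(ver) and bool(users) and bool(agents)
    return {"version": ver, "nopassword_users": users, "agents": agents, "exposed": exposed}

# Constructed sample output (not captured from a real device).
SHOW_VERSION = "Arista DCS-7050SX-64\nSoftware image version: 4.25.3M\n"
CONFIG = """username admin privilege 15 nopassword
username netops privilege 15 secret sha512 $6$constructed$hash
management api openconfig
   transport grpc default
daemon TerminAttr
   exec /usr/bin/TerminAttr
"""

if __name__ == "__main__":
    print(assess(SHOW_VERSION, CONFIG))
```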

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • Configuration changes by unauthorized users
  • Authentication bypass attempts

Network Indicators:

  • Unexpected configuration changes via management interfaces
  • Unauthorized access to device management

SIEM Query:

source="arista-eos" AND ((event_type="authentication" AND result="failure") OR (event_type="configuration" AND user!="authorized_user"))
