CVE-2021-28503
📋 TL;DR
Arista EOS eAPI authentication bypass vulnerability allows remote attackers to access network devices without proper credential validation when certificate-based authentication is enabled. This affects Arista EOS devices with eAPI configured. Attackers could gain unauthorized administrative access to network infrastructure.
💻 Affected Systems
- Arista EOS (Extensible Operating System)
📦 What is this software?
Eos by Arista
Eos by Arista
Eos by Arista
Eos by Arista
Eos by Arista
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of network device allowing configuration changes, traffic interception, lateral movement to other systems, and network disruption.
Likely Case
Unauthorized access to device configuration and management functions, potential data exfiltration, and network reconnaissance.
If Mitigated
Limited impact if proper network segmentation, access controls, and monitoring are in place to detect unauthorized access attempts.
🎯 Exploit Status
Exploitation requires network access to eAPI endpoint and knowledge of certificate authentication bypass technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.24.6M, 4.25.4M, 4.26.2M, 4.27.0F and later
Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisories/13605-security-advisory-0072
Restart Required: Yes
Instructions:
1. Download appropriate fixed EOS version from Arista support portal. 2. Backup device configuration. 3. Install new EOS version using 'copy' and 'boot system' commands. 4. Reload device to apply update.
🔧 Temporary Workarounds
Disable eAPI
allTemporarily disable eAPI management interface if not required
no management api http-commands
no management api https-commands
Use SSH authentication only
allDisable certificate-based authentication and use SSH with strong credentials
aaa authentication login default local
aaa authorization exec default local
🧯 If You Can't Patch
- Implement strict network access controls to limit eAPI access to trusted management networks only
- Enable detailed logging and monitoring for eAPI authentication events and unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check EOS version with 'show version' and verify if running vulnerable version. Check eAPI status with 'show management api http-commands'.Check Version:
show version | include Software image versionVerify Fix Applied:
Verify EOS version is patched with 'show version'. Test eAPI authentication with certificate to ensure proper credential validation.📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful eAPI access
- Unexpected eAPI connections from unauthorized sources
- Configuration changes from unexpected sources
Network Indicators:
- Unusual eAPI traffic patterns
- eAPI connections from non-management networks
- Multiple authentication attempts on eAPI port
SIEM Query:
source="arista-eos" (event_type="authentication" AND result="success" AND auth_method="certificate") OR (event_type="api_access" AND source_ip NOT IN allowed_management_ips)