CVE-2021-28506

9.1 CRITICAL

📋 TL;DR

CVE-2021-28506 is an authentication bypass vulnerability in Arista EOS gNOI APIs that allows unauthorized factory resets of network devices. This affects Arista EOS users with gNOI APIs enabled. Attackers could completely wipe device configurations without valid credentials.

💻 Affected Systems

Products:
  • Arista EOS
Versions: All versions prior to 4.24.6M, 4.25.4M, 4.26.2M, and 4.27.0F
Operating Systems: Arista EOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires gNOI APIs to be enabled. Factory reset capability is part of the gNOI System service.

📦 What is this software?

Arista EOS is the operating system that runs on Arista switches and routers. gNOI (gRPC Network Operations Interface) is a set of gRPC-based operational APIs (reboot, factory reset, file transfer and similar tasks) that EOS exposes through the same management api gnmi endpoint that serves gNMI, so it is only reachable when that API is enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete network disruption as devices are factory reset, losing all configurations, routing tables, and security policies, requiring manual restoration from backups.

🟠

Likely Case

Targeted attacks against specific devices to cause service disruption or gain initial access to reconfigured devices with default credentials.

🟢

If Mitigated

Minimal impact if gNOI APIs are disabled or proper network segmentation isolates management interfaces.

🌐 Internet-Facing: HIGH if management interfaces are exposed to internet, as unauthenticated attackers could reset devices remotely.
🏢 Internal Only: MEDIUM for internal networks, requiring attacker to reach management interfaces but still bypassing authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple API call to gNOI System service's Reset method without authentication. No special tools required beyond network access to gNOI port.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.24.6M, 4.25.4M, 4.26.2M, 4.27.0F and later

Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071

Restart Required: Yes

Instructions:

1. Download the appropriate fixed EOS version from the Arista support portal.
2. Back up the current configuration.
3. Install the new EOS version using the 'copy' and 'boot system' commands.
4. Reload the device.
5. Verify the version with 'show version'.

🔧 Temporary Workarounds

Disable gNOI APIs

all

Completely disable the gNOI service to prevent exploitation. Note that this also disables gNMI, which shares the same gRPC transport on EOS.

management api gnmi
shutdown

Restrict gNOI access

all

Apply an ACL to limit access to the gNOI management interface. MGMT-ACL is a placeholder for an ACL that permits only trusted management hosts; the exact nesting of the vrf and access-group lines (for example under 'transport grpc <name>') varies by EOS release, so confirm the result with 'show management api gnmi' after applying.

management api gnmi
vrf management
ip access-group MGMT-ACL in

🧯 If You Can't Patch

  • Isolate management interfaces using VLANs and firewall rules
  • Implement strict network segmentation for management traffic

🔍 How to Verify

Check if Vulnerable:

Check EOS version with 'show version' and compare to affected versions. Verify gNOI status with 'show management api gnmi'.

Check Version:

show version | include Software image version

Verify Fix Applied:

Confirm version is 4.24.6M, 4.25.4M, 4.26.2M, 4.27.0F or later using 'show version'.
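An added check for the 'show version' step above (example code written for this page, not Arista's or the advisory's own tooling): it extracts the 'Software image version' line and compares the version against the fixed release for its train. It assumes the "all versions prior to" statement applies per release train, so trains older than 4.24 have no fix and trains newer than 4.27 ship fixed.

```python
import re

# Fixed releases from the advisory, keyed by release train (major, minor).
# Assumption: trains before 4.24 have no fixed release; trains after 4.27 are fixed.
FIXED = {
    (4, 24): (4, 24, 6),
    (4, 25): (4, 25, 4),
    (4, 26): (4, 26, 2),
    (4, 27): (4, 27, 0),
}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)([A-Z]*)$")


def parse_eos_version(text):
    """Parse an EOS image version such as '4.25.3M' or '4.26.1.1F' into a
    tuple of ints; the trailing release-type letter (M/F) is dropped."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version):
    """True if the given EOS version predates the fix for its release train."""
    v = parse_eos_version(version)
    train = v[:2]
    if train > max(FIXED):
        return False  # trains after 4.27 ship with the fix
    if train not in FIXED:
        return True   # 4.23 and earlier: no fixed release exists
    return v < FIXED[train]  # tuple compare handles 4-part versions like 4.24.5.1


def version_from_show_version(output):
    """Extract the image version from 'show version' output."""
    m = re.search(r"Software image version:\s*(\S+)", output)
    if not m:
        raise ValueError("no 'Software image version' line found")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample of the relevant 'show version' line, not real device output.
    sample = "Software image version: 4.25.3M\n"
    ver = version_from_show_version(sample)
    print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```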

📡 Detection & Monitoring

Log Indicators:

  • Unexpected factory reset events in system logs
  • gNOI API calls from unauthorized sources
  • Configuration reloads without administrative action

Network Indicators:

  • gRPC/gNOI traffic to port 6030 from unexpected sources
  • Factory reset API calls in cleartext gNOI traffic

SIEM Query:

source="arista" AND (event_type="factory_reset" OR message="*Reset*" OR message="*gNOI*System*Reset*")

🔗 References

  • Arista Security Advisory 0071: https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071