CVE-2024-8000
📋 TL;DR
This vulnerability affects Arista EOS devices with 802.1X authentication configured. During Accelerated Software Upgrade (ASU) restarts, only the first line of dynamic ACLs from AAA servers is installed, potentially allowing unauthorized network access. Supplicants with pending captive-portal authentication during ASU are impacted.
💻 Affected Systems
- Arista EOS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass network access controls and gain unauthorized access to restricted network segments, potentially leading to lateral movement and data exfiltration.
Likely Case
Users with pending captive-portal authentication may receive incorrect network access permissions, potentially accessing resources they shouldn't have access to.
If Mitigated
With proper network segmentation and monitoring, the impact is limited to temporary access control misconfigurations affecting only specific supplicants during ASU events.
🎯 Exploit Status
Exploitation requires specific timing during ASU restarts and affects only supplicants with pending captive-portal authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisory/21086-security-advisory-0109
Restart Required: Yes
🔧 Temporary Workarounds
Disable ASU during maintenance windows
Avoid using Accelerated Software Upgrade when 802.1X authentication is critical
Monitor for pending captive-portal authentications
Track and manage supplicants with pending authentication before ASU events
🧯 If You Can't Patch
- Implement additional network segmentation for devices using 802.1X
- Increase monitoring of network access during and after ASU events
🔍 How to Verify
Check if Vulnerable:
Check if running affected Arista EOS versions with 802.1X configured and ASU capability
Check Version:
show version
Verify Fix Applied:
Verify patch installation and test dynamic ACL installation after ASU restart
📡 Detection & Monitoring
Log Indicators:
- ASU restart events with 802.1X authentication
- Dynamic ACL installation failures
- Captive-portal authentication anomalies
Network Indicators:
- Unexpected network access patterns after ASU events
- ACL rule mismatches