CVE-2024-9448
📋 TL;DR
Arista EOS devices with Traffic Policies configured fail to apply drop rules to untagged packets, allowing them to be forwarded instead of blocked. This affects network security by potentially delivering packets to unintended destinations. Organizations using Arista EOS with Traffic Policies are vulnerable.
💻 Affected Systems
- Arista EOS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious untagged packets bypass security policies, reaching sensitive internal systems or causing network disruption.
Likely Case
Untagged traffic that should be dropped (e.g., malicious scans, policy violations) is forwarded, weakening network segmentation and security controls.
If Mitigated
With proper network segmentation and additional controls, impact is limited to potential policy bypass in specific traffic flows.
🎯 Exploit Status
Exploitation requires sending untagged packets to affected devices; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Arista advisory for fixed versions
Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisory/21121-security-advisory-0112
Restart Required: Yes
Instructions:
1. Review the Arista advisory for fixed EOS versions.
2. Upgrade affected devices to a patched version.
3. Restart the devices to apply the change.
🔧 Temporary Workarounds
Disable Traffic Policies
Remove or disable Traffic Policies if they are not required, eliminating the vulnerability.
no traffic-policy <policy-name>
Tag All Incoming Packets
Configure the network to tag all packets before they reach affected devices, so that no untagged traffic is evaluated by the Traffic Policy. Note that the 'switchport trunk allowed vlan' command only restricts which VLANs a trunk carries; untagged frames arriving on a trunk are assigned to the native VLAN, so confirm that the resulting VLAN assignment matches the policy you intend.
interface <interface-name>
switchport trunk allowed vlan <vlan-id>
🧯 If You Can't Patch
- Implement network segmentation to isolate affected devices and limit potential impact.
- Use additional firewall rules or ACLs to block untagged traffic at network boundaries.
🔍 How to Verify
Check if Vulnerable:
Check if Traffic Policies are configured on Arista EOS devices and verify version against advisory.
Check Version:
show version | include Software image version
Verify Fix Applied:
After patching, test with untagged packets to confirm Traffic Policy drop rules are applied correctly.
📡 Detection & Monitoring
Log Indicators:
- Logs showing untagged packets being forwarded despite drop rules in Traffic Policies.
Network Indicators:
- Network traffic analysis revealing untagged packets bypassing expected filters.
SIEM Query:
Example: search for 'untagged packet forwarded' or 'traffic policy bypass' in network device logs.