CVE-2024-8000 (GCVE-0-2024-8000)
Vulnerability from cvelistv5
Published: 2025-03-04 20:20
Modified: 2025-03-04 20:33
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Summary
On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. Note: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.
Impacted products
Vendor Product Version
Arista Networks EOS Version: 4.32.0   <
Version: 4.31.0   <
Version: 4.30.0   <


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8000",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-04T20:33:23.880423Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-04T20:33:37.805Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EOS",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "4.32.4M",
              "status": "affected",
              "version": "4.32.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.5M",
              "status": "affected",
              "version": "4.31.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.30.8M",
              "status": "affected",
              "version": "4.30.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-8000, the following three conditions must be met:\u003c/p\u003e\u003col\u003e\u003cli\u003e802.1X must be configured.\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003c/li\u003e\u003cli\u003eThe customer must have an external AAA server configured which sends a multi-line dynamic ACL.\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003c/li\u003e\u003cli\u003eASU must have occurred ( more information about the upgrade process can be found here at \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eUpgrades and Downgrades - Arista\u003c/a\u003e\u0026nbsp;). The version being upgraded from is an affected software version, and the version being upgraded to is an affected software version as listed above. \u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe below example shows an example of this issue before and after ASU:\u003c/p\u003e\u003cpre\u003eswitch#show dot1x hosts mac 0001.0203.0405 detail | json\n{\n\u0026nbsp; \u0026nbsp; \"supplicantMac\": \"00:01:02:03:04:05\",\n\u0026nbsp; \u0026nbsp; \"identity\": \"user3\",\n\u0026nbsp; \u0026nbsp; \"interface\": \"Ethernet3/47\",\n\u0026nbsp; \u0026nbsp; \"authMethod\": \"EAPOL\",\n\u0026nbsp; \u0026nbsp; \"authStage\": \"SUCCESS\",\n\u0026nbsp; \u0026nbsp; \"fallback\": \"NONE\",\n\u0026nbsp; \u0026nbsp; \"callingStationId\": \"00-01-02-03-04-05\",\n\u0026nbsp; \u0026nbsp; \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n\u0026nbsp; \u0026nbsp; \"reauthInterval\": 0,\n\u0026nbsp; \u0026nbsp; \"cacheConfTime\": 0,\n\u0026nbsp; \u0026nbsp; \"vlanId\": \"202\",\n\u0026nbsp; \u0026nbsp; \"accountingSessionId\": \"\",\n\u0026nbsp; \u0026nbsp; \"captivePortal\": \"\",\n\u0026nbsp; \u0026nbsp; \"captivePortalSource\": \"\",\n\u0026nbsp; \u0026nbsp; \"aristaWebAuth\": \"\",\n\u0026nbsp; \u0026nbsp; \"supplicantClass\": \"\",\n\u0026nbsp; \u0026nbsp; \"filterId\": \"\",\n\u0026nbsp; \u0026nbsp; 
\"framedIpAddress\": \"0.0.0.0\",\n\u0026nbsp; \u0026nbsp; \"framedIpAddrSource\": \"sourceNone\",\n    \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003e\u003cb\u003e\"nasFilterRules\":  [\u003c/b\u003e\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\",\u003c/b\u003e\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\",\u003c/b\u003e\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \"permit tcp any any eq 80\", \u003c/b\u003e\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \"permit tcp any any eq 443\",\u003c/b\u003e\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u201cdeny ip host 192.168.1.100\"\u003c/b\u003e\n    \u003cb\u003e],\u003c/b\u003e\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \"sessionTimeout\": 0,\n\u0026nbsp; \u0026nbsp; \"terminationAction\": \"\",\n\u0026nbsp; \u0026nbsp; \"tunnelPrivateGroupId\": \"\",\n\u0026nbsp; \u0026nbsp; \"aristaPeriodicIdentity\": \"\",\n\u0026nbsp; \u0026nbsp; \"cachedAuthAtLinkDown\": false,\n\u0026nbsp; \u0026nbsp; \"reauthTimeoutSeen\": false,\n\u0026nbsp; \u0026nbsp; \"sessionCached\": false,\n\u0026nbsp; \u0026nbsp; \"detail_\": true\n}\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eThe above example is before ASU. 
Note that the \u201cnasFilterRules\u201d has 5 rules in it.\u003c/p\u003e\u003cp\u003eWhen ASU is performed:\u003c/p\u003e\u003cpre\u003eswitch#show dot1x hosts mac 0001.0203.0405 detail | json\n{\n\u0026nbsp; \u0026nbsp; \"supplicantMac\": \"00:01:02:03:04:05\",\n\u0026nbsp; \u0026nbsp; \"identity\": \"user3\",\n\u0026nbsp; \u0026nbsp; \"interface\": \"Ethernet3/47\",\n\u0026nbsp; \u0026nbsp; \"authMethod\": \"EAPOL\",\n\u0026nbsp; \u0026nbsp; \"authStage\": \"SUCCESS\",\n\u0026nbsp; \u0026nbsp; \"fallback\": \"NONE\",\n\u0026nbsp; \u0026nbsp; \"callingStationId\": \"00-01-02-03-04-05\",\n\u0026nbsp; \u0026nbsp; \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n\u0026nbsp; \u0026nbsp; \"reauthInterval\": 0,\n\u0026nbsp; \u0026nbsp; \"cacheConfTime\": 0,\n\u0026nbsp; \u0026nbsp; \"vlanId\": \"202\",\n\u0026nbsp; \u0026nbsp; \"accountingSessionId\": \"\",\n\u0026nbsp; \u0026nbsp; \"captivePortal\": \"\",\n\u0026nbsp; \u0026nbsp; \"captivePortalSource\": \"\",\n\u0026nbsp; \u0026nbsp; \"aristaWebAuth\": \"\",\n\u0026nbsp; \u0026nbsp; \"supplicantClass\": \"\",\n\u0026nbsp; \u0026nbsp; \"filterId\": \"\",\n\u0026nbsp; \u0026nbsp; \"framedIpAddress\": \"0.0.0.0\",\n\u0026nbsp; \u0026nbsp; \"framedIpAddrSource\": \"sourceNone\",\n     \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003e\u003cb\u003e\"nasFilterRules\": [\u003c/b\u003e\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\"\u003c/b\u003e\n    \u003cb\u003e],\u003c/b\u003e\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \"sessionTimeout\": 0,\n\u0026nbsp; \u0026nbsp; \"terminationAction\": \"\",\n\u0026nbsp; \u0026nbsp; \"tunnelPrivateGroupId\": \"\",\n\u0026nbsp; \u0026nbsp; \"aristaPeriodicIdentity\": \"\",\n\u0026nbsp; \u0026nbsp; \"cachedAuthAtLinkDown\": false,\n\u0026nbsp; \u0026nbsp; \"reauthTimeoutSeen\": false,\n\u0026nbsp; \u0026nbsp; \"sessionCached\": false,\n\u0026nbsp; \u0026nbsp; \"detail_\": true\n}\n\u003c/pre\u003e\u003cp\u003eThe above 
example is after ASU. Note the nasFilterRule is now only one line. \u003c/p\u003e\u003cp\u003eNote: This symptom is not present when a non-ASU upgrade (i.e. standard reboot) takes place.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "In order to be vulnerable to CVE-2024-8000, the following three conditions must be met:\n\n  *  802.1X must be configured.\u00a0\n\n\n  *  The customer must have an external AAA server configured which sends a multi-line dynamic ACL.\u00a0\n\n\n  *  ASU must have occurred ( more information about the upgrade process can be found here at  Upgrades and Downgrades - Arista https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \u00a0). The version being upgraded from is an affected software version, and the version being upgraded to is an affected software version as listed above. \nThe below example shows an example of this issue before and after ASU:\n\nswitch#show dot1x hosts mac 0001.0203.0405 detail | json\n{\n\u00a0 \u00a0 \"supplicantMac\": \"00:01:02:03:04:05\",\n\u00a0 \u00a0 \"identity\": \"user3\",\n\u00a0 \u00a0 \"interface\": \"Ethernet3/47\",\n\u00a0 \u00a0 \"authMethod\": \"EAPOL\",\n\u00a0 \u00a0 \"authStage\": \"SUCCESS\",\n\u00a0 \u00a0 \"fallback\": \"NONE\",\n\u00a0 \u00a0 \"callingStationId\": \"00-01-02-03-04-05\",\n\u00a0 \u00a0 \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n\u00a0 \u00a0 \"reauthInterval\": 0,\n\u00a0 \u00a0 \"cacheConfTime\": 0,\n\u00a0 \u00a0 \"vlanId\": \"202\",\n\u00a0 \u00a0 \"accountingSessionId\": \"\",\n\u00a0 \u00a0 \"captivePortal\": \"\",\n\u00a0 \u00a0 \"captivePortalSource\": \"\",\n\u00a0 \u00a0 \"aristaWebAuth\": \"\",\n\u00a0 \u00a0 \"supplicantClass\": \"\",\n\u00a0 \u00a0 \"filterId\": \"\",\n\u00a0 \u00a0 \"framedIpAddress\": \"0.0.0.0\",\n\u00a0 \u00a0 \"framedIpAddrSource\": \"sourceNone\",\n    \"nasFilterRules\":  [\n\u00a0 \u00a0 \u00a0 \u00a0 \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"permit tcp any any eq 80\", \n\u00a0 \u00a0 \u00a0 \u00a0 \"permit tcp any any eq 443\",\n\u00a0 \u00a0 \u00a0 \u00a0 \u201cdeny ip host 192.168.1.100\"\n    ],\n\u00a0 \u00a0 
\"sessionTimeout\": 0,\n\u00a0 \u00a0 \"terminationAction\": \"\",\n\u00a0 \u00a0 \"tunnelPrivateGroupId\": \"\",\n\u00a0 \u00a0 \"aristaPeriodicIdentity\": \"\",\n\u00a0 \u00a0 \"cachedAuthAtLinkDown\": false,\n\u00a0 \u00a0 \"reauthTimeoutSeen\": false,\n\u00a0 \u00a0 \"sessionCached\": false,\n\u00a0 \u00a0 \"detail_\": true\n}\n\n\n\u00a0\n\nThe above example is before ASU. Note that the \u201cnasFilterRules\u201d has 5 rules in it.\n\nWhen ASU is performed:\n\nswitch#show dot1x hosts mac 0001.0203.0405 detail | json\n{\n\u00a0 \u00a0 \"supplicantMac\": \"00:01:02:03:04:05\",\n\u00a0 \u00a0 \"identity\": \"user3\",\n\u00a0 \u00a0 \"interface\": \"Ethernet3/47\",\n\u00a0 \u00a0 \"authMethod\": \"EAPOL\",\n\u00a0 \u00a0 \"authStage\": \"SUCCESS\",\n\u00a0 \u00a0 \"fallback\": \"NONE\",\n\u00a0 \u00a0 \"callingStationId\": \"00-01-02-03-04-05\",\n\u00a0 \u00a0 \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n\u00a0 \u00a0 \"reauthInterval\": 0,\n\u00a0 \u00a0 \"cacheConfTime\": 0,\n\u00a0 \u00a0 \"vlanId\": \"202\",\n\u00a0 \u00a0 \"accountingSessionId\": \"\",\n\u00a0 \u00a0 \"captivePortal\": \"\",\n\u00a0 \u00a0 \"captivePortalSource\": \"\",\n\u00a0 \u00a0 \"aristaWebAuth\": \"\",\n\u00a0 \u00a0 \"supplicantClass\": \"\",\n\u00a0 \u00a0 \"filterId\": \"\",\n\u00a0 \u00a0 \"framedIpAddress\": \"0.0.0.0\",\n\u00a0 \u00a0 \"framedIpAddrSource\": \"sourceNone\",\n     \"nasFilterRules\": [\n\u00a0 \u00a0 \u00a0 \u00a0 \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\"\n    ],\n\u00a0 \u00a0 \"sessionTimeout\": 0,\n\u00a0 \u00a0 \"terminationAction\": \"\",\n\u00a0 \u00a0 \"tunnelPrivateGroupId\": \"\",\n\u00a0 \u00a0 \"aristaPeriodicIdentity\": \"\",\n\u00a0 \u00a0 \"cachedAuthAtLinkDown\": false,\n\u00a0 \u00a0 \"reauthTimeoutSeen\": false,\n\u00a0 \u00a0 \"sessionCached\": false,\n\u00a0 \u00a0 \"detail_\": true\n}\n\n\nThe above example is after ASU. Note the nasFilterRule is now only one line. \n\nNote: This symptom is not present when a non-ASU upgrade (i.e. 
standard reboot) takes place."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eOn affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. \u003c/p\u003e\u003cp\u003eNote: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.\u003c/p\u003e"
            }
          ],
          "value": "On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. \n\nNote: supplicants with pending captive-portal authentication during ASU would be impacted with this bug."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-04T20:20:53.517Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21086-security-advisory-0109"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e. \u003c/p\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eCVE-2024-8000 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.33.0M and above\u003c/li\u003e\u003cli\u003e4.32.5M and above releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.6M and above releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.9M and above releases in the 4.30.x train\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades . \n\n\u00a0\n\nCVE-2024-8000 has been fixed in the following releases:\n\n  *  4.33.0M and above\n  *  4.32.5M and above releases in the 4.32.x train\n  *  4.31.6M and above releases in the 4.31.x train\n  *  4.30.9M and above releases in the 4.30.x train"
        }
      ],
      "source": {
        "advisory": "109",
        "defect": [
          "989881"
        ],
        "discovery": "INTERNAL"
      },
      "title": "On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restar",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe workaround is to re-authenticate each supplicant. This can be done by running the command \u201c\u003cb\u003edot1x re-authenticate\u003c/b\u003e\u201d on the interface post ASU. Alternatively, if the reauthentication timer is enabled, the ACL will be correctly reprogrammed once the timer has expired and re-authentication occurs. \u003c/p\u003e\u003cpre\u003eswitch(Ethernet 1)#dot1x re-authenticate\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eAlternatively, flapping the interface will trigger reauthentication of the supplicants and correct the ACL which is installed for each mac on that interface.\u003c/p\u003e\u003cpre\u003eswitch(Ethernet 1)#shut\nswitch(Ethernet 1)#no shut\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIn both cases mentioned, we can verify that reauth has been triggered by checking the output of `\u003cb\u003eshow logging\u003c/b\u003e` to show the supplicant has been successfully authenticated and `\u003cb\u003eshow ip access-lists\u003c/b\u003e` to verify the ACL is installed correctly. 
\u003c/p\u003e\u003cpre\u003eswitch(Ethernet 1)#show logging\nAug 24 07:12:05 switch Dot1x: DOT1X-6-SUPPLICANT_AUTHENTICATED: Supplicant with identity 00:01:02:03:04:05, MAC 0001.0203.0405 and dynamic VLAN None successfully authenticated on port Ethernet1.\n  \nswitch#show ip access-lists\nPhone ACL bypass: disabled\nIP Access List 802.1x-3212953518000 [dynamic]\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 10 deny ip 10.1.0.0/16 20.1.0.0/16\n     \u0026nbsp; \u0026nbsp;20 permit ip from 11.0.0.0/8 to 12.0.0.0/8\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 30 permit tcp any any eq 80\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 40 permit tcp any any eq 443\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 50 deny ip host 192.168.1.100\n  \n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Total rules configured: 5\n  \nswitch#show dot1x hosts mac 0001.203.0405 detail | json\n{\n\u0026nbsp; \u0026nbsp; \"supplicantMac\": \"00:01:02:03:04:05\",\n\u0026nbsp; \u0026nbsp; \"identity\": \"user3\",\n\u0026nbsp; \u0026nbsp; \"interface\": \"Ethernet3/47\",\n\u0026nbsp; \u0026nbsp; \"authMethod\": \"EAPOL\",\n\u0026nbsp; \u0026nbsp; \"authStage\": \"SUCCESS\",\n\u0026nbsp; \u0026nbsp; \"fallback\": \"NONE\",\n\u0026nbsp; \u0026nbsp; \"callingStationId\": \"00:01:02:03:04:05\",\n\u0026nbsp; \u0026nbsp; \"reauthBehavior\": \"DO-NOT-RE-AUTH\",\n\u0026nbsp; \u0026nbsp; \"reauthInterval\": 0,\n\u0026nbsp; \u0026nbsp; \"cacheConfTime\": 0,\n\u0026nbsp; \u0026nbsp; \"vlanId\": \"202\",\n\u0026nbsp; \u0026nbsp; \"accountingSessionId\": \"\",\n\u0026nbsp; \u0026nbsp; \"captivePortal\": \"\",\n\u0026nbsp; \u0026nbsp; \"captivePortalSource\": \"\",\n\u0026nbsp; \u0026nbsp; \"aristaWebAuth\": \"\",\n\u0026nbsp; \u0026nbsp; \"supplicantClass\": \"\",\n\u0026nbsp; \u0026nbsp; \"filterId\": \"\",\n\u0026nbsp; \u0026nbsp; \"framedIpAddress\": \"0.0.0.0\",\n\u0026nbsp; \u0026nbsp; \"framedIpAddrSource\": \"sourceNone\",\n\u0026nbsp; \u0026nbsp; \u003cspan style=\"background-color: 
rgb(255, 255, 0);\"\u003e\"nasFilterRules\": [\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\",\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\",\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \"permit tcp any any eq 80\",\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \"permit tcp any any eq 443\",\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u201cdeny ip host 192.168.1.100\"\n\u0026nbsp; \u0026nbsp; ],\u003c/span\u003e\n\u0026nbsp; \u0026nbsp; \"sessionTimeout\": 0,\n\u0026nbsp; \u0026nbsp; \"terminationAction\": \"\",\n\u0026nbsp; \u0026nbsp; \"tunnelPrivateGroupId\": \"\",\n\u0026nbsp; \u0026nbsp; \"aristaPeriodicIdentity\": \"\",\n\u0026nbsp; \u0026nbsp; \"cachedAuthAtLinkDown\": false,\n\u0026nbsp; \u0026nbsp; \"reauthTimeoutSeen\": false,\n\u0026nbsp; \u0026nbsp; \"sessionCached\": false,\n\u0026nbsp; \u0026nbsp; \"detail_\": true\n}\u003c/pre\u003e\u003cp\u003eIn the above example the supplicant has been re-authenticated and the nasFilterRules shows 5 rules, as before.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "The workaround is to re-authenticate each supplicant. This can be done by running the command \u201cdot1x re-authenticate\u201d on the interface post ASU. Alternatively, if the reauthentication timer is enabled, the ACL will be correctly reprogrammed once the timer has expired and re-authentication occurs. \n\nswitch(Ethernet 1)#dot1x re-authenticate\n\n\n\u00a0\n\nAlternatively, flapping the interface will trigger reauthentication of the supplicants and correct the ACL which is installed for each mac on that interface.\n\nswitch(Ethernet 1)#shut\nswitch(Ethernet 1)#no shut\n\n\n\u00a0\n\nIn both cases mentioned, we can verify that reauth has been triggered by checking the output of `show logging` to show the supplicant has been successfully authenticated and `show ip access-lists` to verify the ACL is installed correctly. \n\nswitch(Ethernet 1)#show logging\nAug 24 07:12:05 switch Dot1x: DOT1X-6-SUPPLICANT_AUTHENTICATED: Supplicant with identity 00:01:02:03:04:05, MAC 0001.0203.0405 and dynamic VLAN None successfully authenticated on port Ethernet1.\n  \nswitch#show ip access-lists\nPhone ACL bypass: disabled\nIP Access List 802.1x-3212953518000 [dynamic]\n\u00a0 \u00a0 \u00a0 \u00a0 10 deny ip 10.1.0.0/16 20.1.0.0/16\n     \u00a0 \u00a020 permit ip from 11.0.0.0/8 to 12.0.0.0/8\n\u00a0 \u00a0 \u00a0 \u00a0 30 permit tcp any any eq 80\n\u00a0 \u00a0 \u00a0 \u00a0 40 permit tcp any any eq 443\n\u00a0 \u00a0 \u00a0 \u00a0 50 deny ip host 192.168.1.100\n  \n\u00a0 \u00a0 \u00a0 \u00a0 Total rules configured: 5\n  \nswitch#show dot1x hosts mac 0001.203.0405 detail | json\n{\n\u00a0 \u00a0 \"supplicantMac\": \"00:01:02:03:04:05\",\n\u00a0 \u00a0 \"identity\": \"user3\",\n\u00a0 \u00a0 \"interface\": \"Ethernet3/47\",\n\u00a0 \u00a0 \"authMethod\": \"EAPOL\",\n\u00a0 \u00a0 \"authStage\": \"SUCCESS\",\n\u00a0 \u00a0 \"fallback\": \"NONE\",\n\u00a0 \u00a0 \"callingStationId\": \"00:01:02:03:04:05\",\n\u00a0 \u00a0 \"reauthBehavior\": 
\"DO-NOT-RE-AUTH\",\n\u00a0 \u00a0 \"reauthInterval\": 0,\n\u00a0 \u00a0 \"cacheConfTime\": 0,\n\u00a0 \u00a0 \"vlanId\": \"202\",\n\u00a0 \u00a0 \"accountingSessionId\": \"\",\n\u00a0 \u00a0 \"captivePortal\": \"\",\n\u00a0 \u00a0 \"captivePortalSource\": \"\",\n\u00a0 \u00a0 \"aristaWebAuth\": \"\",\n\u00a0 \u00a0 \"supplicantClass\": \"\",\n\u00a0 \u00a0 \"filterId\": \"\",\n\u00a0 \u00a0 \"framedIpAddress\": \"0.0.0.0\",\n\u00a0 \u00a0 \"framedIpAddrSource\": \"sourceNone\",\n\u00a0 \u00a0 \"nasFilterRules\": [\n\u00a0 \u00a0 \u00a0 \u00a0 \"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"permit tcp any any eq 80\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"permit tcp any any eq 443\",\n\u00a0 \u00a0 \u00a0 \u00a0 \u201cdeny ip host 192.168.1.100\"\n\u00a0 \u00a0 ],\n\u00a0 \u00a0 \"sessionTimeout\": 0,\n\u00a0 \u00a0 \"terminationAction\": \"\",\n\u00a0 \u00a0 \"tunnelPrivateGroupId\": \"\",\n\u00a0 \u00a0 \"aristaPeriodicIdentity\": \"\",\n\u00a0 \u00a0 \"cachedAuthAtLinkDown\": false,\n\u00a0 \u00a0 \"reauthTimeoutSeen\": false,\n\u00a0 \u00a0 \"sessionCached\": false,\n\u00a0 \u00a0 \"detail_\": true\n}\n\nIn the above example the supplicant has been re-authenticated and the nasFilterRules shows 5 rules, as before."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2024-8000",
    "datePublished": "2025-03-04T20:20:53.517Z",
    "dateReserved": "2024-08-19T23:25:41.372Z",
    "dateUpdated": "2025-03-04T20:33:37.805Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-8000\",\"sourceIdentifier\":\"psirt@arista.com\",\"published\":\"2025-03-04T21:15:12.220\",\"lastModified\":\"2025-03-04T21:15:12.220\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. \\n\\nNote: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1284\"}]}],\"references\":[{\"url\":\"https://www.arista.com/en/support/advisories-notices/security-advisory/21086-security-advisory-0109\",\"source\":\"psirt@arista.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-8000\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-04T20:33:23.880423Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-04T20:33:31.194Z\"}}], \"cna\": {\"title\": \"On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restar\", \"source\": {\"defect\": [\"989881\"], \"advisory\": \"109\", \"discovery\": \"INTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Arista Networks\", \"product\": \"EOS\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.32.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.32.4M\"}, {\"status\": \"affected\", \"version\": \"4.31.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.31.5M\"}, {\"status\": \"affected\", \"version\": \"4.30.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.30.8M\"}], 
\"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades . \\n\\n\\u00a0\\n\\nCVE-2024-8000 has been fixed in the following releases:\\n\\n  *  4.33.0M and above\\n  *  4.32.5M and above releases in the 4.32.x train\\n  *  4.31.6M and above releases in the 4.31.x train\\n  *  4.30.9M and above releases in the 4.30.x train\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\\\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e. \u003c/p\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eCVE-2024-8000 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.33.0M and above\u003c/li\u003e\u003cli\u003e4.32.5M and above releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.6M and above releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.9M and above releases in the 4.30.x train\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.arista.com/en/support/advisories-notices/security-advisory/21086-security-advisory-0109\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"The workaround is to re-authenticate each supplicant. 
This can be done by running the command \\u201cdot1x re-authenticate\\u201d on the interface post ASU. Alternatively, if the reauthentication timer is enabled, the ACL will be correctly reprogrammed once the timer has expired and re-authentication occurs. \\n\\nswitch(Ethernet 1)#dot1x re-authenticate\\n\\n\\n\\u00a0\\n\\nAlternatively, flapping the interface will trigger reauthentication of the supplicants and correct the ACL which is installed for each mac on that interface.\\n\\nswitch(Ethernet 1)#shut\\nswitch(Ethernet 1)#no shut\\n\\n\\n\\u00a0\\n\\nIn both cases mentioned, we can verify that reauth has been triggered by checking the output of `show logging` to show the supplicant has been successfully authenticated and `show ip access-lists` to verify the ACL is installed correctly. \\n\\nswitch(Ethernet 1)#show logging\\nAug 24 07:12:05 switch Dot1x: DOT1X-6-SUPPLICANT_AUTHENTICATED: Supplicant with identity 00:01:02:03:04:05, MAC 0001.0203.0405 and dynamic VLAN None successfully authenticated on port Ethernet1.\\n  \\nswitch#show ip access-lists\\nPhone ACL bypass: disabled\\nIP Access List 802.1x-3212953518000 [dynamic]\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 10 deny ip 10.1.0.0/16 20.1.0.0/16\\n     \\u00a0 \\u00a020 permit ip from 11.0.0.0/8 to 12.0.0.0/8\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 30 permit tcp any any eq 80\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 40 permit tcp any any eq 443\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 50 deny ip host 192.168.1.100\\n  \\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 Total rules configured: 5\\n  \\nswitch#show dot1x hosts mac 0001.203.0405 detail | json\\n{\\n\\u00a0 \\u00a0 \\\"supplicantMac\\\": \\\"00:01:02:03:04:05\\\",\\n\\u00a0 \\u00a0 \\\"identity\\\": \\\"user3\\\",\\n\\u00a0 \\u00a0 \\\"interface\\\": \\\"Ethernet3/47\\\",\\n\\u00a0 \\u00a0 \\\"authMethod\\\": \\\"EAPOL\\\",\\n\\u00a0 \\u00a0 \\\"authStage\\\": \\\"SUCCESS\\\",\\n\\u00a0 \\u00a0 \\\"fallback\\\": \\\"NONE\\\",\\n\\u00a0 \\u00a0 \\\"callingStationId\\\": 
\\\"00:01:02:03:04:05\\\",\\n\\u00a0 \\u00a0 \\\"reauthBehavior\\\": \\\"DO-NOT-RE-AUTH\\\",\\n\\u00a0 \\u00a0 \\\"reauthInterval\\\": 0,\\n\\u00a0 \\u00a0 \\\"cacheConfTime\\\": 0,\\n\\u00a0 \\u00a0 \\\"vlanId\\\": \\\"202\\\",\\n\\u00a0 \\u00a0 \\\"accountingSessionId\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"captivePortal\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"captivePortalSource\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"aristaWebAuth\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"supplicantClass\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"filterId\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"framedIpAddress\\\": \\\"0.0.0.0\\\",\\n\\u00a0 \\u00a0 \\\"framedIpAddrSource\\\": \\\"sourceNone\\\",\\n\\u00a0 \\u00a0 \\\"nasFilterRules\\\": [\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\\"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\\\",\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\\"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\\\",\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\\"permit tcp any any eq 80\\\",\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\\"permit tcp any any eq 443\\\",\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u201cdeny ip host 192.168.1.100\\\"\\n\\u00a0 \\u00a0 ],\\n\\u00a0 \\u00a0 \\\"sessionTimeout\\\": 0,\\n\\u00a0 \\u00a0 \\\"terminationAction\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"tunnelPrivateGroupId\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"aristaPeriodicIdentity\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"cachedAuthAtLinkDown\\\": false,\\n\\u00a0 \\u00a0 \\\"reauthTimeoutSeen\\\": false,\\n\\u00a0 \\u00a0 \\\"sessionCached\\\": false,\\n\\u00a0 \\u00a0 \\\"detail_\\\": true\\n}\\n\\nIn the above example the supplicant has been re-authenticated and the nasFilterRules shows 5 rules, as before.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe workaround is to re-authenticate each supplicant. This can be done by running the command \\u201c\u003cb\u003edot1x re-authenticate\u003c/b\u003e\\u201d on the interface post ASU. 
Alternatively, if the reauthentication timer is enabled, the ACL will be correctly reprogrammed once the timer has expired and re-authentication occurs. \u003c/p\u003e\u003cpre\u003eswitch(Ethernet 1)#dot1x re-authenticate\\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eAlternatively, flapping the interface will trigger reauthentication of the supplicants and correct the ACL which is installed for each mac on that interface.\u003c/p\u003e\u003cpre\u003eswitch(Ethernet 1)#shut\\nswitch(Ethernet 1)#no shut\\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIn both cases mentioned, we can verify that reauth has been triggered by checking the output of `\u003cb\u003eshow logging\u003c/b\u003e` to show the supplicant has been successfully authenticated and `\u003cb\u003eshow ip access-lists\u003c/b\u003e` to verify the ACL is installed correctly. \u003c/p\u003e\u003cpre\u003eswitch(Ethernet 1)#show logging\\nAug 24 07:12:05 switch Dot1x: DOT1X-6-SUPPLICANT_AUTHENTICATED: Supplicant with identity 00:01:02:03:04:05, MAC 0001.0203.0405 and dynamic VLAN None successfully authenticated on port Ethernet1.\\n  \\nswitch#show ip access-lists\\nPhone ACL bypass: disabled\\nIP Access List 802.1x-3212953518000 [dynamic]\\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 10 deny ip 10.1.0.0/16 20.1.0.0/16\\n     \u0026nbsp; \u0026nbsp;20 permit ip from 11.0.0.0/8 to 12.0.0.0/8\\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 30 permit tcp any any eq 80\\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 40 permit tcp any any eq 443\\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 50 deny ip host 192.168.1.100\\n  \\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Total rules configured: 5\\n  \\nswitch#show dot1x hosts mac 0001.203.0405 detail | json\\n{\\n\u0026nbsp; \u0026nbsp; \\\"supplicantMac\\\": \\\"00:01:02:03:04:05\\\",\\n\u0026nbsp; \u0026nbsp; \\\"identity\\\": \\\"user3\\\",\\n\u0026nbsp; \u0026nbsp; \\\"interface\\\": 
\\\"Ethernet3/47\\\",\\n\u0026nbsp; \u0026nbsp; \\\"authMethod\\\": \\\"EAPOL\\\",\\n\u0026nbsp; \u0026nbsp; \\\"authStage\\\": \\\"SUCCESS\\\",\\n\u0026nbsp; \u0026nbsp; \\\"fallback\\\": \\\"NONE\\\",\\n\u0026nbsp; \u0026nbsp; \\\"callingStationId\\\": \\\"00:01:02:03:04:05\\\",\\n\u0026nbsp; \u0026nbsp; \\\"reauthBehavior\\\": \\\"DO-NOT-RE-AUTH\\\",\\n\u0026nbsp; \u0026nbsp; \\\"reauthInterval\\\": 0,\\n\u0026nbsp; \u0026nbsp; \\\"cacheConfTime\\\": 0,\\n\u0026nbsp; \u0026nbsp; \\\"vlanId\\\": \\\"202\\\",\\n\u0026nbsp; \u0026nbsp; \\\"accountingSessionId\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"captivePortal\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"captivePortalSource\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"aristaWebAuth\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"supplicantClass\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"filterId\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"framedIpAddress\\\": \\\"0.0.0.0\\\",\\n\u0026nbsp; \u0026nbsp; \\\"framedIpAddrSource\\\": \\\"sourceNone\\\",\\n\u0026nbsp; \u0026nbsp; \u003cspan style=\\\"background-color: rgb(255, 255, 0);\\\"\u003e\\\"nasFilterRules\\\": [\\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\\"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\\\",\\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\\"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\\\",\\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\\"permit tcp any any eq 80\\\",\\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\\"permit tcp any any eq 443\\\",\\n\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\u201cdeny ip host 192.168.1.100\\\"\\n\u0026nbsp; \u0026nbsp; ],\u003c/span\u003e\\n\u0026nbsp; \u0026nbsp; \\\"sessionTimeout\\\": 0,\\n\u0026nbsp; \u0026nbsp; \\\"terminationAction\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"tunnelPrivateGroupId\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"aristaPeriodicIdentity\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"cachedAuthAtLinkDown\\\": false,\\n\u0026nbsp; \u0026nbsp; 
\\\"reauthTimeoutSeen\\\": false,\\n\u0026nbsp; \u0026nbsp; \\\"sessionCached\\\": false,\\n\u0026nbsp; \u0026nbsp; \\\"detail_\\\": true\\n}\u003c/pre\u003e\u003cp\u003eIn the above example the supplicant has been re-authenticated and the nasFilterRules shows 5 rules, as before.\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. \\n\\nNote: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eOn affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. 
\u003c/p\u003e\u003cp\u003eNote: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1284\", \"description\": \"CWE-1284 Improper Validation of Specified Quantity in Input\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"In order to be vulnerable to CVE-2024-8000, the following three conditions must be met:\\n\\n  *  802.1X must be configured.\\u00a0\\n\\n\\n  *  The customer must have an external AAA server configured which sends a multi-line dynamic ACL.\\u00a0\\n\\n\\n  *  ASU must have occurred ( more information about the upgrade process can be found here at  Upgrades and Downgrades - Arista https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \\u00a0). The version being upgraded from is an affected software version, and the version being upgraded to is an affected software version as listed above. 
\\nThe below example shows an example of this issue before and after ASU:\\n\\nswitch#show dot1x hosts mac 0001.0203.0405 detail | json\\n{\\n\\u00a0 \\u00a0 \\\"supplicantMac\\\": \\\"00:01:02:03:04:05\\\",\\n\\u00a0 \\u00a0 \\\"identity\\\": \\\"user3\\\",\\n\\u00a0 \\u00a0 \\\"interface\\\": \\\"Ethernet3/47\\\",\\n\\u00a0 \\u00a0 \\\"authMethod\\\": \\\"EAPOL\\\",\\n\\u00a0 \\u00a0 \\\"authStage\\\": \\\"SUCCESS\\\",\\n\\u00a0 \\u00a0 \\\"fallback\\\": \\\"NONE\\\",\\n\\u00a0 \\u00a0 \\\"callingStationId\\\": \\\"00-01-02-03-04-05\\\",\\n\\u00a0 \\u00a0 \\\"reauthBehavior\\\": \\\"DO-NOT-RE-AUTH\\\",\\n\\u00a0 \\u00a0 \\\"reauthInterval\\\": 0,\\n\\u00a0 \\u00a0 \\\"cacheConfTime\\\": 0,\\n\\u00a0 \\u00a0 \\\"vlanId\\\": \\\"202\\\",\\n\\u00a0 \\u00a0 \\\"accountingSessionId\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"captivePortal\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"captivePortalSource\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"aristaWebAuth\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"supplicantClass\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"filterId\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"framedIpAddress\\\": \\\"0.0.0.0\\\",\\n\\u00a0 \\u00a0 \\\"framedIpAddrSource\\\": \\\"sourceNone\\\",\\n    \\\"nasFilterRules\\\":  [\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\\"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\\\",\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\\"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\\\",\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\\"permit tcp any any eq 80\\\", \\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\\"permit tcp any any eq 443\\\",\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u201cdeny ip host 192.168.1.100\\\"\\n    ],\\n\\u00a0 \\u00a0 \\\"sessionTimeout\\\": 0,\\n\\u00a0 \\u00a0 \\\"terminationAction\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"tunnelPrivateGroupId\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"aristaPeriodicIdentity\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"cachedAuthAtLinkDown\\\": false,\\n\\u00a0 \\u00a0 \\\"reauthTimeoutSeen\\\": false,\\n\\u00a0 \\u00a0 \\\"sessionCached\\\": false,\\n\\u00a0 
\\u00a0 \\\"detail_\\\": true\\n}\\n\\n\\n\\u00a0\\n\\nThe above example is before ASU. Note that the \\u201cnasFilterRules\\u201d has 5 rules in it.\\n\\nWhen ASU is performed:\\n\\nswitch#show dot1x hosts mac 0001.0203.0405 detail | json\\n{\\n\\u00a0 \\u00a0 \\\"supplicantMac\\\": \\\"00:01:02:03:04:05\\\",\\n\\u00a0 \\u00a0 \\\"identity\\\": \\\"user3\\\",\\n\\u00a0 \\u00a0 \\\"interface\\\": \\\"Ethernet3/47\\\",\\n\\u00a0 \\u00a0 \\\"authMethod\\\": \\\"EAPOL\\\",\\n\\u00a0 \\u00a0 \\\"authStage\\\": \\\"SUCCESS\\\",\\n\\u00a0 \\u00a0 \\\"fallback\\\": \\\"NONE\\\",\\n\\u00a0 \\u00a0 \\\"callingStationId\\\": \\\"00-01-02-03-04-05\\\",\\n\\u00a0 \\u00a0 \\\"reauthBehavior\\\": \\\"DO-NOT-RE-AUTH\\\",\\n\\u00a0 \\u00a0 \\\"reauthInterval\\\": 0,\\n\\u00a0 \\u00a0 \\\"cacheConfTime\\\": 0,\\n\\u00a0 \\u00a0 \\\"vlanId\\\": \\\"202\\\",\\n\\u00a0 \\u00a0 \\\"accountingSessionId\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"captivePortal\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"captivePortalSource\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"aristaWebAuth\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"supplicantClass\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"filterId\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"framedIpAddress\\\": \\\"0.0.0.0\\\",\\n\\u00a0 \\u00a0 \\\"framedIpAddrSource\\\": \\\"sourceNone\\\",\\n     \\\"nasFilterRules\\\": [\\n\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\\"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\\\"\\n    ],\\n\\u00a0 \\u00a0 \\\"sessionTimeout\\\": 0,\\n\\u00a0 \\u00a0 \\\"terminationAction\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"tunnelPrivateGroupId\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"aristaPeriodicIdentity\\\": \\\"\\\",\\n\\u00a0 \\u00a0 \\\"cachedAuthAtLinkDown\\\": false,\\n\\u00a0 \\u00a0 \\\"reauthTimeoutSeen\\\": false,\\n\\u00a0 \\u00a0 \\\"sessionCached\\\": false,\\n\\u00a0 \\u00a0 \\\"detail_\\\": true\\n}\\n\\n\\nThe above example is after ASU. Note the nasFilterRule is now only one line. \\n\\nNote: This symptom is not present when a non-ASU upgrade (i.e. 
standard reboot) takes place.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIn order to be vulnerable to CVE-2024-8000, the following three conditions must be met:\u003c/p\u003e\u003col\u003e\u003cli\u003e802.1X must be configured.\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003c/li\u003e\u003cli\u003eThe customer must have an external AAA server configured which sends a multi-line dynamic ACL.\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003c/li\u003e\u003cli\u003eASU must have occurred ( more information about the upgrade process can be found here at \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\\\"\u003eUpgrades and Downgrades - Arista\u003c/a\u003e\u0026nbsp;). The version being upgraded from is an affected software version, and the version being upgraded to is an affected software version as listed above. \u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe below example shows an example of this issue before and after ASU:\u003c/p\u003e\u003cpre\u003eswitch#show dot1x hosts mac 0001.0203.0405 detail | json\\n{\\n\u0026nbsp; \u0026nbsp; \\\"supplicantMac\\\": \\\"00:01:02:03:04:05\\\",\\n\u0026nbsp; \u0026nbsp; \\\"identity\\\": \\\"user3\\\",\\n\u0026nbsp; \u0026nbsp; \\\"interface\\\": \\\"Ethernet3/47\\\",\\n\u0026nbsp; \u0026nbsp; \\\"authMethod\\\": \\\"EAPOL\\\",\\n\u0026nbsp; \u0026nbsp; \\\"authStage\\\": \\\"SUCCESS\\\",\\n\u0026nbsp; \u0026nbsp; \\\"fallback\\\": \\\"NONE\\\",\\n\u0026nbsp; \u0026nbsp; \\\"callingStationId\\\": \\\"00-01-02-03-04-05\\\",\\n\u0026nbsp; \u0026nbsp; \\\"reauthBehavior\\\": \\\"DO-NOT-RE-AUTH\\\",\\n\u0026nbsp; \u0026nbsp; \\\"reauthInterval\\\": 0,\\n\u0026nbsp; \u0026nbsp; \\\"cacheConfTime\\\": 0,\\n\u0026nbsp; \u0026nbsp; \\\"vlanId\\\": \\\"202\\\",\\n\u0026nbsp; \u0026nbsp; \\\"accountingSessionId\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"captivePortal\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; 
\\\"captivePortalSource\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"aristaWebAuth\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"supplicantClass\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"filterId\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"framedIpAddress\\\": \\\"0.0.0.0\\\",\\n\u0026nbsp; \u0026nbsp; \\\"framedIpAddrSource\\\": \\\"sourceNone\\\",\\n    \u003cspan style=\\\"background-color: rgb(255, 255, 0);\\\"\u003e\u003cb\u003e\\\"nasFilterRules\\\":  [\u003c/b\u003e\\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\\"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\\\",\u003c/b\u003e\\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\\"permit in ip from 11.0.0.0/8 to 12.0.0.0/8\\\",\u003c/b\u003e\\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\\"permit tcp any any eq 80\\\", \u003c/b\u003e\\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\\"permit tcp any any eq 443\\\",\u003c/b\u003e\\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\u201cdeny ip host 192.168.1.100\\\"\u003c/b\u003e\\n    \u003cb\u003e],\u003c/b\u003e\u003c/span\u003e\\n\u0026nbsp; \u0026nbsp; \\\"sessionTimeout\\\": 0,\\n\u0026nbsp; \u0026nbsp; \\\"terminationAction\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"tunnelPrivateGroupId\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"aristaPeriodicIdentity\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"cachedAuthAtLinkDown\\\": false,\\n\u0026nbsp; \u0026nbsp; \\\"reauthTimeoutSeen\\\": false,\\n\u0026nbsp; \u0026nbsp; \\\"sessionCached\\\": false,\\n\u0026nbsp; \u0026nbsp; \\\"detail_\\\": true\\n}\\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eThe above example is before ASU. 
Note that the \\u201cnasFilterRules\\u201d has 5 rules in it.\u003c/p\u003e\u003cp\u003eWhen ASU is performed:\u003c/p\u003e\u003cpre\u003eswitch#show dot1x hosts mac 0001.0203.0405 detail | json\\n{\\n\u0026nbsp; \u0026nbsp; \\\"supplicantMac\\\": \\\"00:01:02:03:04:05\\\",\\n\u0026nbsp; \u0026nbsp; \\\"identity\\\": \\\"user3\\\",\\n\u0026nbsp; \u0026nbsp; \\\"interface\\\": \\\"Ethernet3/47\\\",\\n\u0026nbsp; \u0026nbsp; \\\"authMethod\\\": \\\"EAPOL\\\",\\n\u0026nbsp; \u0026nbsp; \\\"authStage\\\": \\\"SUCCESS\\\",\\n\u0026nbsp; \u0026nbsp; \\\"fallback\\\": \\\"NONE\\\",\\n\u0026nbsp; \u0026nbsp; \\\"callingStationId\\\": \\\"00-01-02-03-04-05\\\",\\n\u0026nbsp; \u0026nbsp; \\\"reauthBehavior\\\": \\\"DO-NOT-RE-AUTH\\\",\\n\u0026nbsp; \u0026nbsp; \\\"reauthInterval\\\": 0,\\n\u0026nbsp; \u0026nbsp; \\\"cacheConfTime\\\": 0,\\n\u0026nbsp; \u0026nbsp; \\\"vlanId\\\": \\\"202\\\",\\n\u0026nbsp; \u0026nbsp; \\\"accountingSessionId\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"captivePortal\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"captivePortalSource\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"aristaWebAuth\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"supplicantClass\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"filterId\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"framedIpAddress\\\": \\\"0.0.0.0\\\",\\n\u0026nbsp; \u0026nbsp; \\\"framedIpAddrSource\\\": \\\"sourceNone\\\",\\n     \u003cspan style=\\\"background-color: rgb(255, 255, 0);\\\"\u003e\u003cb\u003e\\\"nasFilterRules\\\": [\u003c/b\u003e\\n\u003cb\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \\\"deny in ip from 10.1.0.0/16 to 20.1.0.0/16\\\"\u003c/b\u003e\\n    \u003cb\u003e],\u003c/b\u003e\u003c/span\u003e\\n\u0026nbsp; \u0026nbsp; \\\"sessionTimeout\\\": 0,\\n\u0026nbsp; \u0026nbsp; \\\"terminationAction\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"tunnelPrivateGroupId\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; \\\"aristaPeriodicIdentity\\\": \\\"\\\",\\n\u0026nbsp; \u0026nbsp; 
\\\"cachedAuthAtLinkDown\\\": false,\\n\u0026nbsp; \u0026nbsp; \\\"reauthTimeoutSeen\\\": false,\\n\u0026nbsp; \u0026nbsp; \\\"sessionCached\\\": false,\\n\u0026nbsp; \u0026nbsp; \\\"detail_\\\": true\\n}\\n\u003c/pre\u003e\u003cp\u003eThe above example is after ASU. Note the nasFilterRule is now only one line. \u003c/p\u003e\u003cp\u003eNote: This symptom is not present when a non-ASU upgrade (i.e. standard reboot) takes place.\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7\", \"shortName\": \"Arista\", \"dateUpdated\": \"2025-03-04T20:20:53.517Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-8000\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-04T20:33:37.805Z\", \"dateReserved\": \"2024-08-19T23:25:41.372Z\", \"assignerOrgId\": \"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7\", \"datePublished\": \"2025-03-04T20:20:53.517Z\", \"assignerShortName\": \"Arista\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

