11 Apr

Arista Networks has released a security advisory addressing a critical vulnerability in its EOS (Extensible Operating System) that could lead to the transmission of sensitive information in cleartext. The vulnerability, identified as CVE-2024-12378, carries a CVSS score of 9.1, indicating its severity.
The advisory warns that on affected platforms running Arista EOS with secure Vxlan configured, restarting the Tunnelsec agent will result in packets being sent over the secure Vxlan tunnels in the clear. This means that data intended to be encrypted could be transmitted without encryption, potentially exposing sensitive information to unauthorized access.
The vulnerability affects a range of Arista EOS-based products, specifically within the 7280CR3MK Series.


The following EOS versions are impacted:
* 4.32.2F and below releases in the 4.32.x train
* 4.31.6M and below releases in the 4.31.x train
* 4.30.8M and below releases in the 4.30.x train
* 4.29.9M and below releases in the 4.29.x train
* 4.28.12M and below releases in the 4.28.x train
* 4.27.12M and below releases in the 4.27.x train

A wide array of Arista EOS-based products are not affected by this vulnerability.
The advisory specifies that for a system to be vulnerable to CVE-2024-12378, secure Vxlan must be configured. The “show ip security connection” output will be empty if Secure Vxlan is not configured.
According to the advisory, an indicator of compromise is when “the secure Vxlan tunnel will go from Established to Connected state, but packets will be sent and received successfully over the tunnel.” In a normal, encrypted connection, the status is “established”.
Arista has provided a workaround to mitigate the vulnerability. The workaround involves removing and re-applying security profiles for each secure VTEP.
However, Arista’s recommended resolution is to upgrade to a remediated software version as soon as possible.
The vulnerability is fixed in the following EOS releases:
* 4.33.0F and later releases in the 4.33.x train
* 4.32.3M and later releases in the 4.32.x train
* 4.31.7M and later releases in the 4.31.x train
* 4.30.9M and later releases in the 4.30.x train
* 4.29.10M and later releases in the 4.29.x train

Arista advises customers to upgrade to the latest version of each release that contains the necessary fixes.
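The affected and fixed version lists above, together with the two preconditions the advisory states (a 7280CR3MK Series platform and secure Vxlan configured), are enough to triage a device inventory. The following Python is an added example written for this article, not code from Arista or from the advisory: it encodes the per-train thresholds exactly as listed, parses three-component EOS version strings such as `4.32.2F` (an assumption; four-component hotfix builds are rejected rather than guessed at), and reports a device as exposed only when all three conditions hold. The model strings and hostnames in the sample inventory are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Highest affected patch number per EOS train ("X and below", from the advisory).
AFFECTED_MAX_PATCH: Dict[Tuple[int, int], int] = {
    (4, 32): 2,    # 4.32.2F and below
    (4, 31): 6,    # 4.31.6M and below
    (4, 30): 8,    # 4.30.8M and below
    (4, 29): 9,    # 4.29.9M and below
    (4, 28): 12,   # 4.28.12M and below
    (4, 27): 12,   # 4.27.12M and below
}

# Lowest fixed patch number per EOS train ("X and later", from the advisory).
# The 4.28.x and 4.27.x trains have no fixed release listed, so versions above
# their affected ceiling are reported as "not listed" rather than assumed fixed.
FIXED_MIN_PATCH: Dict[Tuple[int, int], int] = {
    (4, 33): 0,    # 4.33.0F and later
    (4, 32): 3,    # 4.32.3M and later
    (4, 31): 7,    # 4.31.7M and later
    (4, 30): 9,    # 4.30.9M and later
    (4, 29): 10,   # 4.29.10M and later
}

# Assumption: versions look like <major>.<minor>.<patch><release-letter>.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([A-Z]*)$")


def parse_eos_version(version: str) -> Tuple[int, int, int, str]:
    """Split '4.32.2F' into (4, 32, 2, 'F'); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def classify_version(version: str) -> str:
    """Return 'fixed', 'affected', or 'not listed' per the advisory's lists."""
    major, minor, patch, _ = parse_eos_version(version)
    train = (major, minor)
    # Check the fixed list first: 4.32.3M is fixed even though 4.32.x is an affected train.
    if train in FIXED_MIN_PATCH and patch >= FIXED_MIN_PATCH[train]:
        return "fixed"
    if train in AFFECTED_MAX_PATCH and patch <= AFFECTED_MAX_PATCH[train]:
        return "affected"
    return "not listed"


def is_exposed(version: str, model: str, secure_vxlan_configured: bool) -> bool:
    """All three advisory conditions must hold for a device to be exposed."""
    return (
        classify_version(version) == "affected"
        and "7280CR3MK" in model.upper()      # advisory: 7280CR3MK Series only
        and secure_vxlan_configured           # advisory: 'show ip security connection' non-empty
    )


def triage(inventory: List[dict]) -> List[str]:
    """Return hostnames of exposed devices, sorted, from an inventory of dicts."""
    return sorted(
        d["hostname"]
        for d in inventory
        if is_exposed(d["version"], d["model"], d["secure_vxlan"])
    )


# Constructed sample inventory (placeholder hostnames and model strings).
SAMPLE_INVENTORY = [
    {"hostname": "leaf-01", "version": "4.32.2F", "model": "7280CR3MK-placeholder", "secure_vxlan": True},
    {"hostname": "leaf-02", "version": "4.32.3M", "model": "7280CR3MK-placeholder", "secure_vxlan": True},
    {"hostname": "leaf-03", "version": "4.31.6M", "model": "7280CR3MK-placeholder", "secure_vxlan": False},
    {"hostname": "spine-1", "version": "4.29.9M", "model": "other-platform-placeholder", "secure_vxlan": True},
    {"hostname": "leaf-04", "version": "4.28.13M", "model": "7280CR3MK-placeholder", "secure_vxlan": True},
]

if __name__ == "__main__":
    for d in SAMPLE_INVENTORY:
        print(d["hostname"], d["version"], classify_version(d["version"]))
    print("exposed:", triage(SAMPLE_INVENTORY))
```

Note that `leaf-04` on 4.28.13M is reported as "not listed" rather than fixed: the advisory gives no remediated release for the 4.28.x or 4.27.x trains, so the only supported path for those devices is the upgrade to a later train that Arista recommends.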
