Description
On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
Low
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
Low
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
Affected products
- Arista Networks / EOS4.36.0 – 4.36.0
- Arista Networks / EOS4.35.0 – 4.35
- Arista Networks / EOS4.34.0 – 4.34
- Arista Networks / EOS4.33.0 – 4.33
- Arista Networks / EOS4.32.0 – 4.32
- Arista Networks / EOS4.31.0 – 4.31
- Arista Networks / EOS4.30