CVE-2021-28509 — MEDIUM (6.1)

Q: How severe is CVE-2021-28509?

CVE-2021-28509 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-28509?

Check the references section above for vendor advisories and patch information. Affected products include: Arista Terminattr, Arista Eos, Arista Ccs-722Xpm-48Y4, Arista Ccs-722Xpm-48Zy8, Arista 7050Cx3-32S.

Vulnerability Description

This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak MACsec sensitive data in clear text in CVP to other authorized users, which could cause MACsec traffic to be decrypted or modified by other authorized users on the device.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Arista	Terminattr	< 1.10.11
Arista	Eos	>= 4.23, <= 4.23.11
Arista	Ccs-722Xpm-48Y4	-
Arista	Ccs-722Xpm-48Zy8	-
Arista	7050Cx3-32S	-
Arista	7050Cx3M-32S	-
Arista	7050Sx3-48C8	-
Arista	7050Sx3-48Yc	-
Arista	7050Sx3-48Yc12	-
Arista	7050Sx3-48Yc8	-
Arista	7050Sx3-96Yc8	-
Arista	7050Tx3-48C8	-
Arista	Dcs-7050Cx3-32S	-
Arista	Dcs-7050Cx3-32S-R	-
Arista	Dcs-7050Cx3M-32S	-
Arista	Dcs-7050Sx3-48C8	-
Arista	Dcs-7050Sx3-48Yc12	-
Arista	Dcs-7050Sx3-48Yc8	-
Arista	Dcs-7050Sx3-96Yc8	-
Arista	7280Cr2Ak-30	-

Related Weaknesses (CWE)

CWE-255 CWE-319

References

https://www.arista.com/en/support/advisories-notices/security-advisories/15484-sExploitVendor Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/15484-sExploitVendor Advisory

FAQ

What is CVE-2021-28509?

CVE-2021-28509 is a vulnerability with a CVSS score of 6.1 (MEDIUM). This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is...

How severe is CVE-2021-28509?

CVE-2021-28509 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-28509?

Check the references section above for vendor advisories and patch information. Affected products include: Arista Terminattr, Arista Eos, Arista Ccs-722Xpm-48Y4, Arista Ccs-722Xpm-48Zy8, Arista 7050Cx3-32S.