On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart.

Note: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.

Metrics

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00047.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

No data.

No data.

No data.

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2024-54121 On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. Note: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.
Fixes

Solution

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades .   CVE-2024-8000 has been fixed in the following releases: * 4.33.0M and above * 4.32.5M and above releases in the 4.32.x train * 4.31.6M and above releases in the 4.31.x train * 4.30.9M and above releases in the 4.30.x train

Workaround

The workaround is to re-authenticate each supplicant. This can be done by running the command “dot1x re-authenticate” on the interface post ASU. Alternatively, if the reauthentication timer is enabled, the ACL will be correctly reprogrammed once the timer has expired and re-authentication occurs. switch(Ethernet 1)#dot1x re-authenticate   Alternatively, flapping the interface will trigger reauthentication of the supplicants and correct the ACL which is installed for each mac on that interface. switch(Ethernet 1)#shut switch(Ethernet 1)#no shut   In both cases mentioned, we can verify that reauth has been triggered by checking the output of `show logging` to show the supplicant has been successfully authenticated and `show ip access-lists` to verify the ACL is installed correctly. switch(Ethernet 1)#show logging Aug 24 07:12:05 switch Dot1x: DOT1X-6-SUPPLICANT_AUTHENTICATED: Supplicant with identity 00:01:02:03:04:05, MAC 0001.0203.0405 and dynamic VLAN None successfully authenticated on port Ethernet1. switch#show ip access-lists Phone ACL bypass: disabled IP Access List 802.1x-3212953518000 [dynamic]         10 deny ip 10.1.0.0/16 20.1.0.0/16    20 permit ip from 11.0.0.0/8 to 12.0.0.0/8         30 permit tcp any any eq 80         40 permit tcp any any eq 443         50 deny ip host 192.168.1.100         Total rules configured: 5 switch#show dot1x hosts mac 0001.203.0405 detail | json {     "supplicantMac": "00:01:02:03:04:05",     "identity": "user3",     "interface": "Ethernet3/47",     "authMethod": "EAPOL",     "authStage": "SUCCESS",     "fallback": "NONE",     "callingStationId": "00:01:02:03:04:05",     "reauthBehavior": "DO-NOT-RE-AUTH",     "reauthInterval": 0,     "cacheConfTime": 0,     "vlanId": "202",     "accountingSessionId": "",     "captivePortal": "",     "captivePortalSource": "",     "aristaWebAuth": "",     "supplicantClass": "",     "filterId": "",     "framedIpAddress": "0.0.0.0",     "framedIpAddrSource": "sourceNone",     "nasFilterRules": [         "deny in ip from 10.1.0.0/16 to 20.1.0.0/16",         "permit in ip from 11.0.0.0/8 to 12.0.0.0/8",         "permit tcp any any eq 80",         "permit tcp any any eq 443",         “deny ip host 192.168.1.100"     ],     "sessionTimeout": 0,     "terminationAction": "",     "tunnelPrivateGroupId": "",     "aristaPeriodicIdentity": "",     "cachedAuthAtLinkDown": false,     "reauthTimeoutSeen": false,     "sessionCached": false,     "detail_": true } In the above example the supplicant has been re-authenticated and the nasFilterRules shows 5 rules, as before.

References
Link Providers
https://www.arista.com/en/support/advisories-notices/security-advisory/21086-security-advisory-0109 cve-icon cve-icon
History

Tue, 04 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Mar 2025 20:30:00 +0000

Type Values Removed Values Added
Description On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. Note: supplicants with pending captive-portal authentication during ASU would be impacted with this bug.
Title On affected platforms running Arista EOS with 802.1X configured, certain conditions may occur where a dynamic ACL is received from the AAA server resulting in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restar
Weaknesses CWE-1284
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: Arista

Published:

Updated: 2025-03-04T20:33:37.805Z

Reserved: 2024-08-19T23:25:41.372Z

Link: CVE-2024-8000

cve-icon Vulnrichment

Updated: 2025-03-04T20:33:31.194Z

cve-icon NVD

Status : Received

Published: 2025-03-04T21:15:12.220

Modified: 2025-03-04T21:15:12.220

Link: CVE-2024-8000

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.