{ "document": { "category": "security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-US", "publisher": { "category": "vendor", "contact_details": "support@arista.com", "name": "Arista PSIRT", "namespace": "https://www.arista.com" }, "references": [ { "category": "self", "summary": "Security advisory 111 canonical URL", "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21098-security-advisory-0111" } ], "title": "Security Advisory 111", "tracking": { "current_release_date": "2025-05-07T19:55:45Z", "generator": { "engine": { "name": "Arista Networks SecEng Service CSAF Generator" } }, "id": "Arista Networks Security Advisory 111", "initial_release_date": "2025-05-07T19:55:45Z", "revision_history": [ { "date": "2025-05-07T19:55:45Z", "number": "1", "summary": "Document created" } ], "status": "draft", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "EOS version 4.30.9", "product": { "name": "EOS version 4.30.9", "product_id": "CSAFPID-8" } }, { "category": "product_version", "name": "EOS version 4.28.6.4", "product": { "name": "EOS version 4.28.6.4", "product_id": "CSAFPID-7" } }, { "category": "product_version", "name": "EOS version 4.31.6", "product": { "name": "EOS version 4.31.6", "product_id": "CSAFPID-2" } }, { "category": "product_version", "name": "EOS version 4.33.2", "product": { "name": "EOS version 4.33.2", "product_id": "CSAFPID-0" } }, { "category": "product_version", "name": "EOS version 4.33.1FX-wbb", "product": { "name": "EOS version 4.33.1FX-wbb", "product_id": "CSAFPID-6" } }, { "category": "product_version", "name": "EOS version 4.32.4", "product": { "name": "EOS version 4.32.4", "product_id": "CSAFPID-1" } }, { "category": "product_version", "name": "EOS version 4.28.13", "product": { "name": "EOS version 4.28.13", "product_id": "CSAFPID-4" } }, { "category": "product_version", "name": "EOS version 4.23.0", "product": { "name": "EOS version 4.23.0", "product_id": "CSAFPID-3" } }, { "category": "product_version", "name": "EOS version 4.24.1", "product": { "name": "EOS version 4.24.1", "product_id": "CSAFPID-9" } }, { "category": "product_version", "name": "EOS version 4.29.10", "product": { "name": "EOS version 4.29.10", "product_id": "CSAFPID-5" } } ], "category": "product_name", "name": "EOS" } ], "category": "product_family", "name": "Software Products" } ], "category": "vendor", "name": "Arista Networks, Inc." } ] }, "vulnerabilities": [ { "cve": "CVE-2025-1259", "id": { "system_name": "Arista Bug ID", "text": "1015822" }, "notes": [ { "category": "description", "text": "On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This can result in users retrieving data that should not have been available.", "title": "CVE Description" }, { "category": "other", "text": "To be vulnerable to CVE-2025-1259 and CVE-2025-1260 the only condition is that OpenConfig must be enabled with a gNOI server.\n\nswitch(config-gnmi-transport-default)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: none\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: no\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\n \nIf OpenConfig is not configured or OpenConfig is configured with no gNOI server, then there is no exposure to this issue and the message will look like.\n\nswitch(config)#show management api gnmi \nEnabled: no transports enabled", "title": "1015822: Required Config for Exploitation" } ], "product_status": { "first_affected": [ "CSAFPID-3" ], "fixed": [ "CSAFPID-0", "CSAFPID-1", "CSAFPID-2", "CSAFPID-4", "CSAFPID-5", "CSAFPID-6", "CSAFPID-7", "CSAFPID-8" ] }, "references": [ { "category": "external", "summary": "MITRE", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1259" } ], "remediations": [ { "category": "vendor_fix", "details": "Fixed in EOS version 4.28.13", "product_ids": [ "CSAFPID-4" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.28.6.4", "product_ids": [ "CSAFPID-7" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.29.10", "product_ids": [ "CSAFPID-5" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.30.9", "product_ids": [ "CSAFPID-8" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.31.6", "product_ids": [ "CSAFPID-2" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.32.4", "product_ids": [ "CSAFPID-1" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.33.1FX-wbb", "product_ids": [ "CSAFPID-6" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.33.2", "product_ids": [ "CSAFPID-0" ] }, { "category": "none_available", "details": "Not fixed in EOS version 4.23.0", "product_ids": [ "CSAFPID-3" ] }, { "category": "mitigation", "details": "For releases with gNSI Authz (EOS 4.31.0F and later releases), the gNOI RPC’s can be blocked using gNSI Authz.\n\nFirst enable gNSI Authz service by adding the following config:\n\nswitch(config)#management api gnsi\nswitch(config-mgmt-api-gnsi)#service authz\n(config-mgmt-api-gnsi)#transport gnmi [NAME]\n \nWhere [NAME] is the name of the running gNMI transport which gNSI will run on. Adding this config will cause the named gNMI transport to reload.\n\nNext update the authz policy to block access to the TransferToRemote RPC. This can be done directly on the system by updating the Authz policy file and waiting at least 10 seconds for OpenConfig to reload the changes. Note this will replace any existing authz policies located at /persist/sys/gnsi/authz/policy.json\n\nFor CVE-2025-1259 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Get RPC’s.\n\nswitch#bash timeout 100 echo \"{\\\"name\\\":\\\"block gNOI GET RPC's policy\\\",\\\"allow_rules\\\":[{\\\"name\\\":\\\"allow_all\\\"}],\\\"deny_rules\\\":[{\\\"name\\\":\\\"no-gnoi-get\\\",\\\"request\\\":{\\\"paths\\\":[\\\"/gnoi.packet_link_qualification.LinkQualification/List\\\",\\\"/gnoi.certificate.CertificateManagement/GetCertificates\\\",\\\"/gnoi.os.OS/Verify\\\",\\\"/gnoi.healthz.Healthz/Get\\\",\\\"/gnoi.healthz.Healthz/List\\\",\\\"/gnoi.system.System/RebootStatus\\\",\\\"/gnmi.gNMI/Subscribe\\\",\\\"/gnoi.file.File/Stat\\\",\\\"/gnoi.system.System/Traceroute\\\",\\\"/gnoi.packet_link_qualification.LinkQualification/Get\\\",\\\"/gnoi.system.System/Ping\\\",\\\"/gnoi.file.File/Get\\\",\\\"/gnsi.authz.v1.Authz/Probe\\\",\\\"/gnsi.credentialz.v1.Credentialz/GetPublicKeys\\\",\\\"/gnsi.pathz.v1.Pathz/Probe\\\",\\\"/gnoi.healthz.Healthz/Acknowledge\\\",\\\"/gnsi.certz.v1.Certz/CanGenerateCSR\\\",\\\"/gnmi.gNMI/Get\\\",\\\"/gnoi.certificate.CertificateManagement/CanGenerateCSR\\\",\\\"/gnoi.healthz.Healthz/Artifact\\\",\\\"/gnsi.authz.v1.Authz/Get\\\",\\\"/gnoi.system.System/Time\\\",\\\"/gnsi.pathz.v1.Pathz/Get\\\",\\\"/gnoi.packet_link_qualification.LinkQualification/Capabilities\\\",\\\"/gnsi.acctz.v1.AcctzStream/RecordSubscribe\\\",\\\"/gnsi.credentialz.v1.Credentialz/CanGenerateKey\\\",\\\"/gnoi.healthz.Healthz/Check\\\",\\\"/gnsi.certz.v1.Certz/GetProfileList\\\"]}}]}\" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11\n \nFor CVE-2025-1260 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Set RPC’s.\n\nswitch#bash timeout 100 echo \"{\\\"name\\\":\\\"block gNOI SET RPC's policy\\\",\\\"allow_rules\\\":[{\\\"name\\\":\\\"allow_all\\\"}],\\\"deny_rules\\\":[{\\\"name\\\":\\\"no-gnoi-set\\\",\\\"request\\\":{\\\"paths\\\":[\\\"/gnoi.certificate.CertificateManagement/RevokeCertificates\\\",\\\"/gnoi.os.OS/Activate\\\",\\\"/gnoi.certificate.CertificateManagement/LoadCertificateAuthorityBundle\\\",\\\"/gnoi.packet_link_qualification.LinkQualification/Create\\\",\\\"/gnoi.system.System/Reboot\\\",\\\"/gnsi.certz.v1.Certz/Rotate\\\",\\\"/gnoi.system.System/SwitchControlProcessor\\\",\\\"/gnoi.packet_link_qualification.LinkQualification/Delete\\\",\\\"/gnsi.certz.v1.Certz/DeleteProfile\\\",\\\"/gsii.v1.gSII/Modify\\\",\\\"/gnoi.file.File/Put\\\",\\\"/gnoi.system.System/SetPackage\\\",\\\"/gnsi.pathz.v1.Pathz/Rotate\\\",\\\"/gnmi.gNMI/Set\\\",\\\"/gnoi.system.System/CancelReboot\\\",\\\"/gnoi.system.System/KillProcess\\\",\\\"/gnoi.file.File/TransferToRemote\\\",\\\"/gnoi.os.OS/Install\\\",\\\"/gnsi.authz.v1.Authz/Rotate\\\",\\\"/gnoi.factory_reset.FactoryReset/Start\\\",\\\"/gnsi.certz.v1.Certz/AddProfile\\\",\\\"/gnsi.credentialz.v1.Credentialz/RotateAccountCredentials\\\",\\\"/gnsi.credentialz.v1.Credentialz/RotateHostParameters\\\",\\\"/gnoi.certificate.CertificateManagement/Rotate\\\",\\\"/gnoi.certificate.CertificateManagement/Install\\\",\\\"/gnoi.certificate.CertificateManagement/LoadCertificate\\\",\\\"/gnoi.certificate.CertificateManagement/GenerateCSR\\\",\\\"/gnoi.file.File/Remove\\\"]}}]}\" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11\n \nTo resolve both CVE’s the following CLI command can be ran which will disable all gNOI RPC’s.\n\nswitch#bash timeout 100 echo \"{\\\"name\\\":\\\"block gNOI RPCs policy\\\",\\\"allow_rules\\\":[{\\\"name\\\":\\\"allow_all\\\"}],\\\"deny_rules\\\":[{\\\"name\\\":\\\"no-one-can-use-any-gnoi\\\",\\\"request\\\":{\\\"paths\\\":[\\\"/gnoi.*\\\"]}}]}\" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11" } ], "scores": [ { "cvss_v3": { "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "products": [ "CSAFPID-6", "CSAFPID-3", "CSAFPID-1", "CSAFPID-0", "CSAFPID-5", "CSAFPID-7", "CSAFPID-4", "CSAFPID-8", "CSAFPID-2" ] } ], "title": "CVE-2025-1259" }, { "cve": "CVE-2025-1260", "id": { "system_name": "Arista Bug ID", "text": "1015821" }, "notes": [ { "category": "description", "text": "On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This can result in unexpected configuration/operations being applied to the switch.\n", "title": "CVE Description" }, { "category": "other", "text": "To be vulnerable to CVE-2025-1259 and CVE-2025-1260 the only condition is that OpenConfig must be enabled with a gNOI server.\n\nswitch(config-gnmi-transport-default)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: none\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: no\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\n \nIf OpenConfig is not configured or OpenConfig is configured with no gNOI server, then there is no exposure to this issue and the message will look like.\n\nswitch(config)#show management api gnmi \nEnabled: no transports enabled", "title": "1015821: Required Config for Exploitation" } ], "product_status": { "first_affected": [ "CSAFPID-9" ], "fixed": [ "CSAFPID-0", "CSAFPID-1", "CSAFPID-2", "CSAFPID-4", "CSAFPID-5", "CSAFPID-6", "CSAFPID-7", "CSAFPID-8" ] }, "references": [ { "category": "external", "summary": "MITRE", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1260" } ], "remediations": [ { "category": "vendor_fix", "details": "Fixed in EOS version 4.28.13", "product_ids": [ "CSAFPID-4" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.28.6.4", "product_ids": [ "CSAFPID-7" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.29.10", "product_ids": [ "CSAFPID-5" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.30.9", "product_ids": [ "CSAFPID-8" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.31.6", "product_ids": [ "CSAFPID-2" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.32.4", "product_ids": [ "CSAFPID-1" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.33.1FX-wbb", "product_ids": [ "CSAFPID-6" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.33.2", "product_ids": [ "CSAFPID-0" ] }, { "category": "none_available", "details": "Not fixed in EOS version 4.24.1", "product_ids": [ "CSAFPID-9" ] }, { "category": "mitigation", "details": "For releases with gNSI Authz (EOS 4.31.0F and later releases), the gNOI RPC’s can be blocked using gNSI Authz.\n\nFirst enable gNSI Authz service by adding the following config:\n\nswitch(config)#management api gnsi\nswitch(config-mgmt-api-gnsi)#service authz\n(config-mgmt-api-gnsi)#transport gnmi [NAME]\n \nWhere [NAME] is the name of the running gNMI transport which gNSI will run on. Adding this config will cause the named gNMI transport to reload.\n\nNext update the authz policy to block access to the TransferToRemote RPC. This can be done directly on the system by updating the Authz policy file and waiting at least 10 seconds for OpenConfig to reload the changes. Note this will replace any existing authz policies located at /persist/sys/gnsi/authz/policy.json\n\nFor CVE-2025-1259 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Get RPC’s.\n\nswitch#bash timeout 100 echo \"{\\\"name\\\":\\\"block gNOI GET RPC's policy\\\",\\\"allow_rules\\\":[{\\\"name\\\":\\\"allow_all\\\"}],\\\"deny_rules\\\":[{\\\"name\\\":\\\"no-gnoi-get\\\",\\\"request\\\":{\\\"paths\\\":[\\\"/gnoi.packet_link_qualification.LinkQualification/List\\\",\\\"/gnoi.certificate.CertificateManagement/GetCertificates\\\",\\\"/gnoi.os.OS/Verify\\\",\\\"/gnoi.healthz.Healthz/Get\\\",\\\"/gnoi.healthz.Healthz/List\\\",\\\"/gnoi.system.System/RebootStatus\\\",\\\"/gnmi.gNMI/Subscribe\\\",\\\"/gnoi.file.File/Stat\\\",\\\"/gnoi.system.System/Traceroute\\\",\\\"/gnoi.packet_link_qualification.LinkQualification/Get\\\",\\\"/gnoi.system.System/Ping\\\",\\\"/gnoi.file.File/Get\\\",\\\"/gnsi.authz.v1.Authz/Probe\\\",\\\"/gnsi.credentialz.v1.Credentialz/GetPublicKeys\\\",\\\"/gnsi.pathz.v1.Pathz/Probe\\\",\\\"/gnoi.healthz.Healthz/Acknowledge\\\",\\\"/gnsi.certz.v1.Certz/CanGenerateCSR\\\",\\\"/gnmi.gNMI/Get\\\",\\\"/gnoi.certificate.CertificateManagement/CanGenerateCSR\\\",\\\"/gnoi.healthz.Healthz/Artifact\\\",\\\"/gnsi.authz.v1.Authz/Get\\\",\\\"/gnoi.system.System/Time\\\",\\\"/gnsi.pathz.v1.Pathz/Get\\\",\\\"/gnoi.packet_link_qualification.LinkQualification/Capabilities\\\",\\\"/gnsi.acctz.v1.AcctzStream/RecordSubscribe\\\",\\\"/gnsi.credentialz.v1.Credentialz/CanGenerateKey\\\",\\\"/gnoi.healthz.Healthz/Check\\\",\\\"/gnsi.certz.v1.Certz/GetProfileList\\\"]}}]}\" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11\n \nFor CVE-2025-1260 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Set RPC’s.\n\nswitch#bash timeout 100 echo \"{\\\"name\\\":\\\"block gNOI SET RPC's policy\\\",\\\"allow_rules\\\":[{\\\"name\\\":\\\"allow_all\\\"}],\\\"deny_rules\\\":[{\\\"name\\\":\\\"no-gnoi-set\\\",\\\"request\\\":{\\\"paths\\\":[\\\"/gnoi.certificate.CertificateManagement/RevokeCertificates\\\",\\\"/gnoi.os.OS/Activate\\\",\\\"/gnoi.certificate.CertificateManagement/LoadCertificateAuthorityBundle\\\",\\\"/gnoi.packet_link_qualification.LinkQualification/Create\\\",\\\"/gnoi.system.System/Reboot\\\",\\\"/gnsi.certz.v1.Certz/Rotate\\\",\\\"/gnoi.system.System/SwitchControlProcessor\\\",\\\"/gnoi.packet_link_qualification.LinkQualification/Delete\\\",\\\"/gnsi.certz.v1.Certz/DeleteProfile\\\",\\\"/gsii.v1.gSII/Modify\\\",\\\"/gnoi.file.File/Put\\\",\\\"/gnoi.system.System/SetPackage\\\",\\\"/gnsi.pathz.v1.Pathz/Rotate\\\",\\\"/gnmi.gNMI/Set\\\",\\\"/gnoi.system.System/CancelReboot\\\",\\\"/gnoi.system.System/KillProcess\\\",\\\"/gnoi.file.File/TransferToRemote\\\",\\\"/gnoi.os.OS/Install\\\",\\\"/gnsi.authz.v1.Authz/Rotate\\\",\\\"/gnoi.factory_reset.FactoryReset/Start\\\",\\\"/gnsi.certz.v1.Certz/AddProfile\\\",\\\"/gnsi.credentialz.v1.Credentialz/RotateAccountCredentials\\\",\\\"/gnsi.credentialz.v1.Credentialz/RotateHostParameters\\\",\\\"/gnoi.certificate.CertificateManagement/Rotate\\\",\\\"/gnoi.certificate.CertificateManagement/Install\\\",\\\"/gnoi.certificate.CertificateManagement/LoadCertificate\\\",\\\"/gnoi.certificate.CertificateManagement/GenerateCSR\\\",\\\"/gnoi.file.File/Remove\\\"]}}]}\" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11\n \nTo resolve both CVE’s the following CLI command can be ran which will disable all gNOI RPC’s.\n\nswitch#bash timeout 100 echo \"{\\\"name\\\":\\\"block gNOI RPCs policy\\\",\\\"allow_rules\\\":[{\\\"name\\\":\\\"allow_all\\\"}],\\\"deny_rules\\\":[{\\\"name\\\":\\\"no-one-can-use-any-gnoi\\\",\\\"request\\\":{\\\"paths\\\":[\\\"/gnoi.*\\\"]}}]}\" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11" } ], "scores": [ { "cvss_v3": { "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-6", "CSAFPID-1", "CSAFPID-0", "CSAFPID-5", "CSAFPID-7", "CSAFPID-4", "CSAFPID-8", "CSAFPID-2", "CSAFPID-9" ] } ], "title": "CVE-2025-1260" } ] }