{ "document": { "category": "security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-US", "publisher": { "category": "vendor", "contact_details": "support@arista.com", "name": "Arista PSIRT", "namespace": "https://www.arista.com" }, "references": [ { "category": "self", "summary": "Security advisory 117 canonical URL", "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21394-security-advisory-0117" } ], "title": "Security Advisory 117", "tracking": { "current_release_date": "2025-05-07T16:59:53Z", "generator": { "engine": { "name": "Arista Networks SecEng Service CSAF Generator" } }, "id": "Arista Networks Security Advisory 117", "initial_release_date": "2025-05-07T16:59:53Z", "revision_history": [ { "date": "2025-05-07T16:59:53Z", "number": "1", "summary": "Document created" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "EOS version 4.30.10", "product": { "name": "EOS version 4.30.10", "product_id": "CSAFPID-1" } }, { "category": "product_version", "name": "EOS version 4.33.2", "product": { "name": "EOS version 4.33.2", "product_id": "CSAFPID-3" } }, { "category": "product_version", "name": "EOS version 4.31.7", "product": { "name": "EOS version 4.31.7", "product_id": "CSAFPID-4" } }, { "category": "product_version", "name": "EOS version 4.32.5", "product": { "name": "EOS version 4.32.5", "product_id": "CSAFPID-2" } }, { "category": "product_version", "name": "EOS version 4.33.1FX-wbb", "product": { "name": "EOS version 4.33.1FX-wbb", "product_id": "CSAFPID-5" } }, { "category": "product_version", "name": "EOS version 4.30.1", "product": { "name": "EOS version 4.30.1", "product_id": "CSAFPID-0" } } ], "category": "product_name", "name": "EOS" } ], "category": "product_family", "name": "Software Products" } ], "category": "vendor", "name": "Arista Networks, Inc." } ] }, "vulnerabilities": [ { "cve": "CVE-2025-0936", "id": { "system_name": "Arista Bug ID", "text": "1045796" }, "notes": [ { "category": "description", "text": "On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc).", "title": "CVE Description" }, { "category": "other", "text": "In order to be vulnerable to CVE-2025-0936, one or both of the following conditions must be met:\n\nOpenConfig must be enabled with a gNOI server with accounting enabled \nOpenConfig must be enabled with a gNOI server with tracing enabled which includes any of:\nservice/9\ninterceptor/9 \ntransport_socketcli/9 \nIf OpenConfig is enabled with a gNOI server with accounting enabled, this will be shown in the following CLI output:\n\nswitch(config)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: none\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: yes\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\n \nIf OpenConfig is not configured or OpenConfig is configured with no gNOI server, then there is no exposure to this issue and the message will look like.\n\nswitch(config)#show management api gnmi\nEnabled: no transports enabled\n \nTo see the tracing enabled for OpenConfig, run:\n\nswitch(config)#show running-config section trace | grep OpenConfig\ntrace OpenConfig setting service/9,interceptor/9,transport_socketcli/9\n \nNote: gRPC-based streaming via TerminAttr to CloudVision is not affected by this vulnerability.", "title": "1045796: Required Config for Exploitation" } ], "product_status": { "first_affected": [ "CSAFPID-0" ], "fixed": [ "CSAFPID-1", "CSAFPID-2", "CSAFPID-3", "CSAFPID-4", "CSAFPID-5" ] }, "references": [ { "category": "external", "summary": "MITRE URL", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0936" } ], "remediations": [ { "category": "vendor_fix", "details": "Fixed in EOS version 4.30.10", "product_ids": [ "CSAFPID-1" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.31.7", "product_ids": [ "CSAFPID-4" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.32.5", "product_ids": [ "CSAFPID-2" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.33.1FX-wbb", "product_ids": [ "CSAFPID-5" ] }, { "category": "vendor_fix", "details": "Fixed in EOS version 4.33.2", "product_ids": [ "CSAFPID-3" ] }, { "category": "none_available", "details": "Not fixed in EOS version 4.30.1", "product_ids": [ "CSAFPID-0" ] }, { "category": "mitigation", "details": "There are a number of possible workarounds:\n\nOption 1 - disable accounting/logging for the OpenConfig transport\nFor example to disable accounting for transport named “default”:\n\nswitch(config)#management api gnmi\nswitch(config-mgmt-api-gnmi)#transport grpc default\nswitch(config-gnmi-transport-default)#no accounting requests\n \nto disable logging for the OpenConfig agent, run:\n\nswitch(config)#no trace OpenConfig setting\n \nOption 2 - disable the gNOI File service entirely\nTo disable the gNOI File service, override the OCGNOIFileToggle, then restart OpenConfig to load the changes\n\nswitch#bash timeout 100 echo \"OCGNOIFileToggle=0\" >> /mnt/flash/toggle_override\nswitch#agent OpenConfig terminate \n \nDisabling the gNOI File service will mean that gNOI clients will no longer be able to call any gNOI File RPCs\n\nOption 3 - block the TransferToRemote RPC using gNSI Authz\nFor releases with gNSI Authz (EOS 4.31.0F and later releases), the TransferToRemote RPC can be blocked using gNSI Authz.\n\nFirst enable gNSI Authz service by adding the following config:\n\nswitch(config)#management api gnsi\nswitch(config-mgmt-api-gnsi)#service authz\nWhere [NAME] is the name of the running gNMI transport\n\nAdding this config will cause the named gNMI transport to reload.\n\nNext update the authz policy to block access to the TransferToRemote RPC. This can be done directly on the system by updating the Authz policy file and waiting at least 10 seconds for OpenConfig to reload the changes:\n\nswitch#bash timeout 100 echo \"{\\\"name\\\":\\\"block gNOI TransferToRemote policy\\\",\\\"allow_rules\\\":[{\\\"name\\\":\\\"allow_all\\\"}],\\\"deny_rules\\\":[{\\\"name\\\":\\\"no-one-can-use-gnoi-transfer-to-remote\\\",\\\"request\\\":{\\\"paths\\\":[\\\"/gnoi.file.File/TransferToRemote\\\"]}}]}\" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11\n \nThis will cause attempts to run the TransferToRemote RPC to fail with a “PermissionDenied” error code." } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "CSAFPID-4", "CSAFPID-3", "CSAFPID-5", "CSAFPID-0", "CSAFPID-1", "CSAFPID-2" ] } ], "title": "CVE-2025-0936" } ] }