Security Advisory 0111 PDF

Date: February 25, 2025

Revision Date Changes
1.0 February 25, 2025 Initial release

The CVE-ID tracking this issue: CVE-2025-1259
CVSSv3.1 Base Score: 7.7 (CVSS:3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Common Weakness Enumeration: CWE-284: Improper Access Control
This vulnerability is being tracked by BUG 1015822

The CVE-ID tracking this issue: CVE-2025-1260
CVSSv3.1 Base Score: 9.1 (CVSS:3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Common Weakness Enumeration: CWE-284: Improper Access Control
This vulnerability is being tracked by BUG 1015821

Description

For both CVE-2025-1259 and CVE-2025-1260, on affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected.

CVE-2025-1259 can result in users retrieving data that should not have been available.

CVE-2025-1260 can result in unexpected configuration/operations being applied to the switch.

These issues were discovered internally, and Arista is unaware of any malicious uses of these issues in customer networks. These are similar types of authorization issues and are being released together due to their similarity.

Vulnerability Assessment

Affected Software

EOS Versions
  • 4.33.1 and below releases in the 4.33.x train
  • 4.32.3 and below releases in the 4.32.x train
  • 4.31.5 and below releases in the 4.31.x train
  • 4.30.8 and below releases in the 4.30.x train
  • 4.29.9 and below releases in the 4.29.x train
  • 4.28.12 and below releases in the 4.28.x train

Affected Platforms

The following products are affected by this vulnerability:

 

  • Arista EOS-based products:
    • 710 Series
    • 720D Series
    • 720XP/722XPM Series
    • 750X Series
    • 7010 Series
    • 7010X Series
    • 7020R Series
    • 7130 Series running EOS
    • 7150 Series
    • 7160 Series
    • 7170 Series
    • 7050X/X2/X3/X4 Series
    • 7060X/X2/X4/X5/X6 Series
    • 7250X Series
    • 7260X/X3 Series
    • 7280E/R/R2/R3 Series
    • 7300X/X3 Series
    • 7320X Series
    • 7358X4 Series
    • 7368X4 Series
    • 7388X5 Series
    • 7500E/R/R2/R3 Series
    • 7800R3/R4 Series
    • 7700R4 Series
    • AWE 5000 and AWE 7200R Series
    • CloudEOS
    • cEOS-lab
    • vEOS-lab

The following product versions and platforms are not affected by this vulnerability:

  • CloudVision CUE, virtual appliance or physical appliance
  • CloudVision CUE cloud service delivery
  • CloudVision eXchange, virtual or physical appliance
  • CloudVision Portal, virtual appliance or physical appliance
  • CloudVision as-a-Service
  • CloudVision AGNI
  • Arista 7130 Systems running MOS
  • Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
  • Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
  • Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)
  • Arista NetVisor OS, Arista NetVisor UNUM, and Insight Analytics (Formerly Pluribus)
  • Arista Wireless Access Points

Required Configuration for Exploitation

To be vulnerable to CVE-2025-1259 and CVE-2025-1260 the only condition is that OpenConfig must be enabled with a gNOI server.

switch(config-gnmi-transport-default)#show management api gnmi
Transport: default
Enabled: yes
Server: running on port 6030, in default VRF
SSL profile: none
QoS DSCP: none
Authorization required: no
Accounting requests: no
Notification timestamp: last change time
Listen addresses: ::
Authentication username priority: x509-spiffe, metadata, x509-common-name
 

If OpenConfig is not configured or OpenConfig is configured with no gNOI server, then there is no exposure to this issue and the message will look like.

switch(config)#show management api gnmi 
Enabled: no transports enabled

Indicators of Compromise

No indicators of compromise exist.

Mitigation

EOS 4.31.0F and later releases

For releases with gNSI Authz (EOS 4.31.0F and later releases), the gNOI RPC’s can be blocked using gNSI Authz.

First enable gNSI Authz service by adding the following config:

 

switch(config)#management api gnsi
switch(config-mgmt-api-gnsi)#service authz
(config-mgmt-api-gnsi)#transport gnmi [NAME]
 

Where [NAME] is the name of the running gNMI transport which gNSI will run on. Adding this config will cause the named gNMI transport to reload.

Next update the authz policy to block access to the TransferToRemote RPC. This can be done directly on the system by updating the Authz policy file and waiting at least 10 seconds for OpenConfig to reload the changes. Note this will replace any existing authz policies located at /persist/sys/gnsi/authz/policy.json

For CVE-2025-1259 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Get RPC’s.

switch#bash timeout 100 echo "{\"name\":\"block gNOI GET RPC's policy\",\"allow_rules\":[{\"name\":\"allow_all\"}],\"deny_rules\":[{\"name\":\"no-gnoi-get\",\"request\":{\"paths\":[\"/gnoi.packet_link_qualification.LinkQualification/List\",\"/gnoi.certificate.CertificateManagement/GetCertificates\",\"/gnoi.os.OS/Verify\",\"/gnoi.healthz.Healthz/Get\",\"/gnoi.healthz.Healthz/List\",\"/gnoi.system.System/RebootStatus\",\"/gnmi.gNMI/Subscribe\",\"/gnoi.file.File/Stat\",\"/gnoi.system.System/Traceroute\",\"/gnoi.packet_link_qualification.LinkQualification/Get\",\"/gnoi.system.System/Ping\",\"/gnoi.file.File/Get\",\"/gnsi.authz.v1.Authz/Probe\",\"/gnsi.credentialz.v1.Credentialz/GetPublicKeys\",\"/gnsi.pathz.v1.Pathz/Probe\",\"/gnoi.healthz.Healthz/Acknowledge\",\"/gnsi.certz.v1.Certz/CanGenerateCSR\",\"/gnmi.gNMI/Get\",\"/gnoi.certificate.CertificateManagement/CanGenerateCSR\",\"/gnoi.healthz.Healthz/Artifact\",\"/gnsi.authz.v1.Authz/Get\",\"/gnoi.system.System/Time\",\"/gnsi.pathz.v1.Pathz/Get\",\"/gnoi.packet_link_qualification.LinkQualification/Capabilities\",\"/gnsi.acctz.v1.AcctzStream/RecordSubscribe\",\"/gnsi.credentialz.v1.Credentialz/CanGenerateKey\",\"/gnoi.healthz.Healthz/Check\",\"/gnsi.certz.v1.Certz/GetProfileList\"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11
 

For CVE-2025-1260 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Set RPC’s.

switch#bash timeout 100 echo "{\"name\":\"block gNOI SET RPC's policy\",\"allow_rules\":[{\"name\":\"allow_all\"}],\"deny_rules\":[{\"name\":\"no-gnoi-set\",\"request\":{\"paths\":[\"/gnoi.certificate.CertificateManagement/RevokeCertificates\",\"/gnoi.os.OS/Activate\",\"/gnoi.certificate.CertificateManagement/LoadCertificateAuthorityBundle\",\"/gnoi.packet_link_qualification.LinkQualification/Create\",\"/gnoi.system.System/Reboot\",\"/gnsi.certz.v1.Certz/Rotate\",\"/gnoi.system.System/SwitchControlProcessor\",\"/gnoi.packet_link_qualification.LinkQualification/Delete\",\"/gnsi.certz.v1.Certz/DeleteProfile\",\"/gsii.v1.gSII/Modify\",\"/gnoi.file.File/Put\",\"/gnoi.system.System/SetPackage\",\"/gnsi.pathz.v1.Pathz/Rotate\",\"/gnmi.gNMI/Set\",\"/gnoi.system.System/CancelReboot\",\"/gnoi.system.System/KillProcess\",\"/gnoi.file.File/TransferToRemote\",\"/gnoi.os.OS/Install\",\"/gnsi.authz.v1.Authz/Rotate\",\"/gnoi.factory_reset.FactoryReset/Start\",\"/gnsi.certz.v1.Certz/AddProfile\",\"/gnsi.credentialz.v1.Credentialz/RotateAccountCredentials\",\"/gnsi.credentialz.v1.Credentialz/RotateHostParameters\",\"/gnoi.certificate.CertificateManagement/Rotate\",\"/gnoi.certificate.CertificateManagement/Install\",\"/gnoi.certificate.CertificateManagement/LoadCertificate\",\"/gnoi.certificate.CertificateManagement/GenerateCSR\",\"/gnoi.file.File/Remove\"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11
 

To resolve both CVE’s the following CLI command can be ran which will disable all gNOI RPC’s.

switch#bash timeout 100 echo "{\"name\":\"block gNOI RPCs policy\",\"allow_rules\":[{\"name\":\"allow_all\"}],\"deny_rules\":[{\"name\":\"no-one-can-use-any-gnoi\",\"request\":{\"paths\":[\"/gnoi.*\"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11

All releases

For CVE-2025-1260 the workaround is to disable gNOI Set requests. This can be done by applying per RPC authorization and ensuring no user can run the OpenConfig.Set command.

For CVE-2025-1259 the workaround is to disable gNOI Get requests. This can be done by applying per RPC authorization and ensuring no user can run the OpenConfig.Get command.

 

Note these commands will also disable read/write gNMI RPC’s respectively.

switch(config-gnmi-transport-default)#show management api gnmi
   transport grpc default
      authorization requests
 

Alternatively for both, the OpenConfig agent can be disabled.

switch(config-gnmi-transport-default)#no management api gnmi

Resolution

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades

CVE-2025-1259 and CVE-2025-1260 are fixed in the following releases:

  • 4.33.2 and later releases in the 4.33.x train
  • 4.32.4 and later releases in the 4.32.x train
  • 4.31.6 and later releases in the 4.31.x train
  • 4.30.9 and later releases in the 4.30.x train
  • 4.29.10 and later releases in the 4.29.x train
  • 4.28.13 and later releases in the 4.28.x train

Hotfix

The following hotfix can be applied to remediate CVE-2025-1259 and CVE-2025-1260. The hotfix only applies to the releases listed below and no other releases.

Note: Installing/uninstalling the SWIX will cause the OpenConfig/Octa process to restart. Services may be unavailable for up to one minute.

 
EOS Versions 4.33.1
EOS Versions 4.32.3
EOS Versions 4.31.5
EOS Versions 4.30.8
EOS Versions 4.29.9
EOS Versions 4.28.12

For instructions on installation and verification of the hotfix patch, refer to the “managing eos extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘copy installed-extensions boot-extensions’.

For More Information

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

Open a Service Request

Contact information needed to open a new service request may be found at:

https://www.arista.com/en/support/customer-support