Attackers can change the Arista EOS network operating system configuration
Among other things, the developers of Arista EOS have closed a critical security gap.
Attacks on the Arista EOS network operating system may be imminent. The starting points are two vulnerabilities that have been closed in recent releases. Arista states that there are currently no indications of attacks.
Critical security vulnerability
Various switch models, among others, are at risk. Arista lists the vulnerable products and software versions in a security advisory. The developers state that they have closed both gaps in EOS versions 4.28.13, 4.29.10, 4.30.9, 4.31.6, 4.32.4 and 4.33.2. In both cases, attackers can bypass authentication. The vulnerabilities were discovered internally.
However, devices are said to be vulnerable only if the OpenConfig management option is active. It is not clear from the advisory whether this setting is enabled by default. If the option is active, attackers can launch attacks with a gNOI request that the system should have rejected. How such an attack could proceed in detail is not yet known.
The “critical” vulnerability (CVE-2025-1260) enables attackers to manipulate the configuration. If they successfully exploit the second vulnerability (CVE-2025-1259, “high”), they can view data that should not be accessible to them.
So far, there is no list of Indicators of Compromise (IoC) for attacks that have already taken place. If admins are unable to install the security update immediately, they should secure network devices using a temporary solution.
To do this, they must deactivate gNOI set requests or gNOI get requests, depending on the vulnerability. Alternatively, they can deactivate the OpenConfig agent. The advisory explains how this works.
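For triaging a device inventory against the fixed releases named above, the following Python sketch is an added example and not code from Arista or heise. It assumes EOS version strings of the form "4.30.5M", that later maintenance releases within a train keep the fix, and that the OpenConfig state of each device is already known; hostnames and versions in the sample are constructed.

```python
import re

# Fixed EOS release per train (major, minor) -> maintenance number, as listed in the article.
FIXED = {(4, 28): 13, (4, 29): 10, (4, 30): 9, (4, 31): 6, (4, 32): 4, (4, 33): 2}

# Assumed format: "4.30.5M" or "4.31.6F", optionally with a fourth field ("4.29.10.1M").
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?[A-Za-z]*$")


def triage(version, openconfig_enabled):
    """Return a triage verdict for one device."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown-version-format"
    major, minor, maint = (int(g) for g in m.groups())
    fixed_maint = FIXED.get((major, minor))
    if fixed_maint is None:
        # Train not named in the article: do not guess, consult the vendor advisory.
        return "check-advisory"
    if maint >= fixed_maint:
        return "fixed"
    if not openconfig_enabled:
        # Below the fixed release, but the precondition (OpenConfig active) is absent.
        return "update-pending"
    # Below the fixed release with OpenConfig active: update or apply the workaround.
    return "exposed"


def triage_inventory(devices):
    """devices: iterable of (hostname, eos_version, openconfig_enabled)."""
    return {name: triage(version, oc) for name, version, oc in devices}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("leaf-01", "4.30.5M", True),
    ("leaf-02", "4.30.9M", True),
    ("spine-01", "4.31.2F", False),
    ("edge-01", "4.27.4M", True),
]

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE).items():
        print(f"{name:10} {verdict}")
```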
(des)