CVE-2021-28509 MEDIUM

CVE-2021-28509: TerminAttr streams MACsec sensitive data in clear text to other authorized users in CVP

Vendor Arista Networks
Product Arista EOS
Weakness CWE-255
Published May 26, 2022
Last update September 16, 2024

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak MACsec sensitive data in clear text in CVP to other authorized users, which could cause MACsec traffic to be decrypted or modified by other authorized users on the device.

Key dates

02Disclosure timeline

May 26, 2022 CVE published
September 16, 2024 Record updated