PT-2022-9896 · Arista · Arista EOS +1

Published: 2022-04-01 · Updated: 2022-04-12 · CVE-2021-28504

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Arista Strata family products (affected versions not specified); Arista EOS (affected versions not specified)

Description: The issue affects Arista Strata family products with the "TCAM profile" feature enabled: a Port IPv4 access-list rule that matches the vxlan protocol causes the rules that follow it not to match on the IP protocol field as expected. On affected Arista EOS platforms, deny rules are not applied to packets larger than the configured maximum transmission unit (MTU), so such oversized packets are routed by the switch instead of being dropped. The issue was discovered internally, and there are no known instances of malicious use in customer networks.

Recommendations: For Arista Strata family products, consider disabling the "TCAM profile" feature until a fix is available. For Arista EOS, restrict packet size to the configured MTU to minimize the risk of exploitation. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Access Control
Incorrect Authorization

Related Identifiers

CVE-2021-28504

Affected Products

Arista Eos
Arista Strata