Executive Summary
A critical authorization bypass vulnerability (CVE-2024-27890) has been disclosed in Arista EOS affecting platforms with OpenConfig configured. The flaw allows gNMI Set requests that should have been rejected to execute successfully, enabling an attacker with network access to the gNMI interface to apply unexpected or malicious configuration to affected switches.
With a CVSS score of 9.6, this vulnerability poses a severe risk to network infrastructure environments running Arista EOS with telemetry management via OpenConfig.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-27890 |
| CVSS Score | 9.6 (Critical) |
| Vendor | Arista Networks |
| Product | EOS (Extensible Operating System) |
| Component | OpenConfig / gNMI interface |
| Type | Authorization Bypass |
| Attack Vector | Network |
| Condition | OpenConfig must be enabled |
Technical Details
gNMI (gRPC Network Management Interface) is a network management protocol used by OpenConfig-enabled devices for streaming telemetry and configuration. In affected versions of Arista EOS, certain gNMI Set operations — which should fail authorization checks and be rejected — are instead executed without the expected validation.
This means an attacker who can reach the gNMI port of an affected switch can push unauthorized configuration changes, potentially:
- Modifying routing tables and BGP policies
- Altering access control lists (ACLs)
- Changing VLAN configurations
- Disabling or reconfiguring monitoring and logging
- Pivoting deeper into the network environment
Attack Flow:
1. Attacker identifies Arista EOS switch with OpenConfig/gNMI enabled
2. Attacker connects to gNMI port (typically TCP 6030)
3. Attacker sends crafted gNMI Set request that should be rejected
4. EOS processes the request due to missing authorization check
5. Switch applies attacker-controlled configuration
6. Network behavior altered — routing, ACLs, monitoring impacted
Affected Versions
Consult the official Arista Security Advisory for the full list of affected EOS versions. This vulnerability affects platforms running EOS with the OpenConfig feature enabled.
Impact
| Area | Impact |
|---|---|
| Network Infrastructure | Unauthorized configuration of core network switches |
| Routing Integrity | BGP, OSPF, or static route manipulation |
| Security Controls | ACL and firewall policy override |
| Monitoring | Logging and telemetry configuration altered |
| Confidentiality | Traffic redirection enabling man-in-the-middle attacks |
| Availability | Misconfiguration causing network outages |
Remediation
Step 1: Apply Arista EOS Patch
Upgrade to the fixed EOS version as specified in the Arista Security Advisory for CVE-2024-27890.
Step 2: Restrict gNMI Port Access
If OpenConfig is required, apply strict network-level access controls to the gNMI port:
```
# Example — restrict gNMI access to authorized management hosts only
# On Arista EOS:
ip access-list GNMI-ALLOW
   permit tcp 192.168.100.0/24 any eq 6030
!
management api gnmi
   transport grpc default
      ip access-group GNMI-ALLOW in
!
```
Step 3: Disable OpenConfig If Not Required
```
# On Arista EOS — disable OpenConfig if not actively used
no management api gnmi
```
Step 4: Audit Recent gNMI Activity
Review gNMI audit logs and switch configuration history for unauthorized changes:
```
# Check EOS configuration change history
show archive log all | grep "gNMI"
# Review running config against known-good baseline
show running-config | diff - /mnt/flash/baseline-config.txt
```
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected configuration changes | Authorization-bypassed gNMI Set operations |
| gNMI connections from non-management IPs | Unauthorized management access |
| Routing anomalies | BGP/OSPF table changes from gNMI |
| Missing or altered ACL entries | Security policy modification |
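As an added example (not part of the advisory and not Arista's own tooling), the baseline comparison from Step 4 and the "unexpected configuration changes" indicator above can be automated: the script parses two EOS-style config texts into sections and flags drift in the areas the advisory lists under Impact. The sample configs and the SENSITIVE prefix list are constructed assumptions.

```python
# Added example, not from the advisory or Arista: compare an EOS-style running config
# with a known-good baseline section by section and flag drift in sensitive areas.
# Section prefixes to review first (assumption: mirrors the advisory's impact areas).
SENSITIVE = ("ip access-list", "router bgp", "ip route", "logging", "management api gnmi")

def parse_sections(cfg: str) -> dict:
    """Split an EOS-style config into {top-level line: [indented sub-lines]}."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line or line == "!":        # '!' closes the current section
            current = None
        elif line.startswith(" "):         # indented: belongs to the open section
            if current is not None:
                sections[current].append(line.strip())
        else:                              # new top-level command or section header
            current = line
            sections.setdefault(current, [])
    return sections

def config_drift(baseline: str, running: str) -> dict:
    """Report added/removed/changed sections and the sensitive subset of them."""
    b, r = parse_sections(baseline), parse_sections(running)
    added = sorted(set(r) - set(b))
    removed = sorted(set(b) - set(r))
    changed = sorted(k for k in set(b) & set(r) if b[k] != r[k])
    flagged = sorted(k for k in added + removed + changed if k.startswith(SENSITIVE))
    return {"added": added, "removed": removed, "changed": changed, "flagged": flagged}

# Constructed sample configs (not real device output): widened ACL, extra BGP peer, lost syslog host.
BASELINE = """\
ip access-list GNMI-ALLOW
   permit tcp 192.168.100.0/24 any eq 6030
!
router bgp 65001
   neighbor 10.0.0.2 remote-as 65002
!
logging host 192.168.100.50
!
"""
RUNNING = """\
ip access-list GNMI-ALLOW
   permit tcp 192.168.100.0/24 any eq 6030
   permit tcp any any eq 6030
!
router bgp 65001
   neighbor 10.0.0.2 remote-as 65002
   neighbor 203.0.113.9 remote-as 65999
!
"""
```

Calling `config_drift(BASELINE, RUNNING)["flagged"]` on the samples returns the three drifted sections: the widened gNMI ACL, the changed BGP section and the removed logging host.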
References
- NIST NVD — CVE-2024-27890
- Arista Security Advisory for CVE-2024-27890 (consult Arista support portal)