CVE-2025-1260 (GCVE-0-2025-1260)
Vulnerability from cvelistv5
Published: 2025-03-04 19:49
Modified: 2025-03-04 20:41
Summary
On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in unexpected configuration/operations being applied to the switch.
References
- https://www.arista.com/en/support/advisories-notices/security-advisory/21098-security-advisory-0111

Impacted products
Vendor | Product | Affected versions |
---|---|---|
Arista Networks | EOS | 4.33.0 through 4.33.1 |
Arista Networks | EOS | 4.32.0 through 4.32.3 |
Arista Networks | EOS | 4.31.0 through 4.31.5 |
Arista Networks | EOS | 4.30.0 through 4.30.8 |
Arista Networks | EOS | 4.29.0 through 4.29.9 |
Arista Networks | EOS | 4.28.0 through 4.28.12 |

Default status for versions not listed: unaffected.

Record details
- Title: On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected.
- CVE ID: CVE-2025-1260 (state: PUBLISHED, assigner: Arista)
- Date reserved: 2025-02-12T18:10:28.745Z
- Date public: 2025-02-25T16:00:00.000Z
- Date published: 2025-03-04T19:49:00.278Z
- Date updated: 2025-03-04T20:41:46.732Z
- CVSS v3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (scenario: GENERAL)
- Problem type: CWE-284
- Impact: CAPEC-115 Authentication Bypass
- SSVC (CISA ADP Vulnrichment, CISA Coordinator, 2025-03-04T20:41:36.492094Z): Exploitation: none; Automatable: no; Technical Impact: total
- Source: advisory SA 111, defect 1015822, discovery INTERNAL
- NVD: status Awaiting Analysis, published 2025-03-04T20:15:37.133, source psirt@arista.com, exploitability score 2.3, impact score 6.0
- Generator: Vulnogram 0.2.0; data type CVE_RECORD, data version 5.1

Configurations
To be vulnerable to CVE-2025-1259 and CVE-2025-1260 the only condition is that OpenConfig must be enabled with a gNOI server.

    switch(config-gnmi-transport-default)#show management api gnmi
    Transport: default
    Enabled: yes
    Server: running on port 6030, in default VRF
    SSL profile: none
    QoS DSCP: none
    Authorization required: no
    Accounting requests: no
    Notification timestamp: last change time
    Listen addresses: ::
    Authentication username priority: x509-spiffe, metadata, x509-common-name

If OpenConfig is not configured, or OpenConfig is configured with no gNOI server, then there is no exposure to this issue and the output will look like this:

    switch(config)#show management api gnmi
    Enabled: no transports enabled

Solution
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades

CVE-2025-1259 is fixed in the following releases:
- 4.33.2 and later releases in the 4.33.x train
- 4.32.4 and later releases in the 4.32.x train
- 4.31.6 and later releases in the 4.31.x train
- 4.30.9 and later releases in the 4.30.x train
- 4.29.10 and later releases in the 4.29.x train
- 4.28.13 and later releases in the 4.28.x train

Workarounds
For releases with gNSI Authz (EOS 4.31.0F and later releases), the gNOI RPCs can be blocked using gNSI Authz.

First, enable the gNSI Authz service by adding the following config:

    switch(config)#management api gnsi
    switch(config-mgmt-api-gnsi)#service authz
    (config-mgmt-api-gnsi)#transport gnmi [NAME]

Where [NAME] is the name of the running gNMI transport which gNSI will run on. Adding this config will cause the named gNMI transport to reload.

For CVE-2025-1260, the following CLI command (entered after the switch prompt) can be run, which will disable all gNOI Set RPCs.

    switch#bash timeout 100 echo "{\"name\":\"block gNOI SET RPC's policy\",\"allow_rules\":[{\"name\":\"allow_all\"}],\"deny_rules\":[{\"name\":\"no-gnoi-set\",\"request\":{\"paths\":[\"/gnoi.certificate.CertificateManagement/RevokeCertificates\",\"/gnoi.os.OS/Activate\",\"/gnoi.certificate.CertificateManagement/LoadCertificateAuthorityBundle\",\"/gnoi.packet_link_qualification.LinkQualification/Create\",\"/gnoi.system.System/Reboot\",\"/gnsi.certz.v1.Certz/Rotate\",\"/gnoi.system.System/SwitchControlProcessor\",\"/gnoi.packet_link_qualification.LinkQualification/Delete\",\"/gnsi.certz.v1.Certz/DeleteProfile\",\"/gsii.v1.gSII/Modify\",\"/gnoi.file.File/Put\",\"/gnoi.system.System/SetPackage\",\"/gnsi.pathz.v1.Pathz/Rotate\",\"/gnmi.gNMI/Set\",\"/gnoi.system.System/CancelReboot\",\"/gnoi.system.System/KillProcess\",\"/gnoi.file.File/TransferToRemote\",\"/gnoi.os.OS/Install\",\"/gnsi.authz.v1.Authz/Rotate\",\"/gnoi.factory_reset.FactoryReset/Start\",\"/gnsi.certz.v1.Certz/AddProfile\",\"/gnsi.credentialz.v1.Credentialz/RotateAccountCredentials\",\"/gnsi.credentialz.v1.Credentialz/RotateHostParameters\",\"/gnoi.certificate.CertificateManagement/Rotate\",\"/gnoi.certificate.CertificateManagement/Install\",\"/gnoi.certificate.CertificateManagement/LoadCertificate\",\"/gnoi.certificate.CertificateManagement/GenerateCSR\",\"/gnoi.file.File/Remove\"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11

The following CLI command can be run, which will disable all gNOI RPCs.

    switch#bash timeout 100 echo "{\"name\":\"block gNOI RPCs policy\",\"allow_rules\":[{\"name\":\"allow_all\"}],\"deny_rules\":[{\"name\":\"no-one-can-use-any-gnoi\",\"request\":{\"paths\":[\"/gnoi.*\"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.