Arista 710
cpe:2.3:o:arista:eos:*:*:*:*:*:*:*
- <= 4.32.4M
- <= 4.31.5M
- <= 4.30.8M
A vulnerability exists in Arista EOS versions 4.32.4M and below in the 4.32.x train, as well as in 4.31.5M and below in the 4.31.x train. On affected platforms with 802.1X configured, a dynamic Access Control List (ACL) received from the AAA server may result in only the first line of the ACL being installed after an Accelerated Software Upgrade (ASU) restart. This issue impacts supplicants with pending captive-portal authentication during ASU, leading to unauthorized traffic flows if the ACL is not correctly programmed post-ASU.
The vulnerability may cause dynamic ACLs to be improperly installed, leading to incorrect traffic flows. This could allow unauthorized traffic, depending on the ACL configuration.
To reproduce this vulnerability, first ensure that the device is running an affected version of Arista EOS and has 802.1X configured. Connect an external AAA server that sends a multi-line dynamic ACL. After the device undergoes an ASU restart, check the 'nasFilterRules' in the 'show dot1x hosts mac' command output. The ACL should only have one rule instead of the expected multiple lines.
Users can re-authenticate each supplicant by running the 'dot1x re-authenticate' command on the interface after ASU. Alternatively, if the re-authentication timer is enabled, the ACL will be correctly updated once the timer expires and re-authentication occurs. Flapping the interface will also trigger re-authentication and correct the ACL. For a permanent fix, upgrade to Arista EOS versions 4.33.0M and above, or 4.32.5M, 4.31.6M, or 4.30.9M and above, depending on the current version.
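The post-ASU check and workaround above can be scripted so every supplicant is verified rather than spot-checked. The following is an added example, not Arista's code or part of this advisory. It assumes the text of `show dot1x hosts mac` has been captured to a string; the line layout it parses (an `Interface` line, a `Supplicant MAC:` line, then an indented `nasFilterRules:` block with one rule per line) is a hypothetical format constructed for the example, as is the expected-rule-count table that would in practice come from the ACL your AAA server sends. Adapt the parser to the actual output of your EOS release before relying on it.

```python
"""Flag supplicants whose dynamic 802.1X ACL was truncated after an ASU restart.

Added example; not Arista's code. The output layout parsed here and the
sample data are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample of `show dot1x hosts mac` output (hypothetical layout).
# Ethernet1 shows the symptom from the advisory: only the first ACL line
# was installed. Ethernet2 has the full three-line ACL.
SAMPLE_OUTPUT = """\
Interface Ethernet1
  Supplicant MAC: 00:11:22:33:44:55
  nasFilterRules:
    permit in tcp from any to 10.0.0.5 80
Interface Ethernet2
  Supplicant MAC: 00:11:22:33:44:66
  nasFilterRules:
    permit in tcp from any to 10.0.0.5 80
    permit in tcp from any to 10.0.0.5 443
    deny in ip from any to any
"""

# Constructed: number of ACL lines the AAA server sends for each supplicant.
# In practice derive this from the RADIUS policy that issues the dynamic ACL.
EXPECTED_RULES = {
    "00:11:22:33:44:55": 3,
    "00:11:22:33:44:66": 3,
}


@dataclass
class Host:
    interface: str
    mac: str
    rules: list = field(default_factory=list)


def parse_dot1x_hosts(text):
    """Parse the (assumed) show output into Host records."""
    hosts = []
    current = None
    in_rules = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if line.startswith("Interface "):
            # New supplicant block; stop collecting rules from the previous one.
            current = Host(interface=stripped.split(maxsplit=1)[1], mac="")
            hosts.append(current)
            in_rules = False
        elif stripped.startswith("Supplicant MAC:") and current is not None:
            current.mac = stripped.split(":", 1)[1].strip()
        elif stripped == "nasFilterRules:":
            in_rules = True
        elif in_rules and current is not None:
            current.rules.append(stripped)
    return hosts


def find_truncated(hosts, expected):
    """Return hosts with fewer installed rules than the AAA server sent."""
    return [h for h in hosts if len(h.rules) < expected.get(h.mac, 0)]


def interfaces_to_reauthenticate(truncated):
    """Interfaces on which to run `dot1x re-authenticate` (the advisory's
    workaround); the exact CLI context for the command is not assumed here."""
    return sorted({h.interface for h in truncated})


if __name__ == "__main__":
    hosts = parse_dot1x_hosts(SAMPLE_OUTPUT)
    bad = find_truncated(hosts, EXPECTED_RULES)
    for h in bad:
        print(f"{h.interface} {h.mac}: {len(h.rules)} of "
              f"{EXPECTED_RULES[h.mac]} ACL lines installed")
    for intf in interfaces_to_reauthenticate(bad):
        print(f"re-authenticate on {intf}")
```

Run it against a saved copy of the show output after each ASU; any interface it lists is one where traffic is flowing under an incomplete ACL until re-authentication restores the full rule set.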