Arista EOS
cpe:2.3:o:arista:eos:*:*:*:*:*:*:*
- <= 4.33.2F
A vulnerability exists in Arista EOS on platforms with hardware IPsec support, specifically in versions 4.33.2F and below in the 4.33.x train. When IPsec is enabled and anti-replay protection is configured, the operating system may improperly handle duplicate encrypted packets: instead of dropping them, as anti-replay protection requires, it forwards them. This issue does not impact VXLANSec or MACSec encryption functionality.
Exploitation of this vulnerability causes duplicate encrypted IPsec packets to be forwarded instead of dropped, so the configured anti-replay protection is not enforced. This could potentially disrupt network traffic management and security protocols.
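The receiver behaviour that anti-replay protection is expected to enforce, as an added example that is not Arista's implementation and not part of the original advisory: a generic sliding-window check in the style of RFC 4303 (32-bit sequence numbers, no ESN), with one window per security association. The class and function names, the window size of 64 and the sample (SPI, sequence number) pairs are constructed for illustration.

```python
# Added illustration: generic RFC 4303-style anti-replay window. Not Arista EOS code.

class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Return True to accept, False to drop. In a real stack this runs
        only after the packet's integrity check (ICV) has passed."""
        if seq == 0:
            return False                      # 0 is never sent on an SA
        if seq > self.top:                    # advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window
        if self.bitmap & (1 << offset):
            return False                      # duplicate: must be dropped
        self.bitmap |= 1 << offset            # late but new: accept once
        return True

def filter_stream(packets, size=64):
    """Apply one window per SPI; return (forwarded, dropped) lists."""
    windows, forwarded, dropped = {}, [], []
    for spi, seq in packets:
        win = windows.setdefault(spi, AntiReplayWindow(size))
        (forwarded if win.check_and_update(seq) else dropped).append((spi, seq))
    return forwarded, dropped

def has_replays(forwarded):
    """True if any (SPI, seq) pair was forwarded more than once."""
    return len(set(forwarded)) != len(forwarded)

# Constructed sample: (SPI, ESP sequence number) in arrival order.
SAMPLE = [(0x1001, 1), (0x1001, 2), (0x1001, 2), (0x1001, 5), (0x1001, 3),
          (0x1001, 5), (0x2002, 1), (0x1001, 70), (0x1001, 4)]

if __name__ == "__main__":
    fwd, drop = filter_stream(SAMPLE)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
    print("replays forwarded:", has_replays(fwd))
```

The advisory's defect corresponds to `has_replays` being true for the forwarded traffic: a correct receiver never passes the same (SPI, sequence number) pair twice.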
To address this vulnerability, users are advised to upgrade to Arista EOS version 4.33.3F or later releases in the 4.33.x train. For guidance on upgrading, refer to the EOS User Manual section on Upgrades and Downgrades.