Arista EOS Ingress ACL Enforcement Vulnerability on 7060X6 Series Switches

Vulnerability

A vulnerability exists in Arista EOS version 4.33.2F within the 4.33.x train, specifically on 7060X6 Series switches. It can cause IPv4 ingress ACL, MAC ingress ACL, or IPv6 standard ingress ACL policies to be improperly enforced on affected Ethernet or LAG interfaces. As a result, incoming packets may be incorrectly allowed or denied: packets that should be permitted could be dropped, and packets that should be dropped might be allowed.

Impact

ACL enforcement can behave unexpectedly: packets that should be allowed may be dropped, and packets that should be denied may not be dropped, allowing traffic to reach devices unexpectedly.

Remediation

Users are advised to upgrade to Arista EOS versions 4.33.2.1F, 4.33.3F, or later releases in the 4.33.x train. For more information on upgrading, consult the EOS User Manual: Upgrades and Downgrades.
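To scope exposure before upgrading, the following added example (not Arista's code and not part of the original advisory) checks saved `show version` and running-config text for the affected release on a 7060X6 model and lists the Ethernet and LAG interfaces that carry an ingress ACL. The sample text and ACL names are constructed, and every IPv6 ingress binding is flagged without checking whether the ACL is a standard one, which is a conservative assumption.

```python
import re

# Affected release and platform family, as stated in the advisory.
AFFECTED_VERSION = "4.33.2F"
AFFECTED_FAMILY = "7060X6"
# Ingress ACL bindings (IPv4, MAC, IPv6) on Ethernet or LAG interfaces only.
ACL_RE = re.compile(r"^\s+(ip|mac|ipv6) access-group (\S+) in\s*$")
IFACE_RE = re.compile(r"^interface ((?:Ethernet|Port-Channel)\S+)\s*$")

# Constructed sample input (not captured from a real device).
SAMPLE_VERSION = """Arista DCS-7060X6-64PE
Software image version: 4.33.2F
"""
SAMPLE_CONFIG = """interface Ethernet1/1
   ip access-group EDGE-IN in
   ip access-group EDGE-OUT out
!
interface Port-Channel10
   mac access-group L2-FILTER in
!
interface Vlan100
   ipv6 access-group V6-IN in
!
interface Ethernet2/1
   ipv6 access-group V6-IN in
"""

def is_affected(show_version):
    """True if the text reports a 7060X6 model running the affected release."""
    model = re.search(r"^Arista (\S+)", show_version, re.M)
    version = re.search(r"^Software image version:\s*(\S+)", show_version, re.M)
    if not model or not version:
        raise ValueError("could not find model or software version")
    return AFFECTED_FAMILY in model.group(1) and version.group(1) == AFFECTED_VERSION

def ingress_acl_bindings(running_config):
    """Return (interface, acl_type, acl_name) for ingress ACLs on Ethernet/LAG."""
    bindings, current = [], None
    for line in running_config.splitlines():
        if not line.startswith((" ", "\t")):  # top-level line starts a new stanza
            m = IFACE_RE.match(line)
            current = m.group(1) if m else None
        elif current and (m := ACL_RE.match(line)):
            bindings.append((current, m.group(1), m.group(2)))
    return bindings

def exposed_interfaces(show_version, running_config):
    """Ingress ACL bindings at risk; empty when the device is not affected."""
    return ingress_acl_bindings(running_config) if is_affected(show_version) else []
```

Interfaces returned by `exposed_interfaces` are the ones whose filtering should not be trusted until the device runs one of the fixed releases named above.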

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 0.6
exploitability: 5.9
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.