Arista EOS MACsec Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Arista EOS platforms that support MACsec, including several series of Arista switches. When MACsec is configured with valid keys, a specially crafted packet can cause the MACsec process to crash unexpectedly, which can lead to a longer-term interruption of dataplane traffic. The issue arises from improper handling of certain packets: the MACsec agent terminates and restarts, which may temporarily alleviate the problem but does not provide a permanent solution.

Impact

Exploitation of this vulnerability causes the MACsec process to crash and restart, disrupting MACsec operations and potentially leading to longer-term interruptions in dataplane traffic.

Remediation

Users are advised to upgrade to Arista EOS versions 4.35.0F, 4.34.4M, 4.33.6M, 4.32.8M, or 4.31.10M. For more information on upgrading, consult the EOS User Manual: Upgrades and Downgrades.
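
To triage an inventory against the fixed releases listed above, the following added example (not Arista's or this page's own code) compares each device's EOS version with the fixed release for its train. The hostnames and versions in SAMPLE are constructed, treating trains newer than 4.35 as fixed is an assumption, and the script does not check whether MACsec is configured on the device.

```python
import re

# Fixed maintenance release per (major, minor) train, from the Remediation text:
# 4.35.0F, 4.34.4M, 4.33.6M, 4.32.8M, 4.31.10M.
FIXED = {(4, 35): 0, (4, 34): 4, (4, 33): 6, (4, 32): 8, (4, 31): 10}

# Matches '4.33.5M' and four-part builds such as '4.34.3.1M'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?[A-Za-z]*")


def parse_eos_version(text):
    """Return (major, minor, maintenance) as integers from an EOS version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def classify(version):
    """Return 'fixed', 'upgrade' or 'unlisted-train' for one version string."""
    major, minor, maint = parse_eos_version(version)
    train = (major, minor)
    if train in FIXED:
        # Numeric comparison, so 4.31.9M sorts below 4.31.10M.
        return "fixed" if maint >= FIXED[train] else "upgrade"
    if train > max(FIXED):
        # Assumption: trains newer than the newest listed one carry the fix.
        return "fixed"
    # Older trains have no fixed release listed on this page.
    return "unlisted-train"


def triage(inventory):
    """Map hostname -> classification for a {hostname: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = {
    "leaf-01": "4.33.5M",
    "leaf-02": "4.33.6M",
    "spine-01": "4.31.9M",
    "spine-02": "4.30.5M",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {SAMPLE[host]} -> {status}")
```

Devices reported as unlisted-train run a release train for which this page lists no fixed version, so they need a move to one of the listed trains rather than a maintenance update.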

Added: Jan 6, 2026, 8:17 PM
Updated: Jan 6, 2026, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.9
remediation: 0.0
relevance: 1.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.