CVE-2024-27891 PUBLISHED

On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports.

Assigner: Arista
Reserved: 26.02.2024
Published: 04.06.2026
Updated: 04.06.2026

On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor Arista Networks
Product EOS
Versions Default: unaffected
  • affected from 4.32.0 to 4.32.0.1F (incl.)
  • affected from 4.31.0 to 4.31.2F (incl.)
  • affected from 4.30.0 to 4.30.6M (incl.)
  • affected from 4.29.0 to 4.29.7M (incl.)
  • affected from 4.28.0 to 4.28.10.1M (incl.)
  • affected from 4.27.2F to 4.28.0 (excl.)

Affected Configurations

In the example below, there are more than 3 IPv6 ACLs applied for outbound packets. All physical interfaces that are MACsec enabled, and have an IPv6 ACL applied for outbound packets, are exposed to this issue.

switch#show running-config | section access-group
interface Port-Channel1
   ipv6 access-group testIp6Acl out
interface Ethernet3
   ip access-group testIpAcl in
interface Ethernet45
   ipv6 access-group testIp6Acl2 out
interface Ethernet46
   ipv6 access-group testIp6Acl3 out
interface Ethernet47
   ipv6 access-group testIp6Acl4 out
interface Vlan613
   ip access-group testIpAcl out

switch>show port-channel 1 brief
Port Channel Port-Channel1:
  Active Ports: Ethernet1 Ethernet5

switch>show vlan 613
VLAN  Name                             Status    Ports
----- -------------------------------- --------- -------------------------------
613   VLAN0613                         active    Cpu, Et2, Et4

switch>show mac security interface Ethernet1-$ | grep True
Ethernet1       12:15:35:24:c0:89::24193  True                 static SAK: Tx AN: 2
Ethernet2       12:15:35:24:c0:89::24193  True                 static SAK: Tx AN: 2
Ethernet5       12:15:35:24:c0:89::24193  True                 static SAK: Tx AN: 2
Ethernet45      12:15:35:24:c0:89::24193  True                 static SAK: Tx AN: 2

Interface  "Out" ACL  Minimum ACL count met     MACsec enabled  Affected
---------  ---------  ------------------------  --------------  --------
Et1        Yes        Yes                       Yes             Yes
Et2        Yes        No (only one IPv4 ACL)    Yes             No
Et3        No         No (only one IPv4 ACL)    No              No
Et4        Yes        No (only one IPv4 ACL)    No              No
Et5        Yes        Yes                       Yes             Yes
Et45       Yes        Yes                       Yes             Yes
Et46       Yes        Yes                       No              No
Et47       Yes        Yes                       No              No

In the above example and table:

  • Ethernet46 and Ethernet47 are not exposed to this issue, because they are not MACsec enabled.
  • Ethernet2, Ethernet3, and Ethernet4 are not exposed to this issue because there is only one IPv4 ACL group, which is less than the required number to be exposed for that ACL type.
  • Ethernet3 is also not affected because the ACL is for incoming packets.
  • Ethernet1, Ethernet5, and Ethernet45 are affected by this issue because they meet the conditions required.
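The following audit script is added here and is not part of Arista's advisory. It applies the three conditions from the table above to the example outputs: it parses the access-group section, expands Port-Channel and VLAN interfaces to their physical members, and reports the MACsec-enabled ports that carry an outbound ACL whose device-wide per-family count meets the threshold. The IPv6 threshold of 4 follows the advisory's "more than 3"; the IPv4 threshold and the MEMBERS map are assumptions taken from the example outputs, not values the advisory states.

```python
import re
from collections import defaultdict

# Constructed sample: the access-group section from the advisory's example output.
RUNNING_CONFIG = """\
interface Port-Channel1
   ipv6 access-group testIp6Acl out
interface Ethernet3
   ip access-group testIpAcl in
interface Ethernet45
   ipv6 access-group testIp6Acl2 out
interface Ethernet46
   ipv6 access-group testIp6Acl3 out
interface Ethernet47
   ipv6 access-group testIp6Acl4 out
interface Vlan613
   ip access-group testIpAcl out
"""
MACSEC_ENABLED = {"Ethernet1", "Ethernet2", "Ethernet5", "Ethernet45"}  # True in "show mac security"
MEMBERS = {"Port-Channel1": ["Ethernet1", "Ethernet5"], "Vlan613": ["Ethernet2", "Ethernet4"]}  # assumed from show output
# Distinct outbound ACLs per family needed for exposure: "more than 3" for IPv6 per the
# advisory; the IPv4 value is an assumed placeholder, not a number the advisory gives.
MIN_OUT_ACLS = {"ipv6": 4, "ip": 4}


def parse_access_groups(text):
    """Map each interface to its (family, acl_name, direction) access-group lines."""
    groups, current = defaultdict(list), None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s+(ip|ipv6|mac) access-group (\S+) (in|out)", line)) and current:
            groups[current].append(m.groups())
    return groups


def exposed_interfaces(config, macsec, members, minimum):
    """Physical ports that are MACsec-enabled and carry a qualifying outbound ACL."""
    groups = parse_access_groups(config)
    out_acls = defaultdict(set)  # family -> distinct outbound ACL names, device-wide
    for entries in groups.values():
        for fam, acl, direction in entries:
            if direction == "out":
                out_acls[fam].add(acl)
    exposed = set()
    for intf, entries in groups.items():
        physical = members.get(intf, [intf])  # expand LAG / SVI to its member ports
        for fam, _acl, direction in entries:
            if direction == "out" and len(out_acls[fam]) >= minimum.get(fam, float("inf")):
                exposed.update(p for p in physical if p in macsec)
    return sorted(exposed)
```

Run against the example, it returns Ethernet1, Ethernet45 and Ethernet5, matching the "Affected" column of the table.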

Workarounds

The workaround is to disable MACsec on interfaces with outbound packet ACLs, or to use inbound packet ACLs where possible. Note that ingress ACLs might need to be applied to a different set of interfaces or to other devices in the network.

switch#configure
switch(config)#interface Ethernet1
switch(config-if-Et1)#no mac security profile

! or remove/replace the out ACL
! Note that you may wish to apply in ACLs to a different set of
! interfaces than out ACLs were applied to.

switch#configure
switch(config)#interface Ethernet1
switch(config-if-Et1)#mac access-group <ACL name> in
switch(config-if-Et1)#ip access-group <ACL name> in
switch(config-if-Et1)#ipv6 access-group <ACL name> in
switch(config-if-Et1)#no mac access-group out
switch(config-if-Et1)#no ip access-group out
switch(config-if-Et1)#no ipv6 access-group out

For more information about ACLs see EOS User Manual: ACLs and Route Maps (https://www.arista.com/en/um-eos/eos-acls-and-route-maps).

Solutions

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades (https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades).

CVE-2024-27891 has been fixed in the following releases:

  • 4.32.1F and later releases in the 4.32.x train
  • 4.31.3M and later releases in the 4.31.x train
  • 4.30.7M and later releases in the 4.30.x train
  • 4.29.8M and later releases in the 4.29.x train
  • 4.28.11M and later releases in the 4.28.x train

Problem Types

  • CWE-284 Improper Access Control

Impacts

  • CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels