CVE-2024-27892 PUBLISHED

On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected (SSL Profiles Enabled).

Assigner: Arista
Reserved: 26.02.2024
Published: 04.06.2026
Updated: 04.06.2026

On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.2

Product Status

Vendor Arista Networks
Product EOS
Versions Default: unaffected
  • affected from 4.31.0 to 4.31.2F (incl.)
  • affected from 4.30.0 to 4.30.5M (incl.)
  • affected from 4.29.0 to 4.29.7M (incl.)
  • affected from 4.28.0 to 4.28.10M (incl.)
  • affected from 4.27.0 to 4.27.8M (incl.)
  • affected from 4.26.0 to 4.26.9M (incl.)
  • affected from 4.25.0 to 4.25.10M (incl.)
  • affected from 4.24.0 to 4.24.11M (incl.)

Affected Configurations

In order to be vulnerable to CVE-2024-27892, the only condition is that OpenConfig must be enabled with an SSL profile:

switch(config-gnmi-transport-default)#show management api gnmi
Transport: default
Enabled: yes
Server: running on port 6030, in default VRF
SSL profile: profile-name
QoS DSCP: none
Authorization required: no
Accounting requests: no
Notification timestamp: last change time
Listen addresses: ::
Authentication username priority: x509-spiffe, metadata, x509-common-name

If OpenConfig is not configured there is no exposure to this issue and the message will look like:

switch(config)#show management api gnmi
Enabled: no transports enabled
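
As an added defender-side check, not part of the advisory or of Arista's own tooling, the Python below encodes the affected version ranges listed above and the exposure condition shown by the two outputs, so a fleet audit can flag switches that are both on an affected build and have gNMI enabled with an SSL profile. The version-comparison rule and the sample outputs are assumptions constructed from this page.

```python
import re

# Affected EOS ranges from the advisory, keyed by release train (major, minor):
# each train is affected from .0 up to and including the listed third component.
AFFECTED_UPPER = {
    (4, 31): 2, (4, 30): 5, (4, 29): 7, (4, 28): 10,
    (4, 27): 8, (4, 26): 9, (4, 25): 10, (4, 24): 11,
}

def parse_version(version):
    """'4.30.5M' -> (4, 30, 5). Trailing release letters (M, F) are dropped."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def version_affected(version):
    """True when the build falls inside one of the advisory's affected ranges.
    Assumption: only the first three components count, so a rebuild such as
    4.28.10.1 (a hotfix target in the advisory) is judged like 4.28.10."""
    parts = parse_version(version)
    patch = parts[2] if len(parts) > 2 else 0
    upper = AFFECTED_UPPER.get(parts[:2])
    return upper is not None and patch <= upper

def parse_gnmi_status(show_output):
    """Split 'show management api gnmi' output into a field -> value dict."""
    fields = {}
    for line in show_output.splitlines():
        if ":" in line:
            key, value = line.strip().split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def gnmi_exposed(show_output):
    """The advisory's exposure condition: transport enabled with an SSL profile bound."""
    f = parse_gnmi_status(show_output)
    enabled = f.get("Enabled", "").lower() == "yes"
    return enabled and f.get("SSL profile", "") not in ("", "none")

# Constructed samples modelled on the two outputs quoted in the advisory.
EXPOSED_OUTPUT = """Transport: default
Enabled: yes
Server: running on port 6030, in default VRF
SSL profile: profile-name
Listen addresses: ::
"""
NOT_CONFIGURED_OUTPUT = "Enabled: no transports enabled\n"
```

A switch is flagged only when `version_affected()` and `gnmi_exposed()` are both true; the version rule deliberately treats four-component rebuilds as their three-component parent.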

Workarounds

The workaround is to disable gNMI Set requests. This can be done by applying per RPC authorization and ensuring no user is authorized to run the OpenConfig.Set command.

switch(config)#management api gnmi
switch(config-mgmt-api-gnmi)#transport grpc default
switch(config-gnmi-transport-default)#authorization requests

Alternatively, TLS can be disabled:

switch(config-gnmi-transport-default)#no ssl profile

Alternatively, the OpenConfig agent can be disabled entirely:

switch(config-gnmi-transport-default)#no management api gnmi

Solutions

The following hotfix can be applied to remediate CVE-2024-27892. The hotfix only applies to the releases listed below and no other releases.

Note: Installing/uninstalling the SWIX will cause the OpenConfig/Octa process to restart. Services may be unavailable for up to one minute.

EOS Versions 4.30.5

32 bit Version: 1.0 URL: https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_32_Hotfix.swix

SWIX hash:(SHA512) 85ec967b17231edd542800a4a5b305de93308ba5365c858470e7ce848bbc6c357be614f2f668b4a1d93c7afa2cb5e62ac12efda00874f6801dff35351da9ed93

64 bit Version: 1.0 URL: https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix

SWIX hash:(SHA512) 263331d15057c38e2e9c4af20f9795989ec962dc159c3136f4eb2e2370859866534b44a17ba9c2ec3249071ccfe83eb0047960693864de532de44fe36766fd70

EOS Versions 4.29.7

32 bit Version: 1.0 URL: https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_32_Hotfix.swix

SWIX hash:(SHA512) 0317d77d621fa648aa15d607c6db1a8f648da82e14e0886aea0525e0d726ff83a0ed507755b733d1644797dece85203dfe6998b65108b10ba5a9b9be8f57c4f0

64 bit Version: 1.0 URL: https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.29.7_64_Hotfix.swix

SWIX hash:(SHA512) d6d1d806fbd80d9d3972d8bb965b82cf1241c166ce960ff2af12de084c17160433188683fe48d5e3f24ba996e4b4262e95998683c50f80ce2f870fd3f02cbdc4

EOS Versions 4.28.10.1

32 bit Version: 1.0 URL: https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_32_Hotfix.swix

SWIX hash:(SHA512) 12ec36dd68decff5d81f68504dfdba0c01697153366c6de01ac5189c0250516a01d0128179155b21bd028cbbc1b634e8bc143244a2bed089824d4dc4b6c92449

64 bit Version: 1.0 URL: https://www.arista.com/support/advisories-notices/sa-download/?sa99-CVE-2024-27890_CVE-2024-27892_4.28.10.1_64_Hotfix.swix

SWIX hash:(SHA512) 2f01a806867d6ffc95bef907164b3c92058382ccda5af006f66f350575a235a6f1ed491974b68dc952947d7cf9897028efa2266411e380da6a646719a420ec52

For instructions on installation and verification of the hotfix patch, refer to the "Managing EOS Extensions" section of the EOS User Manual (https://www.arista.com/en/um-eos/eos-managing-eos-extensions). Ensure that the patch is made persistent across reboots by running the command 'copy installed-extensions boot-extensions'.

Problem Types

  • CWE-306 Missing Authentication for Critical Function

Impacts

  • CAPEC-114 Authentication Abuse