Arista EOS: Critical Vulnerability Exposes Cleartext Transmission (CVE-2024-12378)
Arista Networks has disclosed a critical vulnerability (CVE-2024-12378) in its Extensible Operating System (EOS) that affects certain versions and can expose sensitive data. The flaw, rated CVSS 9.1, is triggered when the Tunnelsec agent restarts on a system with secure VXLAN configured: after the restart, traffic that should be encrypted is sent in cleartext over the secure VXLAN tunnels. The vulnerability specifically affects the 7280CR3MK Series across multiple EOS versions. Administrators can determine whether a system is affected by checking the secure VXLAN configuration and monitoring for tunnel status changes. Arista recommends upgrading to a remediated software version as the primary fix; fixed versions are available from 4.33.0F onwards. As a temporary workaround, the security profile can be removed and re-applied on each secure VTEP.