CVE-2024-8000

Solution:

• The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades .   CVE-2024-8000 has been fixed in the following releases: * 4.33.0M and above * 4.32.5M and above releases in the 4.32.x train * 4.31.6M and above releases in the 4.31.x train * 4.30.9M and above releases in the 4.30.x train

Workaround:

• The workaround is to re-authenticate each supplicant. This can be done by running the command “dot1x re-authenticate” on the interface post ASU. Alternatively, if the reauthentication timer is enabled, the ACL will be correctly reprogrammed once the timer has expired and re-authentication occurs. switch(Ethernet 1)#dot1x re-authenticate   Alternatively, flapping the interface will trigger reauthentication of the supplicants and correct the ACL which is installed for each mac on that interface. switch(Ethernet 1)#shut switch(Ethernet 1)#no shut   In both cases mentioned, we can verify that reauth has been triggered by checking the output of `show logging` to show the supplicant has been successfully authenticated and `show ip access-lists` to verify the ACL is installed correctly. switch(Ethernet 1)#show logging Aug 24 07:12:05 switch Dot1x: DOT1X-6-SUPPLICANT_AUTHENTICATED: Supplicant with identity 00:01:02:03:04:05, MAC 0001.0203.0405 and dynamic VLAN None successfully authenticated on port Ethernet1. switch#show ip access-lists Phone ACL bypass: disabled IP Access List 802.1x-3212953518000 [dynamic]         10 deny ip 10.1.0.0/16 20.1.0.0/16    20 permit ip from 11.0.0.0/8 to 12.0.0.0/8         30 permit tcp any any eq 80         40 permit tcp any any eq 443         50 deny ip host 192.168.1.100         Total rules configured: 5 switch#show dot1x hosts mac 0001.203.0405 detail | json {     "supplicantMac": "00:01:02:03:04:05",     "identity": "user3",     "interface": "Ethernet3/47",     "authMethod": "EAPOL",     "authStage": "SUCCESS",     "fallback": "NONE",     "callingStationId": "00:01:02:03:04:05",     "reauthBehavior": "DO-NOT-RE-AUTH",     "reauthInterval": 0,     "cacheConfTime": 0,     "vlanId": "202",     "accountingSessionId": "",     "captivePortal": "",     "captivePortalSource": "",     "aristaWebAuth": "",     "supplicantClass": "",     "filterId": "",     "framedIpAddress": "0.0.0.0",     "framedIpAddrSource": "sourceNone",     "nasFilterRules": [         "deny in ip from 10.1.0.0/16 to 20.1.0.0/16",         "permit in ip from 11.0.0.0/8 to 12.0.0.0/8",         "permit tcp any any eq 80",         "permit tcp any any eq 443",         “deny ip host 192.168.1.100"     ],     "sessionTimeout": 0,     "terminationAction": "",     "tunnelPrivateGroupId": "",     "aristaPeriodicIdentity": "",     "cachedAuthAtLinkDown": false,     "reauthTimeoutSeen": false,     "sessionCached": false,     "detail_": true } In the above example the supplicant has been re-authenticated and the nasFilterRules shows 5 rules, as before.