CVE-2025-1259

Solution:

• The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades CVE-2025-1259 is fixed in the following releases: * 4.33.2 and later releases in the 4.33.x train * 4.32.4 and later releases in the 4.32.x train * 4.31.6 and later releases in the 4.31.x train * 4.30.9 and later releases in the 4.30.x train * 4.29.10 and later releases in the 4.29.x train * 4.28.13 and later releases in the 4.28.x train

Workaround:

• For releases with gNSI Authz (EOS 4.31.0F and later releases), the gNOI RPC’s can be blocked using gNSI Authz. First enable gNSI Authz service by adding the following config: switch(config)#management api gnsi switch(config-mgmt-api-gnsi)#service authz (config-mgmt-api-gnsi)#transport gnmi [NAME]   Where [NAME] is the name of the running gNMI transport which gNSI will run on. Adding this config will cause the named gNMI transport to reload. Next update the authz policy to block access to the TransferToRemote RPC. This can be done directly on the system by updating the Authz policy file and waiting at least 10 seconds for OpenConfig to reload the changes. Note this will replace any existing authz policies located at /persist/sys/gnsi/authz/policy.json For CVE-2025-1259 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Get RPC’s. switch#bash timeout 100 echo "{\"name\":\"block gNOI GET RPC's policy\",\"allow_rules\":[{\"name\":\"allow_all\"}],\"deny_rules\":[{\"name\":\"no-gnoi-get\",\"request\":{\"paths\":[\"/gnoi.packet_link_qualification.LinkQualification/List\",\"/gnoi.certificate.CertificateManagement/GetCertificates\",\"/gnoi.os.OS/Verify\",\"/gnoi.healthz.Healthz/Get\",\"/gnoi.healthz.Healthz/List\",\"/gnoi.system.System/RebootStatus\",\"/gnmi.gNMI/Subscribe\",\"/gnoi.file.File/Stat\",\"/gnoi.system.System/Traceroute\",\"/gnoi.packet_link_qualification.LinkQualification/Get\",\"/gnoi.system.System/Ping\",\"/gnoi.file.File/Get\",\"/gnsi.authz.v1.Authz/Probe\",\"/gnsi.credentialz.v1.Credentialz/GetPublicKeys\",\"/gnsi.pathz.v1.Pathz/Probe\",\"/gnoi.healthz.Healthz/Acknowledge\",\"/gnsi.certz.v1.Certz/CanGenerateCSR\",\"/gnmi.gNMI/Get\",\"/gnoi.certificate.CertificateManagement/CanGenerateCSR\",\"/gnoi.healthz.Healthz/Artifact\",\"/gnsi.authz.v1.Authz/Get\",\"/gnoi.system.System/Time\",\"/gnsi.pathz.v1.Pathz/Get\",\"/gnoi.packet_link_qualification.LinkQualification/Capabilities\",\"/gnsi.acctz.v1.AcctzStream/RecordSubscribe\",\"/gnsi.credentialz.v1.Credentialz/CanGenerateKey\",\"/gnoi.healthz.Healthz/Check\",\"/gnsi.certz.v1.Certz/GetProfileList\"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11