CVE-2025-1260

Solution:

• The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades CVE-2025-1259 is fixed in the following releases: * 4.33.2 and later releases in the 4.33.x train * 4.32.4 and later releases in the 4.32.x train * 4.31.6 and later releases in the 4.31.x train * 4.30.9 and later releases in the 4.30.x train * 4.29.10 and later releases in the 4.29.x train * 4.28.13 and later releases in the 4.28.x train

Workaround:

• For releases with gNSI Authz (EOS 4.31.0F and later releases), the gNOI RPC’s can be blocked using gNSI Authz. First enable gNSI Authz service by adding the following config: switch(config)#management api gnsi switch(config-mgmt-api-gnsi)#service authz (config-mgmt-api-gnsi)#transport gnmi [NAME]   Where [NAME] is the name of the running gNMI transport which gNSI will run on. Adding this config will cause the named gNMI transport to reload. For CVE-2025-1260 the following CLI command (highlighted in yellow following the switch prompt) can be run which will disable all gNOI Set RPC’s. switch#bash timeout 100 echo "{\"name\":\"block gNOI SET RPC's policy\",\"allow_rules\":[{\"name\":\"allow_all\"}],\"deny_rules\":[{\"name\":\"no-gnoi-set\",\"request\":{\"paths\":[\"/gnoi.certificate.CertificateManagement/RevokeCertificates\",\"/gnoi.os.OS/Activate\",\"/gnoi.certificate.CertificateManagement/LoadCertificateAuthorityBundle\",\"/gnoi.packet_link_qualification.LinkQualification/Create\",\"/gnoi.system.System/Reboot\",\"/gnsi.certz.v1.Certz/Rotate\",\"/gnoi.system.System/SwitchControlProcessor\",\"/gnoi.packet_link_qualification.LinkQualification/Delete\",\"/gnsi.certz.v1.Certz/DeleteProfile\",\"/gsii.v1.gSII/Modify\",\"/gnoi.file.File/Put\",\"/gnoi.system.System/SetPackage\",\"/gnsi.pathz.v1.Pathz/Rotate\",\"/gnmi.gNMI/Set\",\"/gnoi.system.System/CancelReboot\",\"/gnoi.system.System/KillProcess\",\"/gnoi.file.File/TransferToRemote\",\"/gnoi.os.OS/Install\",\"/gnsi.authz.v1.Authz/Rotate\",\"/gnoi.factory_reset.FactoryReset/Start\",\"/gnsi.certz.v1.Certz/AddProfile\",\"/gnsi.credentialz.v1.Credentialz/RotateAccountCredentials\",\"/gnsi.credentialz.v1.Credentialz/RotateHostParameters\",\"/gnoi.certificate.CertificateManagement/Rotate\",\"/gnoi.certificate.CertificateManagement/Install\",\"/gnoi.certificate.CertificateManagement/LoadCertificate\",\"/gnoi.certificate.CertificateManagement/GenerateCSR\",\"/gnoi.file.File/Remove\"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11   Run the following CLI command can be ran which will disable all gNOI RPC’s. switch#bash timeout 100 echo "{\"name\":\"block gNOI RPCs policy\",\"allow_rules\":[{\"name\":\"allow_all\"}],\"deny_rules\":[{\"name\":\"no-one-can-use-any-gnoi\",\"request\":{\"paths\":[\"/gnoi.*\"]}}]}" | sudo tee /persist/sys/gnsi/authz/policy.json && sleep 11