Introduction
A missing authentication check in Arista EOS allows an attacker with low privilege network access to push arbitrary configuration changes to datacenter switches through the gNMI Set RPC, effectively bypassing authorization controls on one of the most powerful management plane operations available. With Arista commanding roughly 19% of the datacenter Ethernet switch market and serving as the backbone for numerous hyperscale and enterprise fabrics, this vulnerability (scored CVSS 9.6, Critical) has the potential to affect a significant portion of modern datacenter infrastructure.
The vulnerability, tracked as CVE-2024-27892, specifically targets environments where OpenConfig is enabled with an SSL profile. While this narrows the exposed attack surface, it simultaneously identifies the highest value targets: large scale enterprises and cloud providers running automated, model driven network management.
Technical Information
Root Cause: Missing Authentication for Critical Function (CWE-306)
CVE-2024-27892 is classified under CWE-306, which describes a condition where software fails to perform any authentication for a function that either requires a provable user identity or consumes significant system resources. In this case, the critical function is the gNMI (gRPC Network Management Interface) Set RPC.
The gNMI protocol, defined by the OpenConfig project, provides a gRPC based method for modifying and retrieving configuration from network devices. The Set RPC is specifically designed to modify configurable attributes associated with supported data models. It is, by design, one of the most powerful operations available through the management interface. When OpenConfig is configured on an Arista EOS switch with an SSL profile, the gNMI Set request should be subject to authentication and authorization checks. Due to this vulnerability, those checks are bypassed, allowing the Set request to execute when it should have been rejected.
The fact that this vulnerability persisted across eight major EOS release trains (4.24 through 4.31) suggests that the per RPC authorization check for the gNMI Set operation was architecturally missing rather than a regression in a specific release. This is consistent with CWE-306's characterization of missing (rather than broken) authentication.
CVSS Vector Breakdown
The CVSSv3.1 vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H reveals several critical characteristics:
| Vector Component | Value | Interpretation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network |
| Attack Complexity (AC) | Low (L) | No special conditions required beyond OpenConfig with SSL |
| Privileges Required (PR) | Low (L) | Attacker needs low privilege access |
| User Interaction (UI) | None (N) | No user interaction needed |
| Scope (S) | Changed (C) | Impact crosses security boundaries |
| Confidentiality (C) | None (N) | No direct information disclosure |
| Integrity (I) | High (H) | Full control over configuration integrity |
| Availability (A) | High (H) | Can disrupt switch operation |
It is worth noting a scoring discrepancy between CVSS versions: under CVSSv4.0, the CNA assessed score drops to 7.2 (High) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N. This 2.4 point gap reflects fundamental differences in how the two scoring systems handle scope changes and cross boundary impact. Organizations should treat this as at minimum a High severity issue regardless of which CVSS version they use for risk prioritization.
Attack Flow
Two preconditions must be met for exploitation:
- OpenConfig must be enabled on the target Arista EOS switch.
- An SSL profile must be configured for the gNMI transport.
Once these conditions are satisfied, the attack proceeds as follows:
-
The attacker gains low privilege network access to the gNMI endpoint on the target switch. This typically means access to the management network or any network segment where the gNMI service is reachable.
-
The attacker constructs a gNMI Set request targeting any configurable attribute supported by the OpenConfig data model. Because the authorization check is missing, the request is not validated against the user's privilege level.
-
The gNMI Set request is accepted and applied to the switch configuration. The attacker can now modify access control lists to permit unauthorized traffic, alter routing protocol configurations to redirect traffic, change interface configurations to create network loops or partitions, or disable security features.
-
In a datacenter spine leaf architecture, compromising a spine switch's configuration through this method could enable traffic interception, lateral movement, or denial of service across the entire fabric.
The Changed scope (S:C) in the CVSS vector reflects this cascading impact: the vulnerability exists in the gNMI authorization logic, but the impact extends to the entire network domain served by the compromised switch.
Related Vulnerability: CVE-2024-27890
The same Arista advisory (Security Advisory 0099) documents a sibling vulnerability, CVE-2024-27890, which shares the same CWE classification and CVSS score of 9.6. The key difference is that CVE-2024-27890 requires only OpenConfig to be enabled, with no SSL profile needed. This makes CVE-2024-27890 easier to exploit, as it has a lower prerequisite bar. Both vulnerabilities are resolved in the same fixed releases. CVE-2024-27892 is tracked internally as BUG 912475, while CVE-2024-27890 is tracked as BUG 747512.
Patch Information
Arista Networks addressed CVE-2024-27892 through updated releases of EOS, documented in Security Advisory 0099 (initially published July 2, 2024, last revised July 25, 2024). The fix ensures that gNMI Set requests are properly validated and rejected when the requesting user lacks appropriate authorization, closing the gap in the OpenConfig/Octa agent's authentication enforcement. The patch is tracked internally as BUG 912475.
Fixed EOS Versions
| EOS Train | First Fixed Release |
|---|---|
| 4.31.x | 4.31.3M and later |
| 4.30.x | 4.30.6M and later |
| 4.29.x | 4.29.8M and later |
| 4.28.x | 4.28.11M and later |
To fully resolve both CVE-2024-27892 and CVE-2024-27890, Arista recommends upgrading to at least 4.30.6M or 4.31.3M.
Hotfix Extensions
For operators unable to perform a full EOS upgrade immediately, Arista provides SWIX hotfix extension packages that can be side loaded onto specific prior EOS versions. These hotfixes jointly address both CVE-2024-27892 and CVE-2024-27890 and are available in both 32 bit and 64 bit variants for:
- EOS 4.30.5
- EOS 4.29.7
- EOS 4.28.10.1
Each hotfix is distributed as a .swix file (e.g., sa99-CVE-2024-27890_CVE-2024-27892_4.30.5_64_Hotfix.swix) and is accompanied by a SHA-512 hash for integrity verification.
Important operational note: Installing or uninstalling the hotfix will restart the OpenConfig/Octa process, potentially causing gNMI services to be unavailable for up to one minute. To ensure persistence across reboots, administrators should run copy installed-extensions boot-extensions after applying the hotfix. Full installation instructions are documented in the EOS User Manual under "Managing EOS Extensions."
Workarounds
Three workaround approaches are available for organizations that cannot immediately patch:
1. Disable gNMI Set Requests via Per RPC Authorization: Apply per RPC authorization rules ensuring no user is authorized to run the OpenConfig.Set command. This is the most targeted mitigation, as it blocks only the vulnerable Set RPC while preserving gNMI Subscribe and Get operations for telemetry collection.
2. Disable TLS: Remove the SSL profile from the gNMI transport configuration. Since CVE-2024-27892 requires an SSL profile for exploitation, removing TLS eliminates the precondition. However, this removes encryption from the management channel and is generally not recommended.
3. Disable the OpenConfig Agent Entirely: This eliminates the attack surface completely but also removes all OpenConfig/gNMI functionality.
Mitigation Strategy Comparison
| Strategy | OpenConfig Get/Subscribe Preserved | Management Encryption Preserved | Exploit Fully Blocked | Operational Disruption |
|---|---|---|---|---|
| Per RPC Authorization (no OpenConfig.Set) | Yes | Yes | Yes | Minimal |
| Disable TLS | Yes | No | Yes | Low (unencrypted channel risk) |
| Disable OpenConfig Agent | No | N/A | Yes | High (loss of telemetry/automation) |
| Software Upgrade | Yes | Yes | Yes | Moderate (planned maintenance window) |
| Hotfix Installation | Yes | Yes | Yes | Low (up to 1 minute OC/Octa restart) |
The per RPC authorization approach provides the best balance of security and operational continuity as an immediate workaround, with a software upgrade as the definitive long term fix.
Affected Systems and Versions
Affected Platforms
The vulnerability affects virtually the entire Arista EOS switching portfolio:
710, 720D, 720XP/722XPM, 750X, 7010, 7010X, 7020R, 7130 (running EOS), 7150, 7160, 7170, 7050X/X2/X3/X4, 7060X/X2/X4/X5/X6, 7250X, 7260X/X3, 7280E/R/R2/R3, 7300X/X3, 7320X, 7358X4, 7368X4, 7388X5, 7500E/R/R2/R3, 7800R3 Series, CloudEOS, cEOS-lab, and vEOS-lab.
Affected EOS Versions (CVE-2024-27892)
| Release Train | Last Affected Version |
|---|---|
| 4.31.x | 4.31.2F and below |
| 4.30.x | 4.30.5M and below |
| 4.29.x | 4.29.7M and below |
| 4.28.x | 4.28.10M and below |
| 4.27.x | 4.27.8M and below |
| 4.26.x | 4.26.9M and below |
| 4.25.x | 4.25.10M and below |
| 4.24.x | 4.24.11M and below |
Vulnerable Configuration
The vulnerability requires both of the following conditions:
- OpenConfig is enabled on the switch.
- An SSL profile is configured for the gNMI transport.
If OpenConfig is not configured, or if it is configured without an SSL profile, CVE-2024-27892 is not exploitable (though CVE-2024-27890 may still apply in the latter case).
Not Affected
The following Arista products are not affected: Arista Wireless Access Points, CloudVision WiFi (virtual, physical, or cloud service), CloudVision eXchange, CloudVision Portal, CloudVision as a Service, CloudVision AGNI, Arista 7130 Systems running MOS, Arista Converged Cloud Fabric and DANZ Monitoring Fabric, Arista Network Detection and Response (NDR) Security Platform, Arista Edge Threat Management, and Arista NetVisor OS/UNUM/Insight Analytics.
Vendor Security History
Arista Networks maintains a formal Product Security Incident Response Team (PSIRT) reachable at [email protected]. The company has published 111 CVE records tracked on OpenCVE, with 64 published since 2021. Notably, zero Arista CVEs appear in CISA's Known Exploited Vulnerabilities catalog, and only 8 have a known public exploit.
Recent advisory history demonstrates active vulnerability management:
- Security Advisory 0094 (April 2024): Addressed HTTP/2 CONTINUATION flood vulnerabilities (CVE-2023-45288).
- Security Advisory 0097 (May 2024): Addressed externally reported vulnerabilities, with Arista noting no known malicious exploitation.
- Security Advisory 0099 (July 2024): Covers CVE-2024-27892 and CVE-2024-27890, initially released July 2, 2024, with two subsequent revisions updating exploitation prerequisites and hotfix availability.
A consistent pattern across Arista's advisories is the statement that the company is "not aware of any malicious exploitation in customer networks." The fact that CVE-2024-27892 was discovered internally rather than by external researchers indicates that Arista's internal security testing processes are identifying vulnerabilities proactively.
This vulnerability also highlights a broader tension in modern network automation: the same model driven management interfaces (OpenConfig/gNMI) that enable scalable, programmatic network operations also expand the attack surface for configuration manipulation. Organizations deploying network automation at scale should ensure that authorization is enforced at the per RPC level, not just at the transport authentication level.
References
- Arista Security Advisory 0099
- NVD: CVE-2024-27892
- CWE-306: Missing Authentication for Critical Function
- gRPC Network Management Interface (gNMI) Specification
- OpenConfig gNMI GitHub Repository
- CISA Known Exploited Vulnerabilities Catalog
- Arista CVEs and Security Vulnerabilities on OpenCVE
- Arista Networks Vulnerabilities: CVEs, CISA KEV and Security Analysis
- IDC: Ethernet Switch Market Growth Driven by AI Demand
- Arista Security Advisory 0094
- Arista Security Advisory 0097
- Arista Advisories and Notices



