CVE-2021-28496: 
NixOS vulnerability analysis and mitigation

On systems running Arista EOS and CloudEOS, a vulnerability was discovered that affects multiple software versions. The vulnerability (CVE-2021-28496) was identified on October 19, 2021, where BiDirectional Forwarding Detection (BFD) passwords configured in shared secret profiles could be exposed through eAPI or other JSON outputs to authenticated users on the device. The affected versions include all releases in 4.22.x train, 4.23.9 and below releases in the 4.23.x train, 4.24.7 and below releases in the 4.24.x train, 4.25.4 and below releases in the 4.25.x train, and 4.26.1 and below releases in the 4.26.x train (Arista Advisory).

The vulnerability has been assigned a CVSSv3.1 Base Score of 5.7 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). This is a platform-independent vulnerability affecting all systems running EOS and CloudEOS with the identified versions. The issue specifically occurs when using shared secret profiles, where the BFD password configuration is exposed through eAPI or JSON outputs to authenticated users (Arista Advisory).

The vulnerability allows authenticated users to view BFD passwords that are configured in shared secret profiles through eAPI or JSON outputs. This exposure of sensitive authentication credentials could potentially compromise the security of BFD sessions (Arista Advisory).

As an immediate mitigation, administrators can implement role-based authorization to restrict access to the related CLI show commands. The recommended permanent solution is to upgrade to the fixed versions: 4.23.10 and later releases, 4.24.8 and later releases, 4.25.5 and later releases, or 4.26.2 and later releases. For immediate remediation, version-specific hotfixes are available for affected versions (Arista Advisory).