CVE-2021-28503: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2021-28503) affects Arista's EOS eAPI system, where the authentication mechanism may skip re-evaluating user credentials when certificate-based authentication is used. This vulnerability was discovered internally by Arista and was disclosed on February 2nd, 2022 (Arista Advisory).

The vulnerability is classified as an Improper Authentication issue (CWE-287) with a CVSS v3.1 Base Score of 7.4 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H). The vulnerability affects multiple versions of EOS software including versions up to 4.26.2, 4.25.5, 4.24.7, 4.23.9, and all releases in the 4.22.x train (Arista Advisory).

When exploited, this vulnerability allows remote attackers to gain unauthorized access to the device through eAPI. The vulnerability affects all systems running EOS (including CloudEOS and vEOS-lab) with the identified versions, but does not impact other Arista products such as Wireless Access Points, CloudVision WiFi, or Arista 7130 Systems running MOS (Arista Advisory).

Temporary mitigation can be achieved by disallowing user certificate authentication via eAPI. The permanent fix is available in EOS versions 4.26.3+, 4.25.6+, 4.24.8+, and 4.23.10+. Additionally, a hotfix (SecurityAdvisoryShastaHotfix.swix) is available for immediate remediation across all affected EOS versions (Arista Advisory).