CVE-2021-28504: 
NixOS vulnerability analysis and mitigation

CVE-2021-28504 affects Arista Strata family products with the 'TCAM profile' feature enabled. When a Port IPv4 access-list has a rule matching 'vxlan' as protocol, that rule and subsequent rules do not match on IP protocol field as expected. The vulnerability was discovered and disclosed in March 2021 (Arista Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). It is classified under CWE-863 (Incorrect Authorization) and CWE-284 (Improper Access Control). The issue specifically affects the TCAM profile feature's handling of VXLAN protocol matching in IPv4 access-lists (NVD).

When exploited, the vulnerability causes the system to ignore the IP protocol specified in the VXLAN rule and subsequent rules of the IPv4 access list. This can result in unexpected traffic flows that were intended to be filtered by the access list, potentially leading to unauthorized network access (Arista Advisory).

As a temporary mitigation, administrators can replace the 'vxlan' IP protocol match with a match on IP protocol 'udp' and Layer 4 destination port for VXLAN encapsulated packets (default 4789). For permanent resolution, Arista recommends upgrading to EOS version 4.26.4m or later in the 4.26.x train, or 4.27.1f or later in the 4.27.x train (Arista Advisory).