CVE-2021-28505: 
NixOS vulnerability analysis and mitigation

CVE-2021-28505 affects Arista EOS platforms and was discovered internally by Arista. The vulnerability was disclosed on March 29th, 2022. The issue affects specific versions of EOS software (4.26.3M and below in 4.26.x train, and 4.27.0F in 4.27.x train) and multiple hardware platforms including CCS-710P series, CCS-720XP series, and several DCS series switches (Arista Advisory).

The vulnerability occurs when a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI. In this scenario, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP protocol. The vulnerability has been assigned a CVSSv3.1 Base Score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is classified under CWE-284 (Improper Access Control) (Arista Advisory).

When exploited, the vulnerability causes the system to ignore the IP protocol specified in the VXLAN rule and subsequent rules of the IPv4 access list. This can result in unexpected traffic flows that were otherwise expected to be filtered by the access list. For example, if an access list contains a rule matching VXLAN traffic followed by other protocol-specific rules, the device would ignore the IP protocol field in these rules, potentially allowing unauthorized traffic (Arista Advisory).

As a temporary mitigation, Arista recommends replacing the 'vxlan' IP protocol match with a match on IP protocol 'udp' and Layer 4 destination port for VXLAN encapsulated packets (default port 4789). For a permanent fix, users should upgrade to remediated software versions: 4.26.4M or later releases in the 4.26.x train, or 4.27.1F or later releases in the 4.27.x train (Arista Advisory).