CVE-2021-28507: 
NixOS vulnerability analysis and mitigation

CVE-2021-28507 is a security vulnerability discovered in Arista EOS (Extensible Operating System) where the service ACL configured for OpenConfig gNOI and OpenConfig RESTCONF could be bypassed under certain conditions, allowing denied requests to be forwarded to the agent. The vulnerability was discovered internally at Arista and was disclosed on January 11th, 2022 (Arista Advisory).

The vulnerability has been assigned a CVSSv3.1 Base Score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N). The issue affects multiple versions of Arista EOS, including versions 4.26.2F and below, 4.25.5.1M and below, 4.24.7M and below, 4.23.9M and below, and all releases in 4.22.x and 4.21.x trains (Arista Advisory).

When exploited, this vulnerability allows denied requests to bypass the service ACL configuration and be forwarded to the agent, potentially compromising the intended access controls. This affects systems where gNMI/gNOI is configured with service ACL or RESTCONF is configured with service ACL (Arista Advisory).

For immediate mitigation, Arista recommends upgrading to remediated software versions: 4.26.3M and later releases in the 4.26.x train, 4.25.6M and later releases in the 4.25.x train, 4.25.4.1M and later releases in the 4.25.4.x train, 4.24.8M and later releases in the 4.24.x train, or 4.23.10M and later releases in the 4.23.x train. Alternatively, a hotfix employing a proxy service (OpenConfigProxy) is available for deployment (Arista Advisory).