
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-28508 is a vulnerability discovered in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The vulnerability was internally discovered and disclosed on May 26, 2022. It affects Arista EOS-based platforms that support IPsec with specific versions of TerminAttr and EOS operating systems (Vendor Advisory).
The vulnerability has been assigned a CVSS v3.1 Base Score of 6.8 (MEDIUM) by Arista Networks and 6.1 (MEDIUM) by NVD. It is categorized under CWE-319 (Cleartext Transmission of Sensitive Information) by NIST and CWE-255 (Credentials Management Errors) by Arista Networks. The vulnerability requires TerminAttr or Octa to be enabled on the device, along with IPsec configuration using specific security profiles (NVD, Vendor Advisory).
When exploited, the vulnerability allows TerminAttr to leak IPsec-sensitive data in clear text to CloudVision Portal (CVP), where it is visible to other authorized users. With that data, an authorized CVP user could potentially decrypt or modify IPsec traffic on the device (Vendor Advisory).
Temporary mitigation can be achieved by disabling the streaming agent on affected devices. For TerminAttr, use the 'daemon TerminAttr shutdown' command; for Octa, use 'management api gnmi no provider eos-native'. The permanent fix requires upgrading to a remediated software version: TerminAttr v1.10.11 and later releases in the v1.10.x train, v1.16.8 and later releases in the v1.16.x train, or v1.19.0 and later releases. For EOS versions using Octa, upgrade to 4.24.10 or later in the 4.24.x train, 4.25.8 or later in 4.25.x, 4.26.6 or later in 4.26.x, or 4.27.2 or later in 4.27.x (Vendor Advisory).
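The version thresholds above are easy to misread when several release trains are involved, so here is an added helper (written for this page, not code from Arista or from the database) that compares a device's TerminAttr and EOS versions against the remediated releases listed in the advisory summary and reports which workaround or upgrade still applies. The function names, the `assess()` result layout and the sample versions are assumptions of the example; trains the advisory does not list (for example TerminAttr 1.17.x, or EOS 4.23.x) are conservatively reported as not confirmed fixed rather than guessed at.

```python
"""Check Arista TerminAttr / EOS versions against the CVE-2021-28508 fixed releases.

Example helper, not part of the advisory or the database page. The version
floors below are taken from the advisory summary; everything else (function
names, result layout, sample versions) is constructed for illustration.
"""
from typing import Dict, Optional, Tuple

# TerminAttr: remediated in 1.10.11+ (1.10.x), 1.16.8+ (1.16.x), and 1.19.0 onward.
TERMINATTR_FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 10): (1, 10, 11),
    (1, 16): (1, 16, 8),
}
TERMINATTR_FIXED_FROM = (1, 19, 0)  # every train at or above this is remediated

# EOS with the Octa (gNMI eos-native) provider enabled: remediated per 4.2x train.
EOS_FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 24): (4, 24, 10),
    (4, 25): (4, 25, 8),
    (4, 26): (4, 26, 6),
    (4, 27): (4, 27, 2),
}

# Workarounds quoted from the advisory summary.
TERMINATTR_WORKAROUND = "daemon TerminAttr shutdown"
OCTA_WORKAROUND = "management api gnmi no provider eos-native"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v1.16.8' or '4.26.6M' into (major, minor, patch).

    A leading 'v' and trailing release letters (EOS uses suffixes such as
    'M' or 'F') are ignored; anything that is not major.minor.patch is rejected.
    """
    stripped = text.strip().lstrip("vV")
    parts = []
    for piece in stripped.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts[0], parts[1], parts[2]


def terminattr_is_fixed(version: str) -> bool:
    """True only if the TerminAttr release is one the advisory lists as remediated."""
    v = parse_version(version)
    if v >= TERMINATTR_FIXED_FROM:
        return True
    floor = TERMINATTR_FIXED.get(v[:2])
    # Unlisted trains (e.g. 1.17.x) fall through to False: not confirmed fixed.
    return floor is not None and v >= floor


def eos_is_fixed(version: str) -> bool:
    """True only if the EOS release is one the advisory lists as remediated for Octa."""
    v = parse_version(version)
    floor = EOS_FIXED.get(v[:2])
    return floor is not None and v >= floor


def assess(terminattr_version: Optional[str], eos_version: Optional[str],
           octa_enabled: bool) -> dict:
    """Summarise exposure of one device: which agent is vulnerable and what to do.

    terminattr_version=None means the TerminAttr daemon is not running;
    octa_enabled=False means the gNMI eos-native provider is not configured.
    """
    result = {"terminattr": "not running", "octa": "disabled",
              "exposed": False, "actions": []}

    if terminattr_version is not None:
        if terminattr_is_fixed(terminattr_version):
            result["terminattr"] = "fixed"
        else:
            result["terminattr"] = "vulnerable"
            result["actions"].append(
                f"workaround '{TERMINATTR_WORKAROUND}' or upgrade TerminAttr "
                "to 1.10.11+/1.16.8+/1.19.0+")

    if octa_enabled:
        if eos_version is None:
            raise ValueError("eos_version is required when Octa is enabled")
        if eos_is_fixed(eos_version):
            result["octa"] = "fixed"
        else:
            result["octa"] = "vulnerable"
            result["actions"].append(
                f"workaround '{OCTA_WORKAROUND}' or upgrade EOS to "
                "4.24.10+/4.25.8+/4.26.6+/4.27.2+")

    result["exposed"] = "vulnerable" in (result["terminattr"], result["octa"])
    return result


if __name__ == "__main__":
    # Constructed sample: an older TerminAttr on a patched EOS with Octa enabled.
    print(assess("v1.16.7", "4.26.6M", octa_enabled=True))
```

Feed it the version strings from `show version` and the TerminAttr daemon configuration of each device; the `actions` list tells you whether the temporary shutdown is still needed on that box or the upgrade alone closes the gap.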
Source: This report was generated using AI