CVE-2021-28510: 
NixOS vulnerability analysis and mitigation

A vulnerability identified as CVE-2021-28510 affects certain systems running Arista EOS (Extensible Operating System). The vulnerability was discovered by a customer and involves the Precision Time Protocol (PTP) functionality. When a PTP packet containing a management/signaling message with an invalid Type-Length-Value (TLV) is received, it causes the PTP agent to restart (Arista Advisory).

The vulnerability is classified as CWE-1284 (Improper Validation of Specified Quantity in Input) and CWE-400 (Uncontrolled Resource Consumption). It received a CVSSv3.1 Base Score of 7.5 HIGH from NIST and 5.3 MEDIUM from Arista Networks. The issue affects multiple versions of EOS including releases up to 4.27.1, 4.26.4, 4.25.6, 4.24.8, and 4.23.10 (NVD, Arista Advisory).

When exploited, this vulnerability causes the PTP service to become unavailable through repeated restarts of the PTP agent. This disruption leads to the switch failing to provide PTP time synchronization services to downstream devices, resulting in degraded time maintenance for these devices (Arista Advisory).

Immediate mitigation can be achieved by installing ACL rules to drop PTP packets from untrusted sources. The permanent resolution involves upgrading to remediated software versions: 4.27.2+, 4.26.5+, 4.25.7+, 4.24.9+, or 4.23.11+. For version 4.23.10, a specific hotfix is available. Best practice recommendations include blocking access to untrusted (non-management) networks (Arista Advisory).