CVE-2021-28511: 
NixOS vulnerability analysis and mitigation

CVE-2021-28511 is a security vulnerability discovered in Arista EOS that enables security ACL bypass. The vulnerability was internally discovered and disclosed in July 2022. The issue affects multiple versions of Arista EOS software including versions up to 4.24.9, 4.25.8, 4.26.5, and 4.27.3, impacting specific hardware platforms including 720XP series, 7050X3 series, and 7300X3 series (Arista Advisory).

The vulnerability allows bypass of security ACL drop rules when a NAT ACL rule filter with permit action matches the packet flow. This occurs when there is an overlap between a security 'drop' ACL and the IP range of a dynamic NAT 'permit' ACL. The vulnerability has been assigned a CVSSv3.1 Base Score of 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N) and is categorized under CWE-284 (Improper Access Control) (Arista Advisory).

When exploited, this vulnerability could allow a host with an IP address in a range that matches the range allowed by a NAT ACL and a range denied by a Security ACL to be forwarded incorrectly, instead of being denied by the Security ACL. This effectively enables unauthorized network access by bypassing intended security controls (Arista Advisory).

As a temporary mitigation, administrators can configure a NAT 'drop' ACL rule for each security ACL 'drop' rule that should be applied to the interface with NAT configured. The permanent fix requires upgrading to remediated software versions: 4.24.10 or later (4.24.x train), 4.25.9 or later (4.25.x train), 4.26.6 or later (4.26.x train), 4.27.4 or later (4.27.x train), or 4.28.0 or later (4.28.x train) (Arista Advisory).