CVE-2021-28504 in Strata
Summary
by MITRE • 04/02/2022
On Arista Strata family products which have the “TCAM profile” feature enabled, when a port IPv4 access-list has a rule which matches on “vxlan” as protocol, then that rule and subsequent rules (rules declared after it in the ACL) do not match on the IP protocol field as expected.
Analysis
by VulDB Data Team • 04/05/2022
The vulnerability identified as CVE-2021-28504 affects Arista Strata family network switches where the TCAM profile feature is enabled. This issue specifically manifests when IPv4 access control lists contain rules that match on the vxlan protocol. The flaw represents a significant deviation from expected network security behavior where the access control list processing fails to properly evaluate IP protocol fields for subsequent rules. The vulnerability impacts network devices that utilize TCAM (Ternary Content Addressable Memory) for fast packet matching, which is a critical component in high-performance network switching environments. When the vxlan protocol is specified in an access list rule, the system exhibits incorrect behavior in how it processes subsequent rules within the same access control list.
The technical root cause of this vulnerability stems from improper state management within the packet processing pipeline of Arista switches. When a rule matches on the vxlan protocol, the system's internal state machine becomes inconsistent, causing subsequent rules to bypass normal IP protocol field evaluation mechanisms. This behavior violates fundamental network security principles, where access control lists should process rules sequentially and predictably. The issue manifests as a failure in the ACL evaluation engine to correctly reset or maintain proper protocol field context after processing vxlan-specific rules, leading to potential security policy bypasses. This vulnerability directly relates to CWE-129 and CWE-131, which address issues with input validation and improper handling of buffer sizes, though the specific manifestation is more related to state management in network packet processing.
The operational impact of this vulnerability is substantial for organizations relying on Arista network infrastructure for security policy enforcement. Network administrators may experience unexpected traffic flows where packets that should be denied by subsequent ACL rules are allowed through the network. This creates potential attack vectors where malicious traffic can bypass intended security controls, particularly in environments where VXLAN tunnels are used for network virtualization or overlay networks. The vulnerability affects network segmentation and access control policies, potentially allowing unauthorized access to network resources that should be protected by ACL rules. Organizations using VXLAN for software-defined networking or network virtualization may face reduced security posture due to this flaw.
Mitigation strategies for CVE-2021-28504 should prioritize immediate patch deployment from Arista as the primary solution. Network administrators should review their current ACL configurations to identify any rules that contain vxlan protocol matches and assess potential impacts on subsequent rules. Temporary workarounds may include restructuring ACLs to avoid placing vxlan rules followed by IP protocol rules, or implementing additional security controls outside of the affected device. The vulnerability demonstrates the importance of comprehensive testing for network security features, particularly in high-performance switching environments where hardware acceleration and specialized memory structures like TCAM can introduce complex state management issues. Organizations should also consider implementing network monitoring to detect anomalous traffic patterns that might indicate exploitation of this vulnerability, aligning with ATT&CK technique T1071.004 for application layer protocol usage.
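As an added example (not part of the VulDB record and not Arista tooling), the following Python script performs the ACL review described above: it parses a constructed EOS-style IPv4 access-list configuration and flags each vxlan rule together with the rules declared after it that depend on a specific IP protocol match, which is the set of rules whose protocol matching the advisory says cannot be trusted on an unpatched device. The `seq action proto ...` line shape and the sample ACL contents are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in EOS-like syntax (assumption: "seq action proto src dst ..." rule lines).
SAMPLE_CONFIG = """\
ip access-list EDGE-IN
   10 permit vxlan any any
   20 deny tcp any any eq 22
   30 deny udp any any eq 161
   40 permit ip any any
ip access-list MGMT-IN
   10 deny tcp any any eq 23
   20 permit ip any any
"""

ACL_HEAD_RE = re.compile(r"^\s*ip access-list\s+(\S+)")
RULE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def parse_acls(text):
    """Return {acl_name: [(seq, action, proto, rest), ...]} keeping declaration order."""
    acls, current = defaultdict(list), None
    for line in text.splitlines():
        head = ACL_HEAD_RE.match(line)
        if head:
            current = head.group(1)
            acls[current]  # register the ACL even if it has no rules yet
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            seq, action, proto, rest = m.groups()
            acls[current].append((int(seq), action, proto.lower(), rest))
    return dict(acls)


def affected_rules(acls):
    """Flag each vxlan rule and every later rule whose match relies on the IP protocol field.

    Rules matching on 'ip' are not flagged: they match any protocol, so the broken
    protocol-field evaluation does not change their outcome.
    """
    findings = []
    for name, rules in acls.items():
        seen_vxlan = False
        for seq, action, proto, _rest in sorted(rules):  # EOS evaluates by sequence number
            if proto == "vxlan":
                seen_vxlan = True
                findings.append((name, seq, action, proto))
            elif seen_vxlan and proto != "ip":
                findings.append((name, seq, action, proto))
    return findings


if __name__ == "__main__":
    for acl, seq, action, proto in affected_rules(parse_acls(SAMPLE_CONFIG)):
        print(f"{acl}: rule {seq} ({action} {proto}) protocol match unreliable (CVE-2021-28504)")
```

Only `EDGE-IN` is reported, since `MGMT-IN` has no vxlan rule; a clean run returns an empty list.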