github - ghsa-gpmf-hwm2-x2mq

GHSA-GPMF-HWM2-X2MQ

Vulnerability from github – Published: 2025-05-08 00:31 – Updated: 2025-05-08 00:31

Details

On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc).

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-0936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T23:15:53Z",
    "severity": "MODERATE"
  },
  "details": "On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc).",
  "id": "GHSA-gpmf-hwm2-x2mq",
  "modified": "2025-05-08T00:31:12Z",
  "published": "2025-05-08T00:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0936"
    },
    {
      "type": "WEB",
      "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21394-security-advisory-0117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2025-0936 (GCVE-0-2025-0936)

Vulnerability from cvelistv5 – Published: 2025-05-07 22:52 – Updated: 2025-05-08 13:02

Summary

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-256

Assigner

Arista

References

URL

Tags

https://www.arista.com/en/support/advisories-noti…

Impacted products

	Vendor	Product	Version
	Arista Networks	EOS	Affected: 4.33.0 , ≤ 4.33.1 (custom) Affected: 4.32.0 , ≤ 4.32.3M (custom) Affected: 4.31.0 , ≤ 4.31.5M (custom) Affected: 4.30.1F , ≤ 4.30.9M (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0936",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-08T13:01:59.603974Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-08T13:02:27.046Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21394-security-advisory-0117"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EOS",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "4.33.1",
              "status": "affected",
              "version": "4.33.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.32.3M",
              "status": "affected",
              "version": "4.32.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.31.5M",
              "status": "affected",
              "version": "4.31.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.30.9M",
              "status": "affected",
              "version": "4.30.1F",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn order to be vulnerable to CVE-2025-0936, one or both of the following conditions must be met:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOpenConfig must be enabled with a gNOI server with accounting enabled \u003c/li\u003e\u003cli\u003eOpenConfig must be enabled with a gNOI server with tracing enabled which includes any of:\u003cbr\u003e\u003cul\u003e\u003cli\u003eservice/9\u003c/li\u003e\u003cli\u003einterceptor/9 \u003c/li\u003e\u003cli\u003etransport_socketcli/9 \u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf OpenConfig is enabled with a gNOI server with accounting enabled, this will be shown in the following CLI output:\u003c/p\u003e\u003cpre\u003eswitch(config)#show management api gnmi\nTransport: default\nEnabled: \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eyes\u003c/span\u003e\nServer: running on port 6030, in default VRF\nSSL profile: none\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eyes\u003c/span\u003e\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf OpenConfig is not configured or OpenConfig is configured with no gNOI server, then there is no exposure to this issue and the message will look like.\u003c/p\u003e\u003cpre\u003eswitch(config)#show management api gnmi\nEnabled: \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eno transports enabled\u003c/span\u003e\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eTo see the tracing enabled for OpenConfig, run:\u003c/p\u003e\u003cpre\u003eswitch(config)#show running-config section trace | grep OpenConfig\ntrace OpenConfig setting \u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eservice/9,interceptor/9,transport_socketcli/9\u003c/span\u003e\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eNote: gRPC-based streaming via TerminAttr to CloudVision is not affected by this vulnerability.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "In order to be vulnerable to CVE-2025-0936, one or both of the following conditions must be met:\n\n  *  OpenConfig must be enabled with a gNOI server with accounting enabled \n  *  OpenConfig must be enabled with a gNOI server with tracing enabled which includes any of:\n  *  service/9\n  *  interceptor/9 \n  *  transport_socketcli/9 \n\n\n\n\n\nIf OpenConfig is enabled with a gNOI server with accounting enabled, this will be shown in the following CLI output:\n\nswitch(config)#show management api gnmi\nTransport: default\nEnabled: yes\nServer: running on port 6030, in default VRF\nSSL profile: none\nQoS DSCP: none\nAuthorization required: no\nAccounting requests: yes\nNotification timestamp: last change time\nListen addresses: ::\nAuthentication username priority: x509-spiffe, metadata, x509-common-name\n\n\n\u00a0\n\nIf OpenConfig is not configured or OpenConfig is configured with no gNOI server, then there is no exposure to this issue and the message will look like.\n\nswitch(config)#show management api gnmi\nEnabled: no transports enabled\n\n\n\u00a0\n\nTo see the tracing enabled for OpenConfig, run:\n\nswitch(config)#show running-config section trace | grep OpenConfig\ntrace OpenConfig setting service/9,interceptor/9,transport_socketcli/9\n\n\n\u00a0\n\nNote: gRPC-based streaming via TerminAttr to CloudVision is not affected by this vulnerability."
        }
      ],
      "datePublic": "2025-05-06T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOn affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc).\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc)."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-256",
              "description": "CWE-256",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-07T22:52:25.444Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21394-security-advisory-0117"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2025-0936 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.30.10M and later releases in the 4.30.x train\u003c/li\u003e\u003cli\u003e4.31.7M and later releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.32.5M and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.33.2F and later releases\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see  EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2025-0936 has been fixed in the following releases:\n\n  *  4.30.10M and later releases in the 4.30.x train\n  *  4.31.7M and later releases in the 4.31.x train\n  *  4.32.5M and later releases in the 4.32.x train\n  *  4.33.2F and later releases"
        }
      ],
      "source": {
        "defect": [
          "BUG 1045796"
        ],
        "discovery": "INTERNAL"
      },
      "title": "On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere are a number of possible workarounds:\u003c/p\u003e\u003ch4\u003eOption 1 - disable accounting/logging for the OpenConfig transport\u003c/h4\u003e\u003cp\u003eFor example to disable accounting for transport named \u201cdefault\u201d:\u003c/p\u003e\u003cpre\u003eswitch(config)#management api gnmi\nswitch(config-mgmt-api-gnmi)#transport grpc default\nswitch(config-gnmi-transport-default)#\u003cspan style=\"background-color: rgb(255, 255, 0);\"\u003eno accounting requests\u003c/span\u003e\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eto disable logging for the OpenConfig agent, run:\u003c/p\u003e\u003cpre\u003eswitch(config)#no trace OpenConfig setting\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003ch4\u003eOption 2 - disable the gNOI File service entirely\u003c/h4\u003e\u003cp\u003eTo disable the gNOI File service, override the OCGNOIFileToggle, then restart OpenConfig to load the changes\u003c/p\u003e\u003cpre\u003eswitch#bash timeout 100 echo \"OCGNOIFileToggle=0\" \u0026gt;\u0026gt; /mnt/flash/toggle_override\nswitch#agent OpenConfig terminate \n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eDisabling the gNOI File service will mean that gNOI clients will no longer be able to call any gNOI File RPCs\u003c/p\u003e\u003ch4\u003eOption 3 - block the TransferToRemote RPC using gNSI Authz\u003c/h4\u003e\u003cp\u003eFor releases with gNSI Authz (EOS 4.31.0F and later releases), the TransferToRemote RPC can be blocked using gNSI Authz.\u003c/p\u003e\u003cp\u003eFirst enable gNSI Authz service by adding the following config:\u003c/p\u003e\u003cpre\u003eswitch(config)#management api gnsi\nswitch(config-mgmt-api-gnsi)#service authz\n\u003c/pre\u003e\u003cp\u003eWhere [NAME] is the name of the running gNMI transport\u003c/p\u003e\u003cp\u003eAdding this config will cause the named gNMI transport to reload.\u003c/p\u003e\u003cp\u003eNext update the authz policy to block access to the TransferToRemote RPC. This can be done directly on the system by updating the Authz policy file and waiting at least 10 seconds for OpenConfig to reload the changes:\u003c/p\u003e\u003cpre\u003eswitch#bash timeout 100 echo \"{\\\"name\\\":\\\"block gNOI TransferToRemote policy\\\",\\\"allow_rules\\\":[{\\\"name\\\":\\\"allow_all\\\"}],\\\"deny_rules\\\":[{\\\"name\\\":\\\"no-one-can-use-gnoi-transfer-to-remote\\\",\\\"request\\\":{\\\"paths\\\":[\\\"/gnoi.file.File/TransferToRemote\\\"]}}]}\" | sudo tee /persist/sys/gnsi/authz/policy.json \u0026amp;\u0026amp; sleep 11\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eThis will cause attempts to run the TransferToRemote RPC to fail with a \u201cPermissionDenied\u201d error code.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "There are a number of possible workarounds:\n\nOption 1 - disable accounting/logging for the OpenConfig transportFor example to disable accounting for transport named \u201cdefault\u201d:\n\nswitch(config)#management api gnmi\nswitch(config-mgmt-api-gnmi)#transport grpc default\nswitch(config-gnmi-transport-default)#no accounting requests\n\n\n\u00a0\n\nto disable logging for the OpenConfig agent, run:\n\nswitch(config)#no trace OpenConfig setting\n\n\n\u00a0\n\nOption 2 - disable the gNOI File service entirelyTo disable the gNOI File service, override the OCGNOIFileToggle, then restart OpenConfig to load the changes\n\nswitch#bash timeout 100 echo \"OCGNOIFileToggle=0\" \u003e\u003e /mnt/flash/toggle_override\nswitch#agent OpenConfig terminate \n\n\n\u00a0\n\nDisabling the gNOI File service will mean that gNOI clients will no longer be able to call any gNOI File RPCs\n\nOption 3 - block the TransferToRemote RPC using gNSI AuthzFor releases with gNSI Authz (EOS 4.31.0F and later releases), the TransferToRemote RPC can be blocked using gNSI Authz.\n\nFirst enable gNSI Authz service by adding the following config:\n\nswitch(config)#management api gnsi\nswitch(config-mgmt-api-gnsi)#service authz\n\n\nWhere [NAME] is the name of the running gNMI transport\n\nAdding this config will cause the named gNMI transport to reload.\n\nNext update the authz policy to block access to the TransferToRemote RPC. This can be done directly on the system by updating the Authz policy file and waiting at least 10 seconds for OpenConfig to reload the changes:\n\nswitch#bash timeout 100 echo \"{\\\"name\\\":\\\"block gNOI TransferToRemote policy\\\",\\\"allow_rules\\\":[{\\\"name\\\":\\\"allow_all\\\"}],\\\"deny_rules\\\":[{\\\"name\\\":\\\"no-one-can-use-gnoi-transfer-to-remote\\\",\\\"request\\\":{\\\"paths\\\":[\\\"/gnoi.file.File/TransferToRemote\\\"]}}]}\" | sudo tee /persist/sys/gnsi/authz/policy.json \u0026\u0026 sleep 11\n\n\n\u00a0\n\nThis will cause attempts to run the TransferToRemote RPC to fail with a \u201cPermissionDenied\u201d error code."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2025-0936",
    "datePublished": "2025-05-07T22:52:25.444Z",
    "dateReserved": "2025-01-31T17:18:43.715Z",
    "dateUpdated": "2025-05-08T13:02:27.046Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-GPMF-HWM2-X2MQ

CVE-2025-0936 (GCVE-0-2025-0936)

Tags

Sightings

Nomenclature