Cleartext transmission of sensitive information in Arista EOS
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-12378 |
| CWE-ID | CWE-319 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Arista Extensible Operating System (EOS) Operating systems & Components / Operating system |
| Vendor | Arista Networks |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Cleartext transmission of sensitive information
EUVDB-ID: #VU109388
Risk: Medium
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-12378
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in Tunnelsec agent. Restarting the Tunnelsec agent will result in packets being sent over the secure Vxlan tunnels in the clear.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArista Extensible Operating System (EOS): before
CPE2.3 External linkshttps://www.arista.com/en/support/advisories-notices/security-advisory/21289-security-advisory-0113
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
