CVE-2024-27891 (GCVE-0-2024-27891)
Vulnerability from cvelistv5 – Published: 2026-06-04 22:08 – Updated: 2026-06-05 18:28
Title
On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports.
Summary
On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
Arista
References
https://www.arista.com/en/support/advisories-notices/security-advisory/19908-security-advisory-0102
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Arista Networks | EOS | Affected: 4.32.0 up to and including 4.32.0.1F (custom) |
| Arista Networks | EOS | Affected: 4.31.0 up to and including 4.31.2F (custom) |
| Arista Networks | EOS | Affected: 4.30.0 up to and including 4.30.6M (custom) |
| Arista Networks | EOS | Affected: 4.29.0 up to and including 4.29.7M (custom) |
| Arista Networks | EOS | Affected: 4.28.0 up to and including 4.28.10.1M (custom) |
| Arista Networks | EOS | Affected: 4.27.2F up to but excluding 4.28.0 (custom) |
Date Public
2024-07-23 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T18:28:35.666431Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:28:50.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"722XPM Series"
],
"product": "EOS",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "4.32.0.1F",
"status": "affected",
"version": "4.32.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.31.2F",
"status": "affected",
"version": "4.31.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.30.6M",
"status": "affected",
"version": "4.30.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.29.7M",
"status": "affected",
"version": "4.29.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.28.10.1M",
"status": "affected",
"version": "4.28.0",
"versionType": "custom"
},
{
"lessThan": "4.28.0",
"status": "affected",
"version": "4.27.2F",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn order to be vulnerable to CVE-2024-27891, multiple specific conditions must be met. Both MACsec and egress ACLs must be configured and active on the same interface as the minimum requirements for this issue to be exposed. Please review the following sections to identify if your organization is affected.\u003c/p\u003e\u003col\u003e\u003cli\u003eMACsec must be configured:\u003cbr\u003e\u003cpre\u003eswitch\u0026gt;show mac security status\nAdministrative State: \u0026nbsp; \u0026nbsp; enabled\nActive Profiles:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 1\nData Delay Protection:\u0026nbsp; \u0026nbsp; no\nEAPoL Destination MAC:\u0026nbsp; \u0026nbsp; 0180.c200.0003\nFIPS Mode:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; no\nSecured Interfaces: \u0026nbsp; \u0026nbsp; \u0026nbsp; 54\nLicense:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; enabled\n\u003c/pre\u003e\u003cp\u003e\u003cb\u003eNote:\u003c/b\u003e\u0026nbsp;active profiles is not 0, and number of secured interfaces is not 0\u003c/p\u003e\u003cdiv\u003eIf MACsec is not configured there is no exposure to this issue and the message will include 0 Active Profiles, and 0 Secured Interfaces.\u003c/div\u003e\u003cpre\u003eswitch\u0026gt;show mac security status\nAdministrative State: \u0026nbsp; \u0026nbsp; enabled\nActive Profiles:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0\nData Delay Protection:\u0026nbsp; \u0026nbsp; no\nEAPoL Destination MAC:\u0026nbsp; \u0026nbsp; 0180.c200.0003\nFIPS Mode:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; no\nSecured Interfaces: \u0026nbsp; \u0026nbsp; \u0026nbsp; 0\nLicense:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; disabled (Hardware license not 
enabled)\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003c/li\u003e\u003cli\u003eAccess Control Lists (ACLs) must be configured for outbound packets:\u003cbr\u003e\u003cpre\u003eswitch#show running-config | section access-list\nipv6 access-list testIp6Acl\nip access-list testIpAcl\nmac access-list testMacAcl\n \nswitch#show running-config | section access-group\ninterface Ethernet1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl out\n\u003c/pre\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "In order to be vulnerable to CVE-2024-27891, multiple specific conditions must be met. Both MACsec and egress ACLs must be configured and active on the same interface as the minimum requirements for this issue to be exposed. Please review the following sections to identify if your organization is affected.\n\n * MACsec must be configured:\n\n\nswitch\u003eshow mac security status\nAdministrative State: \u00a0 \u00a0 enabled\nActive Profiles:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 1\nData Delay Protection:\u00a0 \u00a0 no\nEAPoL Destination MAC:\u00a0 \u00a0 0180.c200.0003\nFIPS Mode:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 no\nSecured Interfaces: \u00a0 \u00a0 \u00a0 54\nLicense:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 enabled\n\n\n\n\nNote:\u00a0active profiles is not 0, and number of secured interfaces is not 0\n\nIf MACsec is not configured there is no exposure to this issue and the message will include 0 Active Profiles, and 0 Secured Interfaces.\n\n\n\nswitch\u003eshow mac security status\nAdministrative State: \u00a0 \u00a0 enabled\nActive Profiles:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\nData Delay Protection:\u00a0 \u00a0 no\nEAPoL Destination MAC:\u00a0 \u00a0 0180.c200.0003\nFIPS Mode:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 no\nSecured Interfaces: \u00a0 \u00a0 \u00a0 0\nLicense:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 disabled (Hardware license not enabled)\n\n\n\u00a0\n\n\n * Access Control Lists (ACLs) must be configured for outbound packets:\n\n\nswitch#show running-config | section access-list\nipv6 access-list testIp6Acl\nip access-list testIpAcl\nmac access-list testMacAcl\n \nswitch#show running-config | section access-group\ninterface Ethernet1\n\u00a0\u00a0\u00a0ip access-group testIpAcl out"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe total number of ACLs configured must be any of the following:\u003c/div\u003e\u003col\u003e\u003cli\u003eMore than 3 MAC ACLs, or\u003c/li\u003e\u003cli\u003eMore than 7 IPv4 ACLs, or\u003c/li\u003e\u003cli\u003eMore than 3 IPv6 ACLs\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eIf for each ACL type in use, there are less than the above corresponding number configured there is no exposure to this issue.\u003c/p\u003e\u003cdiv\u003eIf ACLs are not configured for outbound packets there is no exposure to this issue and the message will look like:\u003c/div\u003e\u003cpre\u003e! Notice no output below, indicating no ACLs configured\n! or notice ACLs are applied as \u201cin\u201d only.\nswitch#show running-config | section access-list\nswitch#\nswitch#show running-config | section access-group\ninterface Ethernet1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl in\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf no interfaces which have ACLs configured for outbound packets have MACsec configured, there is no exposure to this issue.\u003c/p\u003e\u003cp\u003eNote that interface types such as Vlan interfaces, or Port-Channel interfaces may have none, one or multiple physical interfaces.\u003c/p\u003e\u003cp\u003eTo check for MACsec configuration, first resolve the access-group configured interfaces to a list of all Ethernet physical interfaces.\u003c/p\u003e\u003cp\u003eIn the example below, there is an ACL applied to Port-Channel1 (Ethernet1, Ethernet5), Vlan613 (Ethernet2, Ethernet4) and Ethernet3. 
Therefore Ethernet1-5 should be checked to see if MACsec is enabled.\u003c/p\u003e\u003cpre\u003eswitch#show running-config | section access-group\ninterface Port-Channel1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl out\ninterface Ethernet3\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl in\ninterface Vlan613\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl out\n \nswitch\u0026gt;show port-channel 1 brief\nPort Channel Port-Channel1:\n\u0026nbsp;\u0026nbsp;Active Ports: Ethernet1 Ethernet5\n \nswitch\u0026gt;show vlan 613\nVLAN\u0026nbsp; Name \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Status\u0026nbsp; \u0026nbsp; Ports\n----- -------------------------------- --------- -------------------------------\n613 \u0026nbsp; VLAN0613 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; active\u0026nbsp; \u0026nbsp; Cpu, Et2, Et4\n \nswitch\u0026gt;show mac security interface Ethernet1-5\nInterface \u0026nbsp; \u0026nbsp; \u0026nbsp; SCI \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Controlled Port\u0026nbsp; \u0026nbsp; \u0026nbsp; Key in Use\nEthernet1 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\nEthernet2 \u0026nbsp; \u0026nbsp; \u0026nbsp; 00:00:00:00:00:00::0\u0026nbsp; \u0026nbsp; \u0026nbsp; False\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; None\nEthernet5 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 
static SAK: Tx AN: 2\n\u003c/pre\u003e\u003cp\u003eIn the above example Ethernet1 and Ethernet5 have MACsec enabled.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "The total number of ACLs configured must be any of the following:\n\n * More than 3 MAC ACLs, or\n * More than 7 IPv4 ACLs, or\n * More than 3 IPv6 ACLs\n\n\nIf for each ACL type in use, there are less than the above corresponding number configured there is no exposure to this issue.\n\nIf ACLs are not configured for outbound packets there is no exposure to this issue and the message will look like:\n\n\n\n! Notice no output below, indicating no ACLs configured\n! or notice ACLs are applied as \u201cin\u201d only.\nswitch#show running-config | section access-list\nswitch#\nswitch#show running-config | section access-group\ninterface Ethernet1\n\u00a0\u00a0\u00a0ip access-group testIpAcl in\n\n\n\u00a0\n\n\n\nIf no interfaces which have ACLs configured for outbound packets have MACsec configured, there is no exposure to this issue.\n\n\n\nNote that interface types such as Vlan interfaces, or Port-Channel interfaces may have none, one or multiple physical interfaces.\n\n\n\nTo check for MACsec configuration, first resolve the access-group configured interfaces to a list of all Ethernet physical interfaces.\n\n\n\nIn the example below, there is an ACL applied to Port-Channel1 (Ethernet1, Ethernet5), Vlan613 (Ethernet2, Ethernet4) and Ethernet3. 
Therefore Ethernet1-5 should be checked to see if MACsec is enabled.\n\n\n\nswitch#show running-config | section access-group\ninterface Port-Channel1\n\u00a0\u00a0\u00a0ipv6 access-group testIp6Acl out\ninterface Ethernet3\n\u00a0\u00a0\u00a0ip access-group testIpAcl in\ninterface Vlan613\n\u00a0\u00a0\u00a0ip access-group testIpAcl out\n \nswitch\u003eshow port-channel 1 brief\nPort Channel Port-Channel1:\n\u00a0\u00a0Active Ports: Ethernet1 Ethernet5\n \nswitch\u003eshow vlan 613\nVLAN\u00a0 Name \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Status\u00a0 \u00a0 Ports\n----- -------------------------------- --------- -------------------------------\n613 \u00a0 VLAN0613 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 active\u00a0 \u00a0 Cpu, Et2, Et4\n \nswitch\u003eshow mac security interface Ethernet1-5\nInterface \u00a0 \u00a0 \u00a0 SCI \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Controlled Port\u00a0 \u00a0 \u00a0 Key in Use\nEthernet1 \u00a0 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\nEthernet2 \u00a0 \u00a0 \u00a0 00:00:00:00:00:00::0\u00a0 \u00a0 \u00a0 False\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 None\nEthernet5 \u00a0 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\n\n\n\n\nIn the above example Ethernet1 and Ethernet5 have MACsec enabled."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn the example below, there are more than 3 IPv6 ACLs applied for outbound packets. All physical interfaces that are MACsec enabled, and have an IPv6 ACL applied for outbound packets, are exposed to this issue.\u003c/p\u003e\u003cpre\u003eswitch#show running-config | section access-group\ninterface Port-Channel1\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl out\ninterface Ethernet3\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl in\ninterface Ethernet45\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl2 out\ninterface Ethernet46\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl3 out\ninterface Ethernet47\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl4 out\ninterface Vlan613\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl out\n \nswitch\u0026gt;show port-channel 1 brief\nPort Channel Port-Channel1:\n\u0026nbsp;\u0026nbsp;Active Ports: Ethernet1 Ethernet5\n \nswitch\u0026gt;show vlan 613\nVLAN\u0026nbsp; Name \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Status\u0026nbsp; \u0026nbsp; Ports\n----- -------------------------------- --------- -------------------------------\n613 \u0026nbsp; VLAN0613 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; active\u0026nbsp; \u0026nbsp; Cpu, Et2, Et4\n \nswitch\u0026gt;show mac security interface Ethernet1-$ | grep True\nEthernet1 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\nEthernet2 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: 
Tx AN: 2\nEthernet5 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\nEthernet45 \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cb\u003eInterface\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003e\u201cOut\u201d ACL\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003eMinimum ACL count met\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003eMACsec enabled\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003eAffected\u003c/b\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eEt1\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt2\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo (only one IPv4 ACL)\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt3\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo (only one IPv4 ACL)\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt4\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo (only one IPv4 
ACL)\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt5\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt45\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt46\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt47\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eIn the above example and table:\u003c/div\u003e\u003cul\u003e\u003cli\u003eEthernet46 and Ethernet47 are not exposed to this issue, because they are not MACsec enabled.\u003c/li\u003e\u003cli\u003eEthernet2, Ethernet3, and Ethernet4 are not exposed to this issue because there is only one IPv4 ACL group, which is less than the required number to be exposed for that ACL type.\u003c/li\u003e\u003cli\u003eEthernet3 is also not affected because the ACL is for incoming packets.\u003c/li\u003e\u003cli\u003eEthernet1, Ethernet5, and Ethernet45 are affected by this issue because they meet the conditions required.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "In the example below, there are more than 3 IPv6 ACLs applied for outbound packets. All physical interfaces that are MACsec enabled, and have an IPv6 ACL applied for outbound packets, are exposed to this issue.\n\n\n\nswitch#show running-config | section access-group\ninterface Port-Channel1\n\u00a0\u00a0\u00a0ipv6 access-group testIp6Acl out\ninterface Ethernet3\n\u00a0\u00a0\u00a0ip access-group testIpAcl in\ninterface Ethernet45\n\u00a0\u00a0\u00a0ipv6 access-group testIp6Acl2 out\ninterface Ethernet46\n\u00a0\u00a0\u00a0ipv6 access-group testIp6Acl3 out\ninterface Ethernet47\n\u00a0\u00a0\u00a0ipv6 access-group testIp6Acl4 out\ninterface Vlan613\n\u00a0\u00a0\u00a0ip access-group testIpAcl out\n \nswitch\u003eshow port-channel 1 brief\nPort Channel Port-Channel1:\n\u00a0\u00a0Active Ports: Ethernet1 Ethernet5\n \nswitch\u003eshow vlan 613\nVLAN\u00a0 Name \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Status\u00a0 \u00a0 Ports\n----- -------------------------------- --------- -------------------------------\n613 \u00a0 VLAN0613 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 active\u00a0 \u00a0 Cpu, Et2, Et4\n \nswitch\u003eshow mac security interface Ethernet1-$ | grep True\nEthernet1 \u00a0 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\nEthernet2 \u00a0 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\nEthernet5 \u00a0 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\nEthernet45 \u00a0 \u00a0 12:15:35:24:c0:89::24193\u00a0 True\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 static SAK: Tx AN: 2\n\n\n\u00a0\n\nInterface\u201cOut\u201d ACLMinimum ACL count metMACsec enabledAffectedEt1YesYesYesYesEt2YesNo (only one IPv4 
ACL)YesNoEt3NoNo (only one IPv4 ACL)NoNoEt4YesNo (only one IPv4 ACL)NoNoEt5YesYesYesYesEt45YesYesYesYesEt46YesYesNoNoEt47YesYesNoNo\n\n\u00a0\n\nIn the above example and table:\n\n * Ethernet46 and Ethernet47 are not exposed to this issue, because they are not MACsec enabled.\n * Ethernet2, Ethernet3, and Ethernet4 are not exposed to this issue because there is only one IPv4 ACL group, which is less than the required number to be exposed for that ACL type.\n * Ethernet3 is also not affected because the ACL is for incoming packets.\n * Ethernet1, Ethernet5, and Ethernet45 are affected by this issue because they meet the conditions required."
}
],
"datePublic": "2024-07-23T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eOn affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T22:08:42.522Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19908-security-advisory-0102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003cbr\u003eFor more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2024-27891 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.32.1F and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.3M and later releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.7M and later releases in the 4.30.x train\u003c/li\u003e\u003cli\u003e4.29.8M and later releases in the 4.29.x train\u003c/li\u003e\u003cli\u003e4.28.11M and later releases in the 4.28.x train\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\nFor more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-27891 has been fixed in the following releases:\n\n * 4.32.1F and later releases in the 4.32.x train \n * 4.31.3M and later releases in the 4.31.x train\n * 4.30.7M and later releases in the 4.30.x train\n * 4.29.8M and later releases in the 4.29.x train\n * 4.28.11M and later releases in the 4.28.x train"
}
],
"source": {
"advisory": "102",
"defect": [
"BUG 906098"
],
"discovery": "INTERNAL"
},
"title": "On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports.",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe workaround is to disable MACsec on interfaces with outbound packet ACLs, or to use inbound packet ACLs where possible. Note that ingress ACLs might need to be applied to a different set of interfaces or to other devices in the network.\u003c/p\u003e\u003cpre\u003eswitch#configure\u003cbr\u003eswitch(config)#interface Ethernet1\nswitch(config-if-Et1)#no mac security profile\n \n! or remove/replace the `out` ACL\n! Note that you may wish to apply `in` ACLs to a different set of\n! interfaces than `out` ACLs were applied to.\n \nswitch#configure\u003cbr\u003eswitch(config)#interface Ethernet1\nswitch(config-if-Et1)#mac access-group \u0026lt;ACL name\u0026gt; in\nswitch(config-if-Et1)#ip access-group \u0026lt;ACL name\u0026gt; in\nswitch(config-if-Et1)#ipv6 access-group \u0026lt;ACL name\u0026gt; in\nswitch(config-if-Et1)#no mac access-group out\nswitch(config-if-Et1)#no ip access-group out\nswitch(config-if-Et1)#no ipv6 access-group out\n\u003c/pre\u003e\u003cp\u003eFor more information about ACLs see\u0026nbsp;\u003ca href=\"https://www.arista.com/en/um-eos/eos-acls-and-route-maps\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEOS User Manual: ACLs and Route Maps\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "The workaround is to disable MACsec on interfaces with outbound packet ACLs, or to use inbound packet ACLs where possible. Note that ingress ACLs might need to be applied to a different set of interfaces or to other devices in the network.\n\n\n\nswitch#configure\nswitch(config)#interface Ethernet1\nswitch(config-if-Et1)#no mac security profile\n \n! or remove/replace the `out` ACL\n! Note that you may wish to apply `in` ACLs to a different set of\n! interfaces than `out` ACLs were applied to.\n \nswitch#configure\nswitch(config)#interface Ethernet1\nswitch(config-if-Et1)#mac access-group \u003cACL name\u003e in\nswitch(config-if-Et1)#ip access-group \u003cACL name\u003e in\nswitch(config-if-Et1)#ipv6 access-group \u003cACL name\u003e in\nswitch(config-if-Et1)#no mac access-group out\nswitch(config-if-Et1)#no ip access-group out\nswitch(config-if-Et1)#no ipv6 access-group out\n\n\n\n\nFor more information about ACLs see\u00a0 EOS User Manual: ACLs and Route Maps https://www.arista.com/en/um-eos/eos-acls-and-route-maps ."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-27891",
"datePublished": "2026-06-04T22:08:42.522Z",
"dateReserved": "2024-02-26T18:06:32.161Z",
"dateUpdated": "2026-06-05T18:28:50.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-27891",
"date": "2026-06-07",
"epss": "0.00125",
"percentile": "0.31202"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-27891\",\"sourceIdentifier\":\"psirt@arista.com\",\"published\":\"2026-06-04T23:16:47.777\",\"lastModified\":\"2026-06-05T15:02:34.977\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFIN
ED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://www.arista.com/en/support/advisories-notices/security-advisory/19908-security-advisory-0102\",\"source\":\"psirt@arista.com\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7\", \"shortName\": \"Arista\", \"dateUpdated\": \"2026-06-04T22:08:42.522Z\"}, \"title\": \"On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports.\", \"datePublic\": \"2024-07-23T16:00:00.000Z\", \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284 Improper Access Control\", \"type\": \"CWE\"}]}], \"impacts\": [{\"capecId\": \"CAPEC-180\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels\"}]}], \"affected\": [{\"vendor\": \"Arista Networks\", \"product\": \"EOS\", \"platforms\": [\"722XPM Series\"], \"versions\": [{\"status\": \"affected\", \"version\": \"4.32.0\", \"lessThanOrEqual\": \"4.32.0.1F\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.31.0\", \"lessThanOrEqual\": \"4.31.2F\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.30.0\", \"lessThanOrEqual\": \"4.30.6M\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.29.0\", \"lessThanOrEqual\": \"4.29.7M\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.28.0\", \"lessThanOrEqual\": \"4.28.10.1M\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.27.2F\", \"lessThan\": \"4.28.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. 
This can cause outgoing packets to incorrectly be allowed or denied.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"\u003cspan\u003eOn affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.\u003c/span\u003e\u003cbr\u003e\"}]}], \"references\": [{\"url\": \"https://www.arista.com/en/support/advisories-notices/security-advisory/19908-security-advisory-0102\"}], \"configurations\": [{\"lang\": \"en\", \"value\": \"In order to be vulnerable to CVE-2024-27891, multiple specific conditions must be met. Both MACsec and egress ACLs must be configured and active on the same interface as the minimum requirements for this issue to be exposed. Please review the following sections to identify if your organization is affected.\\n\\n * MACsec must be configured:\\n\\n\\nswitch\u003eshow mac security status\\nAdministrative State: \\u00a0 \\u00a0 enabled\\nActive Profiles:\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 1\\nData Delay Protection:\\u00a0 \\u00a0 no\\nEAPoL Destination MAC:\\u00a0 \\u00a0 0180.c200.0003\\nFIPS Mode:\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 no\\nSecured Interfaces: \\u00a0 \\u00a0 \\u00a0 54\\nLicense:\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 enabled\\n\\n\\n\\n\\nNote:\\u00a0active profiles is not 0, and number of secured interfaces is not 0\\n\\nIf MACsec is not configured there is no exposure to this issue and the message will include 0 Active Profiles, and 0 Secured Interfaces.\\n\\n\\n\\nswitch\u003eshow mac security status\\nAdministrative State: \\u00a0 \\u00a0 enabled\\nActive Profiles:\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 0\\nData Delay Protection:\\u00a0 \\u00a0 no\\nEAPoL Destination MAC:\\u00a0 \\u00a0 0180.c200.0003\\nFIPS Mode:\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 
\\u00a0 \\u00a0 \\u00a0 no\\nSecured Interfaces: \\u00a0 \\u00a0 \\u00a0 0\\nLicense:\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 disabled (Hardware license not enabled)\\n\\n\\n\\u00a0\\n\\n\\n * Access Control Lists (ACLs) must be configured for outbound packets:\\n\\n\\nswitch#show running-config | section access-list\\nipv6 access-list testIp6Acl\\nip access-list testIpAcl\\nmac access-list testMacAcl\\n \\nswitch#show running-config | section access-group\\ninterface Ethernet1\\n\\u00a0\\u00a0\\u00a0ip access-group testIpAcl out\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"\u003cp\u003eIn order to be vulnerable to CVE-2024-27891, multiple specific conditions must be met. Both MACsec and egress ACLs must be configured and active on the same interface as the minimum requirements for this issue to be exposed. Please review the following sections to identify if your organization is affected.\u003c/p\u003e\u003col\u003e\u003cli\u003eMACsec must be configured:\u003cbr\u003e\u003cpre\u003eswitch\u0026gt;show mac security status\\nAdministrative State: \u0026nbsp; \u0026nbsp; enabled\\nActive Profiles:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 1\\nData Delay Protection:\u0026nbsp; \u0026nbsp; no\\nEAPoL Destination MAC:\u0026nbsp; \u0026nbsp; 0180.c200.0003\\nFIPS Mode:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; no\\nSecured Interfaces: \u0026nbsp; \u0026nbsp; \u0026nbsp; 54\\nLicense:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; enabled\\n\u003c/pre\u003e\u003cp\u003e\u003cb\u003eNote:\u003c/b\u003e\u0026nbsp;active profiles is not 0, and number of secured interfaces is not 0\u003c/p\u003e\u003cdiv\u003eIf MACsec is not configured there is no exposure to this issue and the message will include 0 Active Profiles, and 0 Secured 
Interfaces.\u003c/div\u003e\u003cpre\u003eswitch\u0026gt;show mac security status\\nAdministrative State: \u0026nbsp; \u0026nbsp; enabled\\nActive Profiles:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 0\\nData Delay Protection:\u0026nbsp; \u0026nbsp; no\\nEAPoL Destination MAC:\u0026nbsp; \u0026nbsp; 0180.c200.0003\\nFIPS Mode:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; no\\nSecured Interfaces: \u0026nbsp; \u0026nbsp; \u0026nbsp; 0\\nLicense:\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; disabled (Hardware license not enabled)\\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003c/li\u003e\u003cli\u003eAccess Control Lists (ACLs) must be configured for outbound packets:\u003cbr\u003e\u003cpre\u003eswitch#show running-config | section access-list\\nipv6 access-list testIp6Acl\\nip access-list testIpAcl\\nmac access-list testMacAcl\\n \\nswitch#show running-config | section access-group\\ninterface Ethernet1\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl out\\n\u003c/pre\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\"}]}, {\"lang\": \"en\", \"value\": \"The total number of ACLs configured must be any of the following:\\n\\n * More than 3 MAC ACLs, or\\n * More than 7 IPv4 ACLs, or\\n * More than 3 IPv6 ACLs\\n\\n\\nIf for each ACL type in use, there are less than the above corresponding number configured there is no exposure to this issue.\\n\\nIf ACLs are not configured for outbound packets there is no exposure to this issue and the message will look like:\\n\\n\\n\\n! Notice no output below, indicating no ACLs configured\\n! 
or notice ACLs are applied as \\u201cin\\u201d only.\\nswitch#show running-config | section access-list\\nswitch#\\nswitch#show running-config | section access-group\\ninterface Ethernet1\\n\\u00a0\\u00a0\\u00a0ip access-group testIpAcl in\\n\\n\\n\\u00a0\\n\\n\\n\\nIf no interfaces which have ACLs configured for outbound packets have MACsec configured, there is no exposure to this issue.\\n\\n\\n\\nNote that interface types such as Vlan interfaces, or Port-Channel interfaces may have none, one or multiple physical interfaces.\\n\\n\\n\\nTo check for MACsec configuration, first resolve the access-group configured interfaces to a list of all Ethernet physical interfaces.\\n\\n\\n\\nIn the example below, there is an ACL applied to Port-Channel1 (Ethernet1, Ethernet5), Vlan613 (Ethernet2, Ethernet4) and Ethernet3. Therefore Ethernet1-5 should be checked to see if MACsec is enabled.\\n\\n\\n\\nswitch#show running-config | section access-group\\ninterface Port-Channel1\\n\\u00a0\\u00a0\\u00a0ipv6 access-group testIp6Acl out\\ninterface Ethernet3\\n\\u00a0\\u00a0\\u00a0ip access-group testIpAcl in\\ninterface Vlan613\\n\\u00a0\\u00a0\\u00a0ip access-group testIpAcl out\\n \\nswitch\u003eshow port-channel 1 brief\\nPort Channel Port-Channel1:\\n\\u00a0\\u00a0Active Ports: Ethernet1 Ethernet5\\n \\nswitch\u003eshow vlan 613\\nVLAN\\u00a0 Name \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 Status\\u00a0 \\u00a0 Ports\\n----- -------------------------------- --------- -------------------------------\\n613 \\u00a0 VLAN0613 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 active\\u00a0 \\u00a0 Cpu, Et2, Et4\\n \\nswitch\u003eshow mac security interface Ethernet1-5\\nInterface \\u00a0 \\u00a0 \\u00a0 SCI \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 Controlled Port\\u00a0 \\u00a0 \\u00a0 Key in Use\\nEthernet1 \\u00a0 \\u00a0 
\\u00a0 12:15:35:24:c0:89::24193\\u00a0 True \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 static SAK: Tx AN: 2\\nEthernet2 \\u00a0 \\u00a0 \\u00a0 00:00:00:00:00:00::0\\u00a0 \\u00a0 \\u00a0 False\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 None\\nEthernet5 \\u00a0 \\u00a0 \\u00a0 12:15:35:24:c0:89::24193\\u00a0 True \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 static SAK: Tx AN: 2\\n\\n\\n\\n\\nIn the above example Ethernet1 and Ethernet5 have MACsec enabled.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"\u003cdiv\u003eThe total number of ACLs configured must be any of the following:\u003c/div\u003e\u003col\u003e\u003cli\u003eMore than 3 MAC ACLs, or\u003c/li\u003e\u003cli\u003eMore than 7 IPv4 ACLs, or\u003c/li\u003e\u003cli\u003eMore than 3 IPv6 ACLs\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eIf for each ACL type in use, there are less than the above corresponding number configured there is no exposure to this issue.\u003c/p\u003e\u003cdiv\u003eIf ACLs are not configured for outbound packets there is no exposure to this issue and the message will look like:\u003c/div\u003e\u003cpre\u003e! Notice no output below, indicating no ACLs configured\\n! 
or notice ACLs are applied as \\u201cin\\u201d only.\\nswitch#show running-config | section access-list\\nswitch#\\nswitch#show running-config | section access-group\\ninterface Ethernet1\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl in\\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cp\u003eIf no interfaces which have ACLs configured for outbound packets have MACsec configured, there is no exposure to this issue.\u003c/p\u003e\u003cp\u003eNote that interface types such as Vlan interfaces, or Port-Channel interfaces may have none, one or multiple physical interfaces.\u003c/p\u003e\u003cp\u003eTo check for MACsec configuration, first resolve the access-group configured interfaces to a list of all Ethernet physical interfaces.\u003c/p\u003e\u003cp\u003eIn the example below, there is an ACL applied to Port-Channel1 (Ethernet1, Ethernet5), Vlan613 (Ethernet2, Ethernet4) and Ethernet3. Therefore Ethernet1-5 should be checked to see if MACsec is enabled.\u003c/p\u003e\u003cpre\u003eswitch#show running-config | section access-group\\ninterface Port-Channel1\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl out\\ninterface Ethernet3\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl in\\ninterface Vlan613\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl out\\n \\nswitch\u0026gt;show port-channel 1 brief\\nPort Channel Port-Channel1:\\n\u0026nbsp;\u0026nbsp;Active Ports: Ethernet1 Ethernet5\\n \\nswitch\u0026gt;show vlan 613\\nVLAN\u0026nbsp; Name \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Status\u0026nbsp; \u0026nbsp; Ports\\n----- -------------------------------- --------- -------------------------------\\n613 \u0026nbsp; VLAN0613 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 
active\u0026nbsp; \u0026nbsp; Cpu, Et2, Et4\\n \\nswitch\u0026gt;show mac security interface Ethernet1-5\\nInterface \u0026nbsp; \u0026nbsp; \u0026nbsp; SCI \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; Controlled Port\u0026nbsp; \u0026nbsp; \u0026nbsp; Key in Use\\nEthernet1 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\\nEthernet2 \u0026nbsp; \u0026nbsp; \u0026nbsp; 00:00:00:00:00:00::0\u0026nbsp; \u0026nbsp; \u0026nbsp; False\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; None\\nEthernet5 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\\n\u003c/pre\u003e\u003cp\u003eIn the above example Ethernet1 and Ethernet5 have MACsec enabled.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\"}]}, {\"lang\": \"en\", \"value\": \"In the example below, there are more than 3 IPv6 ACLs applied for outbound packets. 
All physical interfaces that are MACsec enabled, and have an IPv6 ACL applied for outbound packets, are exposed to this issue.\\n\\n\\n\\nswitch#show running-config | section access-group\\ninterface Port-Channel1\\n\\u00a0\\u00a0\\u00a0ipv6 access-group testIp6Acl out\\ninterface Ethernet3\\n\\u00a0\\u00a0\\u00a0ip access-group testIpAcl in\\ninterface Ethernet45\\n\\u00a0\\u00a0\\u00a0ipv6 access-group testIp6Acl2 out\\ninterface Ethernet46\\n\\u00a0\\u00a0\\u00a0ipv6 access-group testIp6Acl3 out\\ninterface Ethernet47\\n\\u00a0\\u00a0\\u00a0ipv6 access-group testIp6Acl4 out\\ninterface Vlan613\\n\\u00a0\\u00a0\\u00a0ip access-group testIpAcl out\\n \\nswitch\u003eshow port-channel 1 brief\\nPort Channel Port-Channel1:\\n\\u00a0\\u00a0Active Ports: Ethernet1 Ethernet5\\n \\nswitch\u003eshow vlan 613\\nVLAN\\u00a0 Name \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 Status\\u00a0 \\u00a0 Ports\\n----- -------------------------------- --------- -------------------------------\\n613 \\u00a0 VLAN0613 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 active\\u00a0 \\u00a0 Cpu, Et2, Et4\\n \\nswitch\u003eshow mac security interface Ethernet1-$ | grep True\\nEthernet1 \\u00a0 \\u00a0 \\u00a0 12:15:35:24:c0:89::24193\\u00a0 True \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 static SAK: Tx AN: 2\\nEthernet2 \\u00a0 \\u00a0 \\u00a0 12:15:35:24:c0:89::24193\\u00a0 True \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 static SAK: Tx AN: 2\\nEthernet5 \\u00a0 \\u00a0 \\u00a0 12:15:35:24:c0:89::24193\\u00a0 True \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 static SAK: Tx AN: 2\\nEthernet45 \\u00a0 \\u00a0 12:15:35:24:c0:89::24193\\u00a0 True\\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 \\u00a0 static SAK: Tx AN: 2\\n\\n\\n\\u00a0\\n\\nInterface\\u201cOut\\u201d ACLMinimum ACL count metMACsec 
enabledAffectedEt1YesYesYesYesEt2YesNo (only one IPv4 ACL)YesNoEt3NoNo (only one IPv4 ACL)NoNoEt4YesNo (only one IPv4 ACL)NoNoEt5YesYesYesYesEt45YesYesYesYesEt46YesYesNoNoEt47YesYesNoNo\\n\\n\\u00a0\\n\\nIn the above example and table:\\n\\n * Ethernet46 and Ethernet47 are not exposed to this issue, because they are not MACsec enabled.\\n * Ethernet2, Ethernet3, and Ethernet4 are not exposed to this issue because there is only one IPv4 ACL group, which is less than the required number to be exposed for that ACL type.\\n * Ethernet3 is also not affected because the ACL is for incoming packets.\\n * Ethernet1, Ethernet5, and Ethernet45 are affected by this issue because they meet the conditions required.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"\u003cp\u003eIn the example below, there are more than 3 IPv6 ACLs applied for outbound packets. All physical interfaces that are MACsec enabled, and have an IPv6 ACL applied for outbound packets, are exposed to this issue.\u003c/p\u003e\u003cpre\u003eswitch#show running-config | section access-group\\ninterface Port-Channel1\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl out\\ninterface Ethernet3\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl in\\ninterface Ethernet45\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl2 out\\ninterface Ethernet46\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl3 out\\ninterface Ethernet47\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ipv6 access-group testIp6Acl4 out\\ninterface Vlan613\\n\u0026nbsp;\u0026nbsp;\u0026nbsp;ip access-group testIpAcl out\\n \\nswitch\u0026gt;show port-channel 1 brief\\nPort Channel Port-Channel1:\\n\u0026nbsp;\u0026nbsp;Active Ports: Ethernet1 Ethernet5\\n \\nswitch\u0026gt;show vlan 613\\nVLAN\u0026nbsp; Name \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; 
Status\u0026nbsp; \u0026nbsp; Ports\\n----- -------------------------------- --------- -------------------------------\\n613 \u0026nbsp; VLAN0613 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; active\u0026nbsp; \u0026nbsp; Cpu, Et2, Et4\\n \\nswitch\u0026gt;show mac security interface Ethernet1-$ | grep True\\nEthernet1 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\\nEthernet2 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\\nEthernet5 \u0026nbsp; \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\\nEthernet45 \u0026nbsp; \u0026nbsp; 12:15:35:24:c0:89::24193\u0026nbsp; True\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; static SAK: Tx AN: 2\\n\u003c/pre\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cb\u003eInterface\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003e\\u201cOut\\u201d ACL\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003eMinimum ACL count met\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003eMACsec 
enabled\u003c/b\u003e\u003c/th\u003e\u003cth\u003e\u003cb\u003eAffected\u003c/b\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eEt1\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt2\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo (only one IPv4 ACL)\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt3\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo (only one IPv4 ACL)\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt4\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo (only one IPv4 ACL)\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt5\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt45\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt46\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEt47\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eIn the above example and table:\u003c/div\u003e\u003cul\u003e\u003cli\u003eEthernet46 and Ethernet47 are not exposed to this issue, because they are not MACsec 
enabled.\u003c/li\u003e\u003cli\u003eEthernet2, Ethernet3, and Ethernet4 are not exposed to this issue because there is only one IPv4 ACL group, which is less than the required number to be exposed for that ACL type.\u003c/li\u003e\u003cli\u003eEthernet3 is also not affected because the ACL is for incoming packets.\u003c/li\u003e\u003cli\u003eEthernet1, Ethernet5, and Ethernet45 are affected by this issue because they meet the conditions required.\u003c/li\u003e\u003c/ul\u003e\"}]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"The workaround is to disable MACsec on interfaces with outbound packet ACLs, or to use inbound packet ACLs where possible. Note that ingress ACLs might need to be applied to a different set of interfaces or to other devices in the network.\\n\\n\\n\\nswitch#configure\\nswitch(config)#interface Ethernet1\\nswitch(config-if-Et1)#no mac security profile\\n \\n! or remove/replace the `out` ACL\\n! Note that you may wish to apply `in` ACLs to a different set of\\n! interfaces than `out` ACLs were applied to.\\n \\nswitch#configure\\nswitch(config)#interface Ethernet1\\nswitch(config-if-Et1)#mac access-group \u003cACL name\u003e in\\nswitch(config-if-Et1)#ip access-group \u003cACL name\u003e in\\nswitch(config-if-Et1)#ipv6 access-group \u003cACL name\u003e in\\nswitch(config-if-Et1)#no mac access-group out\\nswitch(config-if-Et1)#no ip access-group out\\nswitch(config-if-Et1)#no ipv6 access-group out\\n\\n\\n\\n\\nFor more information about ACLs see\\u00a0 EOS User Manual: ACLs and Route Maps https://www.arista.com/en/um-eos/eos-acls-and-route-maps .\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"\u003cp\u003eThe workaround is to disable MACsec on interfaces with outbound packet ACLs, or to use inbound packet ACLs where possible. 
Note that ingress ACLs might need to be applied to a different set of interfaces or to other devices in the network.\u003c/p\u003e\u003cpre\u003eswitch#configure\u003cbr\u003eswitch(config)#interface Ethernet1\\nswitch(config-if-Et1)#no mac security profile\\n \\n! or remove/replace the `out` ACL\\n! Note that you may wish to apply `in` ACLs to a different set of\\n! interfaces than `out` ACLs were applied to.\\n \\nswitch#configure\u003cbr\u003eswitch(config)#interface Ethernet1\\nswitch(config-if-Et1)#mac access-group \u0026lt;ACL name\u0026gt; in\\nswitch(config-if-Et1)#ip access-group \u0026lt;ACL name\u0026gt; in\\nswitch(config-if-Et1)#ipv6 access-group \u0026lt;ACL name\u0026gt; in\\nswitch(config-if-Et1)#no mac access-group out\\nswitch(config-if-Et1)#no ip access-group out\\nswitch(config-if-Et1)#no ipv6 access-group out\\n\u003c/pre\u003e\u003cp\u003eFor more information about ACLs see\u0026nbsp;\u003ca href=\\\"https://www.arista.com/en/um-eos/eos-acls-and-route-maps\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eEOS User Manual: ACLs and Route Maps\u003c/a\u003e.\u003c/p\u003e\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The recommended resolution is to upgrade to a remediated software version at your earliest convenience. 
Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\\nFor more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \\n\\nCVE-2024-27891 has been fixed in the following releases:\\n\\n * 4.32.1F and later releases in the 4.32.x train \\n * 4.31.3M and later releases in the 4.31.x train\\n * 4.30.7M and later releases in the 4.30.x train\\n * 4.29.8M and later releases in the 4.29.x train\\n * 4.28.11M and later releases in the 4.28.x train\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\u003cbr\u003eFor more information about upgrading see \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades\\\"\u003eEOS User Manual: Upgrades and Downgrades\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003eCVE-2024-27891 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e4.32.1F and later releases in the 4.32.x train\u003c/li\u003e\u003cli\u003e4.31.3M and later releases in the 4.31.x train\u003c/li\u003e\u003cli\u003e4.30.7M and later releases in the 4.30.x train\u003c/li\u003e\u003cli\u003e4.29.8M and later releases in the 4.29.x train\u003c/li\u003e\u003cli\u003e4.28.11M and later releases in the 4.28.x train\u003c/li\u003e\u003c/ul\u003e\"}]}], \"source\": {\"defect\": [\"BUG 906098\"], \"advisory\": \"102\", \"discovery\": \"INTERNAL\"}, \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"metrics\": [{\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": 
\"NONE\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"Safety\": \"NOT_DEFINED\", \"Automatable\": \"NOT_DEFINED\", \"Recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"version\": \"4.0\", \"baseSeverity\": \"MEDIUM\", \"baseScore\": 6.9, \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\"}}, {\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV3_1\": {\"version\": \"3.1\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\", \"baseSeverity\": \"MEDIUM\", \"baseScore\": 5.3, \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"}}]}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-27891\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-05T18:28:35.666431Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-05T18:28:43.519Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2024-27891\", \"assignerOrgId\": \"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"Arista\", \"dateReserved\": \"2024-02-26T18:06:32.161Z\", \"datePublished\": \"2026-06-04T22:08:42.522Z\", \"dateUpdated\": \"2026-06-05T18:28:50.823Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
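The exposure check the advisory's configuration section describes (MACsec active on a physical port, an outbound ACL applied to that port directly or through a Port-Channel or Vlan, and more than 3 MAC, 7 IPv4 or 3 IPv6 ACLs configured) can be automated from the output of the show commands it lists. The script below is an added example, not Arista's code and not part of the advisory; the show-command outputs it parses are constructed to mirror the advisory's final example (Port-Channel1 over Ethernet1 and Ethernet5, Vlan613 over Ethernet2 and Ethernet4, IPv6 ACLs outbound on Ethernet45-47). It assumes the count rule applies to the distinct ACL names of each type defined under `show running-config | section access-list`, and that the column layouts match the ones shown in the record.

```python
import re
from collections import defaultdict

# Exposure needs MORE than this many ACLs of one type to be configured (advisory rule).
ACL_COUNT_THRESHOLD = {"mac": 3, "ip": 7, "ipv6": 3}

# Constructed show-command output, modelled on the advisory's final example.
ACCESS_LIST_CFG = """\
ipv6 access-list testIp6Acl
ipv6 access-list testIp6Acl2
ipv6 access-list testIp6Acl3
ipv6 access-list testIp6Acl4
ip access-list testIpAcl
"""
ACCESS_GROUP_CFG = """\
interface Port-Channel1
   ipv6 access-group testIp6Acl out
interface Ethernet3
   ip access-group testIpAcl in
interface Ethernet45
   ipv6 access-group testIp6Acl2 out
interface Ethernet46
   ipv6 access-group testIp6Acl3 out
interface Ethernet47
   ipv6 access-group testIp6Acl4 out
interface Vlan613
   ip access-group testIpAcl out
"""
PORT_CHANNEL_BRIEF = """\
Port Channel Port-Channel1:
  Active Ports: Ethernet1 Ethernet5
"""
SHOW_VLAN = """\
VLAN  Name      Status    Ports
----- --------- --------- ------------
613   VLAN0613  active    Cpu, Et2, Et4
"""
SHOW_MACSEC = """\
Interface   SCI                       Controlled Port   Key in Use
Ethernet1   12:15:35:24:c0:89::24193  True              static SAK: Tx AN: 2
Ethernet2   12:15:35:24:c0:89::24193  True              static SAK: Tx AN: 2
Ethernet5   12:15:35:24:c0:89::24193  True              static SAK: Tx AN: 2
Ethernet45  12:15:35:24:c0:89::24193  True              static SAK: Tx AN: 2
"""


def count_acls_by_type(access_list_cfg):
    """Distinct ACL names per type from 'show running-config | section access-list'."""
    names = defaultdict(set)
    for m in re.finditer(r"^(ip|ipv6|mac) access-list (\S+)", access_list_cfg, re.M):
        names[m.group(1)].add(m.group(2))
    return {t: len(s) for t, s in names.items()}


def parse_access_groups(access_group_cfg):
    """interface -> [(acl_type, acl_name, direction)] from '| section access-group'."""
    groups, iface = defaultdict(list), None
    for line in access_group_cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s+(ip|ipv6|mac) access-group (\S+) (in|out)\s*$", line)
        if m and iface:
            groups[iface].append(m.groups())
    return groups


def parse_port_channel_members(brief):
    """Port-ChannelN -> [active member ports] from 'show port-channel brief'."""
    members, po = {}, None
    for line in brief.splitlines():
        m = re.match(r"Port Channel (Port-Channel\d+):", line)
        if m:
            po = m.group(1)
            continue
        m = re.match(r"\s*Active Ports:\s*(.*)$", line)
        if m and po:
            members[po] = m.group(1).split()
    return members


def parse_vlan_members(show_vlan):
    """VlanN -> [physical ports] from 'show vlan'; expands Et2 to Ethernet2, drops Cpu."""
    members = {}
    for line in show_vlan.splitlines():
        m = re.match(r"(\d+)\s+\S+\s+\S+\s+(.*)$", line)
        if m:
            ports = [p.strip() for p in m.group(2).split(",")]
            members["Vlan" + m.group(1)] = ["Ethernet" + p[2:] for p in ports if re.fullmatch(r"Et[\d/]+", p)]
    return members


def parse_macsec(show_macsec):
    """Interfaces whose MACsec controlled port is True, from 'show mac security interface'."""
    return {m.group(1) for m in re.finditer(r"^(Ethernet\S+)\s+\S+\s+True\b", show_macsec, re.M)}


def affected_interfaces(access_list_cfg, access_group_cfg, po_brief, show_vlan, show_macsec):
    """Physical ports exposed: MACsec on, plus an outbound ACL whose type is over the count threshold."""
    counts = count_acls_by_type(access_list_cfg)
    over = {t for t, n in counts.items() if n > ACL_COUNT_THRESHOLD[t]}
    po_members = parse_port_channel_members(po_brief)
    vlan_members = parse_vlan_members(show_vlan)
    secured = parse_macsec(show_macsec)
    hits = set()
    for iface, entries in parse_access_groups(access_group_cfg).items():
        out_types = {t for t, _, d in entries if d == "out"}
        if not out_types & over:
            continue  # inbound only, or the ACL type is below the count threshold
        physical = [iface] if iface.startswith("Ethernet") else po_members.get(iface, []) + vlan_members.get(iface, [])
        hits.update(p for p in physical if p in secured)
    return sorted(hits, key=lambda s: [int(x) for x in re.findall(r"\d+", s)])


if __name__ == "__main__":
    print("Exposed interfaces:", affected_interfaces(ACCESS_LIST_CFG, ACCESS_GROUP_CFG,
                                                    PORT_CHANNEL_BRIEF, SHOW_VLAN, SHOW_MACSEC))
```

On the constructed input the result is Ethernet1, Ethernet5 and Ethernet45, matching the advisory's table: Ethernet2 and Ethernet4 only carry the single IPv4 ACL (below the threshold of 7), Ethernet3 has an inbound ACL only, and Ethernet46 and Ethernet47 are not MACsec secured. Removing one of the four IPv6 ACL definitions drops the IPv6 count to exactly 3, which is not "more than 3", and the exposed set becomes empty.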
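A version check against the affected ranges and fixed releases listed in this record, as an added example that is not part of the record or of Arista's tooling. It assumes EOS releases order by their numeric components and that the trailing train letter (F or M) can be ignored for comparison; the platform gate uses the single platform the record lists (722XPM Series). Note that the 4.27.x train has no fixed release in the record, so an affected 4.27 version has to move to a later train.

```python
import re

# Affected ranges from the CVE record: (lower bound, upper bound, upper bound inclusive).
AFFECTED_RANGES = [
    ("4.32.0", "4.32.0.1F", True),
    ("4.31.0", "4.31.2F", True),
    ("4.30.0", "4.30.6M", True),
    ("4.29.0", "4.29.7M", True),
    ("4.28.0", "4.28.10.1M", True),
    ("4.27.2F", "4.28.0", False),  # lessThan 4.28.0: every 4.27 release from 4.27.2F onward
]
FIXED_RELEASES = ["4.32.1F", "4.31.3M", "4.30.7M", "4.29.8M", "4.28.11M"]
AFFECTED_PLATFORMS = {"722XPM Series"}


def parse_eos_version(version):
    """'4.28.10.1M' -> (4, 28, 10, 1). Assumption: the train letter does not affect ordering."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)[A-Z]?", version.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version: {version!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def _key(version):
    """Pad to four components so 4.32.0 and 4.32.0.0 compare equal."""
    t = parse_eos_version(version)
    return t + (0,) * (4 - len(t))


def is_affected_version(version):
    """True when the version falls inside any affected range in the record."""
    v = _key(version)
    for lo, hi, inclusive in AFFECTED_RANGES:
        if _key(lo) <= v and (v <= _key(hi) if inclusive else v < _key(hi)):
            return True
    return False


def minimum_fixed_release(version):
    """Fixed release in the same train, or None when the train has no fix (4.27.x)."""
    train = parse_eos_version(version)[:2]
    for fixed in FIXED_RELEASES:
        if parse_eos_version(fixed)[:2] == train:
            return fixed
    return None


def assess(platform, version):
    """Combine the platform gate and the version ranges into a one-line verdict."""
    if platform not in AFFECTED_PLATFORMS:
        return "not affected (platform not listed)"
    if not is_affected_version(version):
        return "not affected (version outside affected ranges)"
    fixed = minimum_fixed_release(version)
    if fixed is None:
        return "affected; no fixed release in this train, upgrade to a fixed train"
    return f"affected; upgrade to {fixed} or later"


if __name__ == "__main__":
    for platform, version in [("722XPM Series", "4.28.10.1M"), ("722XPM Series", "4.27.5M"),
                              ("722XPM Series", "4.31.3M"), ("other", "4.29.7M")]:
        print(platform, version, "->", assess(platform, version))
```

The exclusive upper bound on the 4.27 range is the one place where the record's `lessThan` differs from `lessThanOrEqual`, so it is kept as a separate flag rather than folded into the comparison.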
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.