{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2024-27891",
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"state": "PUBLISHED",
"assignerShortName": "Arista",
"dateReserved": "2024-02-26T18:06:32.161Z",
"datePublished": "2026-06-04T22:08:42.522Z",
"dateUpdated": "2026-06-05T18:28:50.823Z"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista",
"dateUpdated": "2026-06-04T22:08:42.522Z"
},
"title": "On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports.",
"datePublic": "2024-07-23T16:00:00.000Z",
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"type": "CWE"
}
]
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"affected": [
{
"vendor": "Arista Networks",
"product": "EOS",
"platforms": [
"722XPM Series"
],
"versions": [
{
"status": "affected",
"version": "4.32.0",
"lessThanOrEqual": "4.32.0.1F",
"versionType": "custom"
},
{
"status": "affected",
"version": "4.31.0",
"lessThanOrEqual": "4.31.2F",
"versionType": "custom"
},
{
"status": "affected",
"version": "4.30.0",
"lessThanOrEqual": "4.30.6M",
"versionType": "custom"
},
{
"status": "affected",
"version": "4.29.0",
"lessThanOrEqual": "4.29.7M",
"versionType": "custom"
},
{
"status": "affected",
"version": "4.28.0",
"lessThanOrEqual": "4.28.10.1M",
"versionType": "custom"
},
{
"status": "affected",
"version": "4.27.2F",
"lessThan": "4.28.0",
"versionType": "custom"
}
],
"defaultStatus": "unaffected"
}
],
"descriptions": [
{
"lang": "en",
"value": "On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.
"
}
]
}
],
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19908-security-advisory-0102"
}
],
"configurations": [
{
"lang": "en",
"value": "In order to be vulnerable to CVE-2024-27891, multiple specific conditions must be met. Both MACsec and egress ACLs must be configured and active on the same interface as the minimum requirements for this issue to be exposed. Please review the following sections to identify if your organization is affected.\n\n * MACsec must be configured:\n\n\nswitch>show mac security status\nAdministrative State: enabled\nActive Profiles: 1\nData Delay Protection: no\nEAPoL Destination MAC: 0180.c200.0003\nFIPS Mode: no\nSecured Interfaces: 54\nLicense: enabled\n\n\n\n\nNote: active profiles is not 0, and number of secured interfaces is not 0\n\nIf MACsec is not configured there is no exposure to this issue and the message will include 0 Active Profiles, and 0 Secured Interfaces.\n\n\n\nswitch>show mac security status\nAdministrative State: enabled\nActive Profiles: 0\nData Delay Protection: no\nEAPoL Destination MAC: 0180.c200.0003\nFIPS Mode: no\nSecured Interfaces: 0\nLicense: disabled (Hardware license not enabled)\n\n\n \n\n\n * Access Control Lists (ACLs) must be configured for outbound packets:\n\n\nswitch#show running-config | section access-list\nipv6 access-list testIp6Acl\nip access-list testIpAcl\nmac access-list testMacAcl\n \nswitch#show running-config | section access-group\ninterface Ethernet1\n ip access-group testIpAcl out",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "
In order to be vulnerable to CVE-2024-27891, multiple specific conditions must be met. Both MACsec and egress ACLs must be configured and active on the same interface as the minimum requirements for this issue to be exposed. Please review the following sections to identify if your organization is affected.
switch>show mac security status\nAdministrative State: enabled\nActive Profiles: 1\nData Delay Protection: no\nEAPoL Destination MAC: 0180.c200.0003\nFIPS Mode: no\nSecured Interfaces: 54\nLicense: enabled\n
Note: active profiles is not 0, and number of secured interfaces is not 0
switch>show mac security status\nAdministrative State: enabled\nActive Profiles: 0\nData Delay Protection: no\nEAPoL Destination MAC: 0180.c200.0003\nFIPS Mode: no\nSecured Interfaces: 0\nLicense: disabled (Hardware license not enabled)\n
switch#show running-config | section access-list\nipv6 access-list testIp6Acl\nip access-list testIpAcl\nmac access-list testMacAcl\n \nswitch#show running-config | section access-group\ninterface Ethernet1\n ip access-group testIpAcl out\n
If for each ACL type in use, there are less than the above corresponding number configured there is no exposure to this issue.
! Notice no output below, indicating no ACLs configured\n! or notice ACLs are applied as “in” only.\nswitch#show running-config | section access-list\nswitch#\nswitch#show running-config | section access-group\ninterface Ethernet1\n ip access-group testIpAcl in\n
If no interfaces which have ACLs configured for outbound packets have MACsec configured, there is no exposure to this issue.
Note that interface types such as Vlan interfaces, or Port-Channel interfaces may have none, one or multiple physical interfaces.
To check for MACsec configuration, first resolve the access-group configured interfaces to a list of all Ethernet physical interfaces.
In the example below, there is an ACL applied to Port-Channel1 (Ethernet1, Ethernet5), Vlan613 (Ethernet2, Ethernet4) and Ethernet3. Therefore Ethernet1-5 should be checked to see if MACsec is enabled.
switch#show running-config | section access-group\ninterface Port-Channel1\n ipv6 access-group testIp6Acl out\ninterface Ethernet3\n ip access-group testIpAcl in\ninterface Vlan613\n ip access-group testIpAcl out\n \nswitch>show port-channel 1 brief\nPort Channel Port-Channel1:\n Active Ports: Ethernet1 Ethernet5\n \nswitch>show vlan 613\nVLAN Name Status Ports\n----- -------------------------------- --------- -------------------------------\n613 VLAN0613 active Cpu, Et2, Et4\n \nswitch>show mac security interface Ethernet1-5\nInterface SCI Controlled Port Key in Use\nEthernet1 12:15:35:24:c0:89::24193 True static SAK: Tx AN: 2\nEthernet2 00:00:00:00:00:00::0 False None\nEthernet5 12:15:35:24:c0:89::24193 True static SAK: Tx AN: 2\n
In the above example Ethernet1 and Ethernet5 have MACsec enabled.
In the example below, there are more than 3 IPv6 ACLs applied for outbound packets. All physical interfaces that are MACsec enabled, and have an IPv6 ACL applied for outbound packets, are exposed to this issue.
switch#show running-config | section access-group\ninterface Port-Channel1\n ipv6 access-group testIp6Acl out\ninterface Ethernet3\n ip access-group testIpAcl in\ninterface Ethernet45\n ipv6 access-group testIp6Acl2 out\ninterface Ethernet46\n ipv6 access-group testIp6Acl3 out\ninterface Ethernet47\n ipv6 access-group testIp6Acl4 out\ninterface Vlan613\n ip access-group testIpAcl out\n \nswitch>show port-channel 1 brief\nPort Channel Port-Channel1:\n Active Ports: Ethernet1 Ethernet5\n \nswitch>show vlan 613\nVLAN Name Status Ports\n----- -------------------------------- --------- -------------------------------\n613 VLAN0613 active Cpu, Et2, Et4\n \nswitch>show mac security interface Ethernet1-$ | grep True\nEthernet1 12:15:35:24:c0:89::24193 True static SAK: Tx AN: 2\nEthernet2 12:15:35:24:c0:89::24193 True static SAK: Tx AN: 2\nEthernet5 12:15:35:24:c0:89::24193 True static SAK: Tx AN: 2\nEthernet45 12:15:35:24:c0:89::24193 True static SAK: Tx AN: 2\n
| Interface | “Out” ACL | Minimum ACL count met | MACsec enabled | Affected |
|---|---|---|---|---|
| Et1 | Yes | Yes | Yes | Yes |
| Et2 | Yes | No (only one IPv4 ACL) | Yes | No |
| Et3 | No | No (only one IPv4 ACL) | No | No |
| Et4 | Yes | No (only one IPv4 ACL) | No | No |
| Et5 | Yes | Yes | Yes | Yes |
| Et45 | Yes | Yes | Yes | Yes |
| Et46 | Yes | Yes | No | No |
| Et47 | Yes | Yes | No | No |
The workaround is to disable MACsec on interfaces with outbound packet ACLs, or to use inbound packet ACLs where possible. Note that ingress ACLs might need to be applied to a different set of interfaces or to other devices in the network.
switch#configure
switch(config)#interface Ethernet1\nswitch(config-if-Et1)#no mac security profile\n \n! or remove/replace the `out` ACL\n! Note that you may wish to apply `in` ACLs to a different set of\n! interfaces than `out` ACLs were applied to.\n \nswitch#configure
switch(config)#interface Ethernet1\nswitch(config-if-Et1)#mac access-group <ACL name> in\nswitch(config-if-Et1)#ip access-group <ACL name> in\nswitch(config-if-Et1)#ipv6 access-group <ACL name> in\nswitch(config-if-Et1)#no mac access-group out\nswitch(config-if-Et1)#no ip access-group out\nswitch(config-if-Et1)#no ipv6 access-group out\n
For more information about ACLs see EOS User Manual: ACLs and Route Maps.
" } ] } ], "solutions": [ { "lang": "en", "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.\nFor more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades \n\nCVE-2024-27891 has been fixed in the following releases:\n\n * 4.32.1F and later releases in the 4.32.x train \n * 4.31.3M and later releases in the 4.31.x train\n * 4.30.7M and later releases in the 4.30.x train\n * 4.29.8M and later releases in the 4.29.x train\n * 4.28.11M and later releases in the 4.28.x train", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.
For more information about upgrading see EOS User Manual: Upgrades and Downgrades