CVE-2024-12378: CWE-319 Cleartext Transmission of Sensitive Information in Arista Networks CloudVision Portal

Critical
Published: Thu May 08 2025 (05/08/2025, 19:05:22 UTC)
Source: CVE
Vendor/Project: Arista Networks
Product: CloudVision Portal

Description

On affected platforms running Arista EOS with secure Vxlan configured, restarting the Tunnelsec agent will result in packets being sent over the secure Vxlan tunnels in the clear.

AI-Powered Analysis

Last updated: 07/05/2025, 04:12:24 UTC

Technical Analysis

CVE-2024-12378 is a critical vulnerability affecting Arista Networks CloudVision Portal versions 4.27.0 through 4.32.0, specifically on platforms running Arista EOS with secure VXLAN configured. The vulnerability arises when the Tunnelsec agent, responsible for securing VXLAN tunnels, is restarted. During this restart process, packets that are normally encrypted and transmitted securely over VXLAN tunnels are instead sent in cleartext. This cleartext transmission of sensitive information constitutes a CWE-319 weakness, exposing potentially confidential data to interception by unauthorized parties. The vulnerability has a CVSS v3.1 base score of 9.1, reflecting its critical nature, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality and integrity is high, as attackers can eavesdrop on or manipulate sensitive network traffic during the vulnerable window. Availability is not affected. Although no known exploits are currently reported in the wild, the ease of exploitation and severity of impact make this a significant risk for organizations relying on Arista's CloudVision Portal for network management and VXLAN security. The vulnerability highlights a critical flaw in the secure tunnel reinitialization process, which could be leveraged by attackers with network access to intercept sensitive data or potentially conduct further attacks within the compromised network segment.

Potential Impact

For European organizations, this vulnerability poses a substantial risk to the confidentiality and integrity of internal network communications, especially for enterprises and service providers utilizing Arista EOS and CloudVision Portal to manage VXLAN-based network overlays. The exposure of sensitive data in cleartext during Tunnelsec agent restarts could lead to unauthorized disclosure of proprietary information, credentials, or network topology details. This risk is particularly acute for sectors with stringent data protection requirements such as finance, healthcare, telecommunications, and critical infrastructure. Additionally, the vulnerability could be exploited by malicious insiders or external attackers who gain network access, potentially facilitating lateral movement or further compromise. The lack of availability impact means network operations may continue uninterrupted, potentially delaying detection of the breach. Given the criticality of network infrastructure in European digital ecosystems and regulatory frameworks like GDPR emphasizing data confidentiality, this vulnerability could result in regulatory penalties, reputational damage, and operational disruptions if exploited.

Mitigation Recommendations

Organizations should immediately assess their deployment of Arista EOS and CloudVision Portal versions 4.27.0 through 4.32.0 with secure VXLAN configured. Until a vendor patch is available, network administrators should avoid restarting the Tunnelsec agent during production hours or implement maintenance windows with heightened monitoring. Network segmentation and strict access controls should be enforced to limit exposure of VXLAN tunnels to trusted devices and personnel only. Deploying network intrusion detection systems (NIDS) capable of detecting anomalous cleartext VXLAN traffic can provide early warning of exploitation attempts. Additionally, organizations should consider implementing out-of-band management for network devices to reduce the risk of unauthorized agent restarts. Once Arista releases a patch, prompt testing and deployment are critical. Regular audits of network configurations and logs should be conducted to detect any unauthorized cleartext transmissions. Finally, organizations should update incident response plans to include this vulnerability and train staff on recognizing related attack indicators.
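The cleartext-VXLAN detection recommended above can be sketched as a passive check over captured frames. This is an added example, not Arista's or this page's code. It assumes that protected traffic between secure-VXLAN VTEPs never parses as plain VXLAN on UDP 4789 (the sample uses an ESP packet as a stand-in), handles untagged IPv4 only, and uses constructed addresses, VNIs and frames.

```python
import struct
from ipaddress import ip_address

VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP port (RFC 7348)

def cleartext_vxlan(frame, secure_pairs):
    """Return (src, dst, vni) when an Ethernet frame carries plain VXLAN
    between two VTEPs that are expected to encrypt; otherwise None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                              # not untagged IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17:
        return None                              # not UDP over IPv4
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF or len(ip) < ihl + 16:
        return None                              # later fragment or too short
    dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    vxlan = ip[ihl + 8:ihl + 16]
    if dport != VXLAN_PORT or not vxlan[0] & 0x08:
        return None                              # VXLAN "I" flag must be set
    src, dst = str(ip_address(ip[12:16])), str(ip_address(ip[16:20]))
    if frozenset((src, dst)) not in secure_pairs:
        return None                              # tunnel not expected to be secure
    return src, dst, int.from_bytes(vxlan[4:7], "big")

def scan(frames, secure_pairs):
    """Collect every cleartext hit from an iterable of raw frames."""
    hits = (cleartext_vxlan(f, secure_pairs) for f in frames)
    return [h for h in hits if h]

def _frame(src, dst, proto, payload):
    """Constructed test frame: zeroed MACs, minimal IPv4 header, no checksum."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return bytes(12) + b"\x08\x00" + ip + payload

def _vxlan(vni):
    """UDP header to port 4789 followed by a VXLAN header for `vni`."""
    body = struct.pack("!II", 0x08000000, vni << 8) + bytes(14)
    return struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(body), 0) + body

# Constructed inputs: documentation addresses, hypothetical VTEP pair and VNI.
SECURE_PAIRS = {frozenset(("192.0.2.1", "192.0.2.2"))}
SAMPLES = [
    _frame("192.0.2.1", "192.0.2.2", 17, _vxlan(10100)),   # plain VXLAN: flagged
    _frame("192.0.2.1", "192.0.2.2", 50, bytes(32)),       # ESP stand-in: ignored
    _frame("192.0.2.1", "198.51.100.9", 17, _vxlan(20)),   # not a secure pair
]
HITS = scan(SAMPLES, SECURE_PAIRS)
```

Feeding `scan` frames from a tap or mirror port on the underlay, with `secure_pairs` built from the VTEPs configured for secure VXLAN, turns any hit into an alert that can be correlated with Tunnelsec agent restart times.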

Technical Details

Data Version: 5.1
Assigner Short Name: Arista
Date Reserved: 2024-12-09T18:19:27.219Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd8030

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 4:12:24 AM

Last updated: 8/12/2025, 3:29:04 AM
