L2 Network Security Control Bypass Flaws Affect Multiple Cisco Products

Cisco confirmed this week that dozens of its enterprise routers and switches are affected by bypass vulnerabilities in Layer-2 (L2) network security controls.

An attacker can circumvent the controls provided by these enterprise devices by sending specially crafted packets that would trigger a denial of service (DoS) or allow them to perform a man-in-the-middle (MitM) attack. .

A total of four medium-severity security issues were found in L2 network security controls, Ethernet encapsulation protocols, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University notes in an advisory .

Tracked as CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, and CVE-2021-27862, each of these vulnerabilities represents a different type of Layer 2 network packet inspection bypass .

The bugs allow virtual local area network (VLAN) headers and 802.2 LLC/SNAP headers to be stacked, allowing an attacker to bypass a device’s various filtering capabilities, including IPv6 RA Guard, l stateful ARP inspection and IPv6 Neighbor Discovery (ND) protection.

“An attacker can bypass security controls and trick a locally connected target host into routing traffic to arbitrary destinations. Victimized devices experience either DoS (blackholing traffic) or MitM (observing unencrypted traffic and possibly breaking encryption),” the CERT/CC advisory reads.

CERT/CC says more than 200 vendors have been notified of these vulnerabilities, but only two of them have a confirmed impact, namely Cisco and Juniper Networks.

While Juniper Networks considers the severity of these bugs to be below their “release threshold”, Cisco issued an advisory this week to share details of potentially impacted devices.

The tech giant says several models of enterprise routers and switches running its IOS, IOS XE, IOS XR and NX-OS software are affected, as well as several models of small business switches, but notes that no updates Firmware updates will not be released for most impacted products.

According to Cisco, software releases 17.6.3 and 17.8.1 for IOS XE switches contain fixes for CVE-2021-27853.

CVE-2021-27854 and CVE-2021-27862, according to Cisco, do not impact its products. However, while investigating the potential impact of CVE-2021-27854 on its access points, the tech giant identified another medium-severity issue in these products.

Tracked as CVE-2022-20728, the security flaw could allow an “unauthenticated adjacent attacker to inject native VLAN packets to clients within non-native VLANs on an affected device,” Cisco says.

The company also notes that it is aware that proof-of-concept (PoC) exploit code targeting these vulnerabilities publicly exists.

Related: Cisco fixes high-severity vulnerabilities in enterprise switches

Related: Cisco Patches High-Severity Vulnerability in Security Solutions

Related: Cisco Patches Critical Vulnerability in Email Security Appliance

Ionut Argire is an international correspondent for SecurityWeek.

Previous columns by Ionut Arghire:
Key words:

Kevin M. Risinger