"L2 Network Security Control Bypass Flaws Impact Multiple Cisco Products"
Cisco recently confirmed that tens of its enterprise routers and switches are impacted by bypass vulnerabilities in the Layer-2 (L2) network security controls. Cisco noted that an attacker can bypass the controls provided by these enterprise devices by sending crafted packets that would trigger a denial-of-service (DoS) or allow them to perform a man-in-the-middle (MitM) attack. A total of four medium-severity security issues were found in the L2 network security controls, in the Ethernet encapsulation protocols, by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. Tracked as CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, and CVE-2021-27862, each of these vulnerabilities represents a different type of bypass of Layer 2 network packet inspection functionality. CERT/CC noted that the bugs allow for stacking of virtual local area network (VLAN) headers and 802.2 LLC/SNAP headers, enabling an attacker to bypass a device’s various filtering capabilities, including IPv6 RA Guard, Dynamic ARP inspection, and IPv6 Neighbor Discovery (ND) protection. CERT/CC says that more than 200 vendors have been warned of these vulnerabilities but that only two of them have confirmed impact, namely Cisco and Juniper Networks. Cisco noted that multiple enterprise router and switch models running its IOS, IOS XE, IOS XR, and NX-OS software are impacted, as well as several small business switch models, but notes that no firmware update will be released for most of the impacted products. According to Cisco, software releases 17.6.3 and 17.8.1 for IOS XE switches contain patches for CVE-2021-27853. CVE-2021-27854 and CVE-2021-27862, Cisco says, do not impact its products. However, while investigating the potential impact of CVE-2021-27854 on its access points, the tech giant identified another medium-severity issue in these products. Tracked as CVE-2022-20728, the security flaw could allow an unauthenticated, adjacent attacker to inject packets from the native VLAN to clients within nonnative VLANs on an affected device.
SecurityWeek reports: "L2 Network Security Control Bypass Flaws Impact Multiple Cisco Products"