Cisco this week has confirmed that tens of its enterprise routers and switches are impacted by bypass vulnerabilities in the Layer-2 (L2) network security controls.
An attacker can bypass the controls provided by these enterprise devices by sending crafted packets that would trigger a denial-of-service (DoS) or allow them to perform a man-in-the-middle (MitM) attack.
A total of four medium-severity security issues were found in the L2 network security controls, in the Ethernet encapsulation protocols, the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University notes in an advisory.
Tracked as CVE-2021-27853, CVE-2021-27854, CVE-2021-27861 and CVE-2021-27862, each of these vulnerabilities represents a different type of bypass of Layer 2 network packet inspection functionality.
The bugs allow for stacking of virtual local area network (VLAN) headers and 802.2 LLC/SNAP headers, enabling an attacker to bypass a device’s various filtering capabilities, including IPv6 RA Guard, Dynamic ARP inspection, and IPv6 Neighbor Discovery (ND) protection.
“An attacker can bypass security controls and deceive a locally connected target host to route traffic to arbitrary destinations. Victim devices experience either a DoS (blackholing traffic) or MitM (observing the unencrypted traffic and maybe breaking encryption),” CERT/CC’s advisory reads.
CERT/CC says that more than 200 vendors have been warned of these vulnerabilities, but that only two of them have confirmed impact, namely Cisco and Juniper Networks.
While Juniper Networks considers the severity of these bugs to be under their “threshold for publication,” this week Cisco issued an advisory to share details on potentially impacted devices.
The tech giant says that multiple enterprise router and switch models running its IOS, IOS XE, IOS XR, and NX-OS software are impacted, as well as several small business switch models, but notes that no firmware update will be released for most of the impacted products.
According to Cisco, software releases 17.6.3 and 17.8.1 for IOS XE switches contain patches for CVE-2021-27853.
CVE-2021-27854 and CVE-2021-27862, Cisco says, do not impact its products. However, while investigating the potential impact of CVE-2021-27854 on its access points, the tech giant identified another medium-severity issue in these products.
Tracked as CVE-2022-20728, the security flaw could allow an “unauthenticated, adjacent attacker to inject packets from the native VLAN to clients within nonnative VLANs on an affected device,” Cisco explains.
The company also notes that it is aware that proof-of-concept (PoC) exploit code targeting these vulnerabilities exists publicly.