cisco-sa-vu855201-j3z8cktx
Vulnerability from csaf_cisco
Published
2022-09-27 16:00
Modified
2022-10-05 18:16
Summary
Vulnerabilities in Layer 2 Network Security Controls Affecting Cisco Products: September 2022
Notes
Summary
On September 27, 2022, the following vulnerabilities affecting Cisco products were disclosed by Cert/CC as part of VU855201, titled L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers ["https://kb.cert.org/vuls/id/855201"]:
CVE-2021-27853: Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using a combination of VLAN 0 headers and LLC/SNAP headers.
CVE-2021-27854: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using a combination of VLAN 0 headers, LLC/SNAP headers in Ethernet to Wifi frame translation, and in the reverse—Wifi to Ethernet.
CVE-2021-27861: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers).
CVE-2021-27862: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers).
Exploitation of these vulnerabilities could allow an adjacent attacker to bypass configured first-hop security (FHS) features on the affected Cisco products.
For more information about these vulnerabilities, see the Details ["#details"] section of this advisory.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX"]
Affected Products
The Vulnerable Products ["#vp"] section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool ["https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID"] and will contain additional platform-specific information, including workarounds (if available) and fixed software releases (if available).
Any product or service not listed in the Vulnerable Products ["#vp"] section of this advisory is to be considered not vulnerable.
Vulnerable Products
CVE-2021-27853
The following table lists Cisco products that are affected by the vulnerability that is described in CVE-2021-27853. See the Details ["#details"] section of this advisory for more information about affected configurations.
Note: End of life products have not been evaluated.
Cisco Product Cisco Bug ID Additional Information Cisco IOS Software - Switches Catalyst 6500 and 6800 Series Switches CSCwa06145 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa06145"] Fixed software will not be made available. Catalyst Digital Building Series Switches CSCwa14942 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14942"] Fixed software will not be made available. Industrial Ethernet Switches CSCvw99743 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw99743"] Fixed software will not be made available. Micro Switches CSCwa14271 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14271"] Fixed software will not be made available. Cisco IOS XE Software - Switches Catalyst 4500 IOS-XE Switches CSCwa18093 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18093"] Fixed software will not be made available. IOS XE Switches CSCvz91291 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz91291"]
CSCwb01481 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb01481"] CSCvz91291 affects Cisco IOS XE Software releases 17.6.1 and later. A fix is available for all FHS features except Dynamic ARP inspection.
CSCwb01481 is relevant for Dynamic ARP Inspection and impacts all releases. Fixed Software will not be made available. Cisco IOS XE Software - Routers IOS XE Routers configured with Ethernet virtual circuits CSCvz96133 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz96133"] Fixed software will not be made available. Cisco IOS XR Software IOS XR Routers configured with L2 Transport services CSCvz88705 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz88705"]
CSCvz89602 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz89602"] Fixed software will not be made available. Cisco Meraki - Switches MS390 N/A Impact is only for Dynamic ARP Inspection. Fixed software will not be made available. MS210
MS225
MS250
MS350
MS355
MS410
MS420
MS425
MS450 N/A Fixed software will not be made available. Cisco NX-OS Software Nexus 3000 Series Switches CSCvx33758 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx33758"] Fixed software will not be made available. Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches CSCvx35087 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx35087"] Fixed software will not be made available. Nexus 7000 Series Switches CSCvx35085 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx35085"] Fixed software will not be made available. Nexus 9000 Series Switches (Standalone Mode) CSCvx33758 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx33758"] Fixed software will not be made available. Cisco Small Business Switches 250 Series Smart Switches
350 Series Managed Switches
350X Series Stackable Managed Switches
550X Series Stackable Managed Switches
Business 250 Series Smart Switches
Business 350 Series Managed Switches CSCvw92154 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw92154"] Fixed software will not be made available. CVE-2021-27854
Cisco Access Points
Cisco evaluated this vulnerability based on its impact on FHS features that are configured on Cisco Access Points. No impact was observed.
As part of the investigation into the impact to Cisco Access Points, another vulnerability was found, and a companion advisory has been published: Cisco Access Points VLAN Bypass from Native VLAN Vulnerability ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apvlan-TDTtb4FY"].
CVE-2021-27861
The following table lists Cisco products that are affected by the vulnerability that is described in CVE-2021-27861. See the Details ["#details"] section of this advisory for more information about affected configurations.
Note: End of life products have not been evaluated.
Cisco Product Cisco Bug ID Additional Information Cisco IOS Software - Switches Catalyst 6500 and 6800 Series Switches CSCwa06265 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa06265"] Fixed software will not be made available. Catalyst Digital Building Series Switches CSCwa14950 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14950"] Fixed software will not be made available. Micro Switches CSCwa14282 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14282"] Fixed software will not be made available. Cisco IOS XR Software IOS XR Routers configured with L2 Transport services CSCwa04809 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa04809"] Fixed software will not be made available. Cisco Meraki - Switches MS210
MS225
MS250
MS350
MS355
MS410
MS420
MS425
MS450 N/A Fixed software will not be made available. Cisco NX-OS Software Nexus 3000 Series Switches CSCwa01097 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa01097"] Fixed software will not be made available. Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches CSCwa18209 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18209"] Fixed software will not be made available. Nexus 7000 Series Switches CSCwa18310 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18310"] Fixed software will not be made available. Nexus 9000 Series Switches (Standalone Mode) CSCwa01097 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa01097"] Fixed software will not be made available. Cisco Small Business Switches 250 Series Smart Switches
350 Series Managed Switches
350X Series Stackable Managed Switches
550X Series Stackable Managed Switches
Business 250 Series Smart Switches
Business 350 Series Managed Switches CSCwa09081 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa09081"] Fixed software will not be made available. CVE-2021-27862
Cisco evaluated this vulnerability based on its impact on FHS features that are configured on Cisco Access points. No impact was observed.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.
CVE-2021-27853
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
ONT Switches
Catalyst PON Series Switches
IOS Switches
Catalyst 1000 Series Switches
IOS XE Platforms
Catalyst 8000 Series Edge Platforms
NX-OS Software
MDS 9000 Series Multilayer Switches
Nexus 1000V Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
UCS 6x00 Series Fabric Interconnects
Meraki Switches
GS110 Switches
MS22 Switches
MS42 Switches
MS120 Switches
MS125 Switches
MS220 Switches
MS320 Switches
CVE-2021-27854
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
Access Points
AireOS Access Points
Meraki Access Points
CVE-2021-27861
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
ONT Switches
Catalyst PON Series Switches
IOS Switches
Catalyst 1000 Series Switches
Industrial Ethernet Switches
IOS XE Routers
IOS XE Routers when configured with Ethernet virtual circuits
IOS XE Software Switches
Catalyst 3650 Series Switches
Catalyst 3850 Series Switches
Catalyst 4500E and 4500X Series Switches
Catalyst 9000 Series Switches
Meraki Switches
GS110 Switches
MS22 Switches
MS42 Switches
MS120 Switches
MS125 Switches
MS220 Switches
MS320 Switches
MS390 Switches
NX-OS Software
MDS 9000 Series Multilayer Switches
Nexus 1000V Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
UCS 6x00 Series Fabric Interconnects
CVE-2021-27862
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
Access Points
AireOS Access Points
Meraki Access Points
Details
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.
CVE-2021-27853
A vulnerability in the processing of stacked Ethernet tag headers of multiple Cisco products could allow an unauthenticated, adjacent attacker to bypass the FHS feature of an affected device.
This vulnerability is due to the platforms forwarding frames when the upper-layer protocol cannot be determined to invoke a Layer 3 FHS feature. An attacker could exploit this vulnerability by sending packets with stacked VLAN Ethernet headers. A successful exploit could allow the attacker to bypass the FHS feature of an affected device.
Cisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability.
CVE ID: CVE-2021-27853
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CVE-2021-27853: Additional Details
The IEEE Std 802.1Q-2018 standard incorporates a priority-tagged frame whose tag header carries priority information but no VLAN identification information. The VLAN identifier is set to 0 and is typically carried in a single 802.1Q header between the source MAC address and the Ethertype/size field.
In networks where VLAN tagging is used, there is typically a single 802.1Q header between the source MAC address and the Ethertype/size field. IEEE 802.1AD has double tagging and includes the S-TAG and C-TAG headers between the source MAC address and the Ethertype/size field.
The IEEE Std 802.1Q-2018 does not specify that there should be no more than two tags present, but Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols (determined by the Ethertype field), whether a packet is classified as IPv4 or IPv6, and whether it is subject to additional Layer 3 feature processing. If these things cannot be determined, the packet is forwarded based on the Layer 2 information, depending on the device configuration.
Depending on the implementation of the next device that receives the frame, the frame may be dropped as invalid or the priority tags may be removed and processed. These actions are dependent on the implementation of the receiving host operating system.
CVE-2021-27853: Cisco Network Operating Systems
This section provides specific details about how the different affected Cisco network operating systems handle Ethernet frames with a VLAN ID 0 tag.
Cisco IOS Software – Switches
By default, all of the affected Cisco IOS Switches process inbound packets with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.
Note: Cisco IOS Switches that have reached end of life have not been evaluated by the Cisco Product Security Incident Response Team (PSIRT).
Cisco IOS XE Software – Switches
By default, Cisco Catalyst 4500E Series switches process an inbound packet with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.
The default behavior of a Cisco IOS XE Switch is to drop all traffic that has a frame header that contains a VLAN ID 0 tag. The switch only processes frames with a VLAN ID 0 tag if the access port is configured as follows:
switchport voice vlan dot1p
Cisco IOS XE Software – Routers
Cisco IOS XE devices that are configured with service instances handle the VLAN ID 0 tag in accordance with their configurations. For VLAN-based services, the top one or two tags are inspected based on configuration and map to the appropriate service instance on the longest match rules.
Service instance-based configurations that contain encapsulation dot1q priority-tagged, encapsulation dot1q priority-tagged exact, or encapsulation default are affected by this vulnerability.
The order of matching a service instance for VLAN ID 0 is based on encapsulation dot1q priority-tagged first and then encapsulation default. Cisco IOS XE Software does not match on encapsulation dot1q any for VLAN ID 0 tags.
Cisco IOS XR Software
Cisco IOS XR Software running on Layer 2 Transport interfaces handles a VLAN ID 0 tag in accordance with the configurations applied to the device. For port-based services, the packets are forwarded with no inspection. For VLAN-based services, either the top tag or the top two tags are inspected based on configuration and map to the appropriate attachment circuit based on the longest match rules. Fore more information, see IOS XR L2VPN Services and Features ["https://www.cisco.com/c/en/us/support/docs/routers/asr-9000-series-aggregation-services-routers/116453-technote-ios-xr-l2vpn-00.html#anc6"].
Configurations that contain encapsulation dot1q priority-tagged, encapsulation dot1q priority-tagged exact, or encapsulation default on Layer 2 Transport VLAN-based configurations are affected by this vulnerability.
Cisco NX-OS Software
By default, Cisco NX-OS Software processes an inbound packet with the frame header containing a VLAN ID 0 tag. The initial VLAN ID 0 tag is stripped and then processed in accordance with the rest of the packet contents. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.
Cisco Small Business Switches
By default, Cisco Small Business Switches process an inbound packet with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.
CVE-2021-27854
CVE-2021-27854 examines the way frames are converted between 802.11 and 802.3 with the injection of VLAN tags in the SNAP headers.
Cisco evaluated this vulnerability for any impact to the security features on wireless access points when handling these frame conversions. Cisco found that no configured FHS features were bypassed.
CVE ID: CVE-2021-27854
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CVE-2021-27861
A vulnerability in the Ethernet processing of multiple Cisco products could allow an unauthenticated, adjacent attacker to bypass the FHS feature of an affected device.
This vulnerability is due to insufficient validation of SNAP/LLC Ethernet frames. An attacker could exploit this vulnerability by sending packets with a crafted (or not crafted, depending on the product) SNAP/LLC Ethernet header. A successful exploit could allow the attacker to bypass the FHS feature of an affected device.
Cisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability for some products.
CVE ID: CVE-2021-27861
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CVE-2021-27861: Cisco Network Operating Systems
This section provides specific details about how the different affected Cisco network operating systems handle SNAP/LLC Ethernet frames.
Cisco IOS Software – Switches
The affected Cisco IOS Software products forward SNAP/LLC frames without additional FHS feature inspection.
Cisco IOS XR Software
The affected Cisco IOS XR Software products forward SNAP/LLC frames without additional FHS feature inspection.
Cisco NX-OS Software
The affected Cisco NX-OS Software products forward SNAP/LLC frames without any additional FHS feature inspection.
Cisco Small Business Switches
The affected Cisco Small Business Switches correctly apply FHS features for SNAP/LLC frames with a length field of up to 1,500. However, SNAP/LLC frames with lengths of 1,501 through 1,535 are forwarded without additional FHS feature inspection.
CVE-2021-27862
CVE-2021-27862 examines the way frames are converted between 802.3 to 802.11 and the length field.
Cisco evaluated this vulnerability for any impact to the security features on wireless access points when handling these frame conversions. Cisco found that no configured FHS features were bypassed.
CVE ID: CVE-2021-27862
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Workarounds
There are workarounds that address some of these vulnerabilities.
CVE-2021-27853
Administrators may drop packets that cannot have their ethertype detected using a Layer 2 access control list (ACL) or where tags are not expected to drop tagged traffic. If a single dot1P header is received, it will still be processed correctly if the network operating system supports it.
The following are examples of Layer 2 ACLs that could be implemented on access ports where FHS has been configured:
Cisco IOS Software – Switches
!
mac access-list extended CSCwa14271
permit any any 0x86DD 0x0
permit any any 0x800 0x0
permit any any 0x806 0x0
deny any any
!
interface GigabitEthernet1/0/1
switchport access vlan 5
switchport voice vlan dot1p
ipv6 nd raguard attach-policy HOSTS
mac access-group CSCwa14271 in
!
Cisco IOS XE Software – Switches
For Cisco IOS XE Software on switches, impact to all FHS features occurs on Cisco IOS Software releases 17.6.1 and later, but earlier than the first fixed release. The issue will not be seen if the access port VLAN also has an active switched virtual interface (SVI). If there are access ports in VLAN 5, for example, this issue will be observed only if interface vlan 5 is not configured. To mitigate this issue for vulnerable releases of Cisco IOS Software, administrators can ensure that each VLAN assigned to access ports has a corresponding SVI configured.
For Cisco IOS XE Software on switches, Dynamic ARP Inspection is affected on all releases. Administrators can configure static ARP entries for the default gateways and critical servers and hosts off the segments that are being protected to protect the critical assets in the environment.
Cisco IOS XE Software – Routers
For configurations that have a service instance with encapsulation priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can either add the keyword exact after the encapsulation priority-tagged or filter on the ethertype field with encapsulation priority-tagged etype ipv4 , ipv6.
For environments that do not have encapsulation priority-tagged assigned to a service instance, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure a service instance that is not assigned to a bridge domain with encapsulation priority-tagged.
Cisco IOS XR Software
For configurations that have an l2transport sub interface configured with encapsulation dot1q|dot1ad priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can add the keyword exact after the encapsulation dot1q|dot1ad priority-tagged.
For environments that do not have encapsulation dot1q|dot1ad priority-tagged assigned to an l2transport sub interface, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure l2transport sub interfaces that are not assigned to a bridge domain with encapsulation dot1q priority-tagged and encapsulation dot1ad priority-tagged.
Cisco NX-OS Software
!
mac access-list drop_three_tags
deny any any 0x8100
deny any any 0x88a8
permit any any
!
interface ethernet 1/4
mac port access-group drop_three_tags
!
Cisco Small Business Switches
To ensure that FHS works correctly on access ports, install a MAC ACL to deny only tagged frames (because they are not to be expected on an access port) or to permit only ARP, IPv4, and IPv6 on all access ports. The following is an example from the Cisco Sx250, 350, and 550 Series Smart Switches and the Cisco Business 250 and 350 Series Smart Switches:
mac access-list extended arp-ip-ip6
permit any any 806 0000 ace-priority 1
permit any any 800 0000 ace-priority 2
permit any any 86dd 0000 ace-priority 3
CVE-2021-27861
The principle for mitigating CVE-2021-27861 is to drop any packets that cannot have their Layer 3 protocol detected using a Layer 2 ACL.
The following are examples of Layer 2 ACLs that could be implemented on access ports where FHP has been configured:
Cisco IOS Software – Switches
No mitigations or workarounds.
Cisco IOS XR Software
No mitigations or workarounds.
Cisco NX-OS Software
!
interface Ethernet1/3
switchport
switchport access vlan 5
mac port access-group drop_non
ipv6 nd raguard attach-policy HOSTS
!
interface Ethernet1/4
switchport
switchport access vlan 5
mac port access-group drop_non
ipv6 nd raguard attach-policy CSCvw92154
!
mac access-list drop_non
10 permit any any 0x86dd
20 permit any any ip
30 permit any any 0x806
35 permit any 0100.0ccc.cccc 0000.0000.0000
40 deny any any
!
Cisco Small Business Switches
No mitigations or workarounds.
While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Fixed Software
When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Releases CVE-2021-27853
At the time of publication, the release information in the following table was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Product Cisco Bug ID First Fixed Release Cisco IOS XE Switches CSCvz91291 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz91291"] 17.6.3
17.8.1 CVE-2021-27854
Cisco evaluated this vulnerability based on its impact on FHS features configured on the access points. No impact was observed.
CVE-2021-27861
At the time of publication, Cisco had not released updates that address this vulnerability for any Cisco product.
CVE-2021-27862
Cisco evaluated this vulnerability based on its impact on FHS features configured on the access points. No impact was observed.
The Cisco PSIRT validates only the affected and fixed release information that is documented in this advisory.
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.
Source
Cisco would like to thank Etienne Champetier for reporting these vulnerabilities and Cert/CC for the coordination.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
{
"document": {
"acknowledgments": [
{
"summary": "Cisco would like to thank Etienne Champetier for reporting these vulnerabilities and Cert/CC for the coordination."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "On September 27, 2022, the following vulnerabilities affecting Cisco products were disclosed by Cert/CC as part of VU855201, titled L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers [\"https://kb.cert.org/vuls/id/855201\"]:\r\n\r\nCVE-2021-27853: Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using a combination of VLAN 0 headers and LLC/SNAP headers.\r\nCVE-2021-27854: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using a combination of VLAN 0 headers, LLC/SNAP headers in Ethernet to Wifi frame translation, and in the reverse\u2014Wifi to Ethernet.\r\nCVE-2021-27861: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers).\r\nCVE-2021-27862: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers).\r\n\r\nExploitation of these vulnerabilities could allow an adjacent attacker to bypass configured first-hop security (FHS) features on the affected Cisco products.\r\n\r\nFor more information about these vulnerabilities, see the Details [\"#details\"] section of this advisory.\r\n\r\nThis advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX\"]",
"title": "Summary"
},
{
"category": "general",
"text": "The Vulnerable Products [\"#vp\"] section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool [\"https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID\"] and will contain additional platform-specific information, including workarounds (if available) and fixed software releases (if available).\r\n\r\nAny product or service not listed in the Vulnerable Products [\"#vp\"] section of this advisory is to be considered not vulnerable.",
"title": "Affected Products"
},
{
"category": "general",
"text": "CVE-2021-27853\r\nThe following table lists Cisco products that are affected by the vulnerability that is described in CVE-2021-27853. See the Details [\"#details\"] section of this advisory for more information about affected configurations.\r\n\r\nNote: End of life products have not been evaluated.\r\n Cisco Product Cisco Bug ID Additional Information Cisco IOS Software - Switches Catalyst 6500 and 6800 Series Switches CSCwa06145 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa06145\"] Fixed software will not be made available. Catalyst Digital Building Series Switches CSCwa14942 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14942\"] Fixed software will not be made available. Industrial Ethernet Switches CSCvw99743 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw99743\"] Fixed software will not be made available. Micro Switches CSCwa14271 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14271\"] Fixed software will not be made available. Cisco IOS XE Software - Switches Catalyst 4500 IOS-XE Switches CSCwa18093 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18093\"] Fixed software will not be made available. IOS XE Switches CSCvz91291 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz91291\"]\r\nCSCwb01481 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb01481\"] CSCvz91291 affects Cisco IOS XE Software releases 17.6.1 and later. A fix is available for all FHS features except Dynamic ARP inspection.\r\n\r\nCSCwb01481 is relevant for Dynamic ARP Inspection and impacts all releases. Fixed Software will not be made available. Cisco IOS XE Software - Routers IOS XE Routers configured with Ethernet virtual circuits CSCvz96133 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz96133\"] Fixed software will not be made available. Cisco IOS XR Software IOS XR Routers configured with L2 Transport services CSCvz88705 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz88705\"]\r\nCSCvz89602 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz89602\"] Fixed software will not be made available. Cisco Meraki - Switches MS390 N/A Impact is only for Dynamic ARP Inspection. Fixed software will not be made available. MS210\r\nMS225\r\nMS250\r\nMS350\r\nMS355\r\nMS410\r\nMS420\r\nMS425\r\nMS450 N/A Fixed software will not be made available. Cisco NX-OS Software Nexus 3000 Series Switches CSCvx33758 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx33758\"] Fixed software will not be made available. Nexus 5500 Platform Switches\r\nNexus 5600 Platform Switches\r\nNexus 6000 Series Switches CSCvx35087 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx35087\"] Fixed software will not be made available. Nexus 7000 Series Switches CSCvx35085 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx35085\"] Fixed software will not be made available. Nexus 9000 Series Switches (Standalone Mode) CSCvx33758 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx33758\"] Fixed software will not be made available. Cisco Small Business Switches 250 Series Smart Switches\r\n350 Series Managed Switches\r\n350X Series Stackable Managed Switches\r\n550X Series Stackable Managed Switches\r\nBusiness 250 Series Smart Switches\r\nBusiness 350 Series Managed Switches CSCvw92154 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw92154\"] Fixed software will not be made available. CVE-2021-27854\r\nCisco Access Points\r\n\r\nCisco evaluated this vulnerability based on its impact on FHS features that are configured on Cisco Access Points. No impact was observed.\r\n\r\nAs part of the investigation into the impact to Cisco Access Points, another vulnerability was found, and a companion advisory has been published: Cisco Access Points VLAN Bypass from Native VLAN Vulnerability [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apvlan-TDTtb4FY\"].\r\n CVE-2021-27861\r\nThe following table lists Cisco products that are affected by the vulnerability that is described in CVE-2021-27861. See the Details [\"#details\"] section of this advisory for more information about affected configurations.\r\n\r\nNote: End of life products have not been evaluated.\r\n Cisco Product Cisco Bug ID Additional Information Cisco IOS Software - Switches Catalyst 6500 and 6800 Series Switches CSCwa06265 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa06265\"] Fixed software will not be made available. Catalyst Digital Building Series Switches CSCwa14950 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14950\"] Fixed software will not be made available. Micro Switches CSCwa14282 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14282\"] Fixed software will not be made available. Cisco IOS XR Software IOS XR Routers configured with L2 Transport services CSCwa04809 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa04809\"] Fixed software will not be made available. Cisco Meraki - Switches MS210\r\nMS225\r\nMS250\r\nMS350\r\nMS355\r\nMS410\r\nMS420\r\nMS425\r\nMS450 N/A Fixed software will not be made available. Cisco NX-OS Software Nexus 3000 Series Switches CSCwa01097 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa01097\"] Fixed software will not be made available. Nexus 5500 Platform Switches\r\nNexus 5600 Platform Switches\r\nNexus 6000 Series Switches CSCwa18209 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18209\"] Fixed software will not be made available. Nexus 7000 Series Switches CSCwa18310 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18310\"] Fixed software will not be made available. Nexus 9000 Series Switches (Standalone Mode) CSCwa01097 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa01097\"] Fixed software will not be made available. Cisco Small Business Switches 250 Series Smart Switches\r\n350 Series Managed Switches\r\n350X Series Stackable Managed Switches\r\n550X Series Stackable Managed Switches\r\nBusiness 250 Series Smart Switches\r\nBusiness 350 Series Managed Switches CSCwa09081 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa09081\"] Fixed software will not be made available. CVE-2021-27862\r\nCisco evaluated this vulnerability based on its impact on FHS features that are configured on Cisco Access points. No impact was observed.",
"title": "Vulnerable Products"
},
{
"category": "general",
"text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n CVE-2021-27853\r\nCisco has confirmed that this vulnerability does not affect the following Cisco products:\r\n\r\nONT Switches\r\n\r\nCatalyst PON Series Switches\r\n\r\nIOS Switches\r\n\r\nCatalyst 1000 Series Switches\r\n\r\nIOS XE Platforms\r\n\r\nCatalyst 8000 Series Edge Platforms\r\n\r\nNX-OS Software\r\n\r\n\r\nMDS 9000 Series Multilayer Switches\r\nNexus 1000V Series Switches\r\nNexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode\r\nUCS 6x00 Series Fabric Interconnects\r\n\r\nMeraki Switches\r\n\r\nGS110 Switches\r\nMS22 Switches\r\nMS42 Switches\r\nMS120 Switches\r\nMS125 Switches\r\nMS220 Switches\r\nMS320 Switches\r\n CVE-2021-27854\r\nCisco has confirmed that this vulnerability does not affect the following Cisco products:\r\n\r\nAccess Points\r\nAireOS Access Points\r\nMeraki Access Points\r\n CVE-2021-27861\r\nCisco has confirmed that this vulnerability does not affect the following Cisco products:\r\n\r\nONT Switches\r\n\r\nCatalyst PON Series Switches\r\n\r\nIOS Switches\r\n\r\nCatalyst 1000 Series Switches\r\nIndustrial Ethernet Switches\r\n\r\nIOS XE Routers\r\n\r\nIOS XE Routers when configured with Ethernet virtual circuits\r\n\r\nIOS XE Software Switches\r\n\r\nCatalyst 3650 Series Switches\r\nCatalyst 3850 Series Switches\r\nCatalyst 4500E and 4500X Series Switches\r\nCatalyst 9000 Series Switches\r\n\r\nMeraki Switches\r\n\r\nGS110 Switches\r\nMS22 Switches\r\nMS42 Switches\r\nMS120 Switches\r\nMS125 Switches\r\nMS220 Switches\r\nMS320 Switches\r\nMS390 Switches\r\n\r\nNX-OS Software\r\n\r\n\r\nMDS 9000 Series Multilayer Switches\r\nNexus 1000V Series Switches\r\nNexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode\r\nUCS 6x00 Series Fabric Interconnects\r\n CVE-2021-27862\r\nCisco has confirmed that this vulnerability does not affect the following Cisco products:\r\n\r\nAccess Points\r\nAireOS Access Points\r\nMeraki Access Points",
"title": "Products Confirmed Not Vulnerable"
},
{
"category": "general",
"text": "The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.\r\n CVE-2021-27853\r\nA vulnerability in the processing of stacked Ethernet tag headers of multiple Cisco products could allow an unauthenticated, adjacent attacker to bypass the FHS feature of an affected device.\r\n\r\nThis vulnerability is due to the platforms forwarding frames when the upper-layer protocol cannot be determined to invoke a Layer 3 FHS feature. An attacker could exploit this vulnerability by sending packets with stacked VLAN Ethernet headers. A successful exploit could allow the attacker to bypass the FHS feature of an affected device.\r\n\r\nCisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability.\r\n\r\nCVE ID: CVE-2021-27853\r\nSecurity Impact Rating (SIR): Medium\r\nCVSS Base Score: 4.7\r\nCVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\r\n\r\nCVE-2021-27853: Additional Details\r\n\r\nThe IEEE Std 802.1Q-2018 standard incorporates a priority-tagged frame whose tag header carries priority information but no VLAN identification information. The VLAN identifier is set to 0 and is typically carried in a single 802.1Q header between the source MAC address and the Ethertype/size field.\r\n\r\nIn networks where VLAN tagging is used, there is typically a single 802.1Q header between the source MAC address and the Ethertype/size field. IEEE 802.1AD has double tagging and includes the S-TAG and C-TAG headers between the source MAC address and the Ethertype/size field.\r\n\r\nThe IEEE Std 802.1Q-2018 does not specify that there should be no more than two tags present, but Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols (determined by the Ethertype field), whether a packet is classified as IPv4 or IPv6, and whether it is subject to additional Layer 3 feature processing. If these things cannot be determined, the packet is forwarded based on the Layer 2 information, depending on the device configuration.\r\n\r\nDepending on the implementation of the next device that receives the frame, the frame may be dropped as invalid or the priority tags may be removed and processed. These actions are dependent on the implementation of the receiving host operating system.\r\n CVE-2021-27853: Cisco Network Operating Systems\r\nThis section provides specific details about how the different affected Cisco network operating systems handle Ethernet frames with a VLAN ID 0 tag.\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\nBy default, all of the affected Cisco IOS Switches process inbound packets with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.\r\n\r\nNote: Cisco IOS Switches that have reached end of life have not been evaluated by the Cisco Product Security Incident Response Team (PSIRT).\r\n\r\nCisco IOS XE Software \u2013 Switches\r\n\r\nBy default, Cisco Catalyst 4500E Series switches process an inbound packet with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.\r\n\r\nThe default behavior of a Cisco IOS XE Switch is to drop all traffic that has a frame header that contains a VLAN ID 0 tag. The switch only processes frames with a VLAN ID 0 tag if the access port is configured as follows:\r\n\r\n\r\nswitchport voice vlan dot1p\r\n\r\nCisco IOS XE Software \u2013 Routers\r\n\r\nCisco IOS XE devices that are configured with service instances handle the VLAN ID 0 tag in accordance with their configurations. For VLAN-based services, the top one or two tags are inspected based on configuration and map to the appropriate service instance on the longest match rules.\r\n\r\nService instance-based configurations that contain encapsulation dot1q priority-tagged, encapsulation dot1q priority-tagged exact, or encapsulation default are affected by this vulnerability.\r\n\r\nThe order of matching a service instance for VLAN ID 0 is based on encapsulation dot1q priority-tagged first and then encapsulation default. Cisco IOS XE Software does not match on encapsulation dot1q any for VLAN ID 0 tags.\r\n\r\nCisco IOS XR Software\r\n\r\nCisco IOS XR Software running on Layer 2 Transport interfaces handles a VLAN ID 0 tag in accordance with the configurations applied to the device. For port-based services, the packets are forwarded with no inspection. For VLAN-based services, either the top tag or the top two tags are inspected based on configuration and map to the appropriate attachment circuit based on the longest match rules. Fore more information, see IOS XR L2VPN Services and Features [\"https://www.cisco.com/c/en/us/support/docs/routers/asr-9000-series-aggregation-services-routers/116453-technote-ios-xr-l2vpn-00.html#anc6\"].\r\n\r\nConfigurations that contain encapsulation dot1q priority-tagged, encapsulation dot1q priority-tagged exact, or encapsulation default on Layer 2 Transport VLAN-based configurations are affected by this vulnerability.\r\n\r\nCisco NX-OS Software\r\n\r\nBy default, Cisco NX-OS Software processes an inbound packet with the frame header containing a VLAN ID 0 tag. The initial VLAN ID 0 tag is stripped and then processed in accordance with the rest of the packet contents. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.\r\n\r\nCisco Small Business Switches\r\n\r\nBy default, Cisco Small Business Switches process an inbound packet with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.\r\n CVE-2021-27854\r\nCVE-2021-27854 examines the way frames are converted between 802.11 and 802.3 with the injection of VLAN tags in the SNAP headers.\r\n\r\nCisco evaluated this vulnerability for any impact to the security features on wireless access points when handling these frame conversions. Cisco found that no configured FHS features were bypassed.\r\n\r\nCVE ID: CVE-2021-27854\r\nSecurity Impact Rating (SIR): Medium\r\nCVSS Base Score: 4.7\r\nCVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\r\n CVE-2021-27861\r\nA vulnerability in the Ethernet processing of multiple Cisco products could allow an unauthenticated, adjacent attacker to bypass the FHS feature of an affected device.\r\n\r\nThis vulnerability is due to insufficient validation of SNAP/LLC Ethernet frames. An attacker could exploit this vulnerability by sending packets with a crafted (or not crafted, depending on the product) SNAP/LLC Ethernet header. A successful exploit could allow the attacker to bypass the FHS feature of an affected device.\r\n\r\nCisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability for some products.\r\n\r\nCVE ID: CVE-2021-27861\r\nSecurity Impact Rating (SIR): Medium\r\nCVSS Base Score: 4.7\r\nCVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\r\n CVE-2021-27861: Cisco Network Operating Systems\r\nThis section provides specific details about how the different affected Cisco network operating systems handle SNAP/LLC Ethernet frames.\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\nThe affected Cisco IOS Software products forward SNAP/LLC frames without additional FHS feature inspection.\r\n\r\nCisco IOS XR Software\r\n\r\nThe affected Cisco IOS XR Software products forward SNAP/LLC frames without additional FHS feature inspection.\r\n\r\nCisco NX-OS Software\r\n\r\nThe affected Cisco NX-OS Software products forward SNAP/LLC frames without any additional FHS feature inspection.\r\n\r\nCisco Small Business Switches\r\n\r\nThe affected Cisco Small Business Switches correctly apply FHS features for SNAP/LLC frames with a length field of up to 1,500. However, SNAP/LLC frames with lengths of 1,501 through 1,535 are forwarded without additional FHS feature inspection.\r\n CVE-2021-27862\r\nCVE-2021-27862 examines the way frames are converted between 802.3 to 802.11 and the length field.\r\n\r\nCisco evaluated this vulnerability for any impact to the security features on wireless access points when handling these frame conversions. Cisco found that no configured FHS features were bypassed.\r\n\r\nCVE ID: CVE-2021-27862\r\nSecurity Impact Rating (SIR): Medium\r\nCVSS Base Score: 4.7\r\nCVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"title": "Details"
},
{
"category": "general",
"text": "There are workarounds that address some of these vulnerabilities.\r\n CVE-2021-27853\r\nAdministrators may drop packets that cannot have their ethertype detected using a Layer 2 access control list (ACL) or where tags are not expected to drop tagged traffic. If a single dot1P header is received, it will still be processed correctly if the network operating system supports it.\r\n\r\nThe following are examples of Layer 2 ACLs that could be implemented on access ports where FHS has been configured:\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\n\r\n!\r\nmac access-list extended CSCwa14271\r\n permit any any 0x86DD 0x0\r\n permit any any 0x800 0x0\r\n permit any any 0x806 0x0\r\n deny any any\r\n!\r\ninterface GigabitEthernet1/0/1\r\n switchport access vlan 5\r\n switchport voice vlan dot1p\r\n ipv6 nd raguard attach-policy HOSTS\r\n mac access-group CSCwa14271 in\r\n!\r\n\r\nCisco IOS XE Software \u2013 Switches\r\n\r\nFor Cisco IOS XE Software on switches, impact to all FHS features occurs on Cisco IOS Software releases 17.6.1 and later, but earlier than the first fixed release. The issue will not be seen if the access port VLAN also has an active switched virtual interface (SVI). If there are access ports in VLAN 5, for example, this issue will be observed only if interface vlan 5 is not configured. To mitigate this issue for vulnerable releases of Cisco IOS Software, administrators can ensure that each VLAN assigned to access ports has a corresponding SVI configured.\r\n\r\nFor Cisco IOS XE Software on switches, Dynamic ARP Inspection is affected on all releases. Administrators can configure static ARP entries for the default gateways and critical servers and hosts off the segments that are being protected to protect the critical assets in the environment.\r\n\r\nCisco IOS XE Software \u2013 Routers\r\n\r\nFor configurations that have a service instance with encapsulation priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can either add the keyword exact after the encapsulation priority-tagged or filter on the ethertype field with encapsulation priority-tagged etype ipv4 , ipv6.\r\n\r\nFor environments that do not have encapsulation priority-tagged assigned to a service instance, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure a service instance that is not assigned to a bridge domain with encapsulation priority-tagged.\r\n\r\nCisco IOS XR Software\r\n\r\nFor configurations that have an l2transport sub interface configured with encapsulation dot1q|dot1ad priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can add the keyword exact after the encapsulation dot1q|dot1ad priority-tagged.\r\n\r\nFor environments that do not have encapsulation dot1q|dot1ad priority-tagged assigned to an l2transport sub interface, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure l2transport sub interfaces that are not assigned to a bridge domain with encapsulation dot1q priority-tagged and encapsulation dot1ad priority-tagged.\r\n\r\nCisco NX-OS Software\r\n\r\n\r\n!\r\nmac access-list drop_three_tags\r\n deny any any 0x8100\r\n deny any any 0x88a8\r\n permit any any\r\n!\r\ninterface ethernet 1/4\r\n mac port access-group drop_three_tags\r\n!\r\n\r\n\r\nCisco Small Business Switches\r\n\r\nTo ensure that FHS works correctly on access ports, install a MAC ACL to deny only tagged frames (because they are not to be expected on an access port) or to permit only ARP, IPv4, and IPv6 on all access ports. The following is an example from the Cisco Sx250, 350, and 550 Series Smart Switches and the Cisco Business 250 and 350 Series Smart Switches:\r\n\r\n\r\nmac access-list extended arp-ip-ip6\r\npermit any any 806 0000 ace-priority 1\r\npermit any any 800 0000 ace-priority 2\r\npermit any any 86dd 0000 ace-priority 3\r\n\r\n\r\n CVE-2021-27861\r\nThe principle for mitigating CVE-2021-27861 is to drop any packets that cannot have their Layer 3 protocol detected using a Layer 2 ACL.\r\n\r\nThe following are examples of Layer 2 ACLs that could be implemented on access ports where FHP has been configured:\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\nNo mitigations or workarounds.\r\n\r\nCisco IOS XR Software\r\n\r\nNo mitigations or workarounds.\r\n\r\nCisco NX-OS Software\r\n\r\n\r\n!\r\ninterface Ethernet1/3\r\n switchport\r\n switchport access vlan 5\r\n mac port access-group drop_non\r\n ipv6 nd raguard attach-policy HOSTS\r\n!\r\ninterface Ethernet1/4\r\n switchport\r\n switchport access vlan 5\r\n mac port access-group drop_non\r\n ipv6 nd raguard attach-policy CSCvw92154\r\n!\r\nmac access-list drop_non\r\n 10 permit any any 0x86dd\r\n 20 permit any any ip\r\n 30 permit any any 0x806\r\n 35 permit any 0100.0ccc.cccc 0000.0000.0000\r\n 40 deny any any\r\n!\r\n\r\nCisco Small Business Switches\r\n\r\nNo mitigations or workarounds.\r\n\r\nWhile these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.",
"title": "Workarounds"
},
{
"category": "general",
"text": "When considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n Fixed Releases CVE-2021-27853\r\nAt the time of publication, the release information in the following table was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.\r\n Product Cisco Bug ID First Fixed Release Cisco IOS XE Switches CSCvz91291 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz91291\"] 17.6.3\r\n17.8.1 CVE-2021-27854\r\nCisco evaluated this vulnerability based on its impact on FHS features configured on the access points. No impact was observed.\r\n CVE-2021-27861\r\nAt the time of publication, Cisco had not released updates that address this vulnerability for any Cisco product.\r\n CVE-2021-27862\r\nCisco evaluated this vulnerability based on its impact on FHS features configured on the access points. No impact was observed.\r\n\r\nThe Cisco PSIRT validates only the affected and fixed release information that is documented in this advisory.",
"title": "Fixed Software"
},
{
"category": "general",
"text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
"title": "Vulnerability Policy"
},
{
"category": "general",
"text": "The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.\r\n\r\nThe Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.",
"title": "Exploitation and Public Announcements"
},
{
"category": "general",
"text": "Cisco would like to thank Etienne Champetier for reporting these vulnerabilities and Cert/CC for the coordination.",
"title": "Source"
},
{
"category": "legal_disclaimer",
"text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
"title": "Legal Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
"issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Vulnerabilities in Layer 2 Network Security Controls Affecting Cisco Products: September 2022",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers",
"url": "https://kb.cert.org/vuls/id/855201"
},
{
"category": "external",
"summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX"
},
{
"category": "external",
"summary": "Cisco\u0026nbsp;Bug Search Tool",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID"
},
{
"category": "external",
"summary": "CSCwa06145",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa06145"
},
{
"category": "external",
"summary": "CSCwa14942",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14942"
},
{
"category": "external",
"summary": "CSCvw99743",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw99743"
},
{
"category": "external",
"summary": "CSCwa14271",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14271"
},
{
"category": "external",
"summary": "CSCwa18093",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18093"
},
{
"category": "external",
"summary": "CSCvz91291",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz91291"
},
{
"category": "external",
"summary": "CSCwb01481",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb01481"
},
{
"category": "external",
"summary": "CSCvz96133",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz96133"
},
{
"category": "external",
"summary": "CSCvz88705",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz88705"
},
{
"category": "external",
"summary": "CSCvz89602",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz89602"
},
{
"category": "external",
"summary": "CSCvx33758",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx33758"
},
{
"category": "external",
"summary": "CSCvx35087",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx35087"
},
{
"category": "external",
"summary": "CSCvx35085",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx35085"
},
{
"category": "external",
"summary": "CSCvx33758",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx33758"
},
{
"category": "external",
"summary": "CSCvw92154",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw92154"
},
{
"category": "external",
"summary": "Cisco\u0026nbsp;Access Points VLAN Bypass from Native VLAN Vulnerability",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apvlan-TDTtb4FY"
},
{
"category": "external",
"summary": "CSCwa06265",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa06265"
},
{
"category": "external",
"summary": "CSCwa14950",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14950"
},
{
"category": "external",
"summary": "CSCwa14282",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14282"
},
{
"category": "external",
"summary": "CSCwa04809",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa04809"
},
{
"category": "external",
"summary": "CSCwa01097",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa01097"
},
{
"category": "external",
"summary": "CSCwa18209",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18209"
},
{
"category": "external",
"summary": "CSCwa18310",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa18310"
},
{
"category": "external",
"summary": "CSCwa01097",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa01097"
},
{
"category": "external",
"summary": "CSCwa09081",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa09081"
},
{
"category": "external",
"summary": "IOS XR L2VPN Services and Features",
"url": "https://www.cisco.com/c/en/us/support/docs/routers/asr-9000-series-aggregation-services-routers/116453-technote-ios-xr-l2vpn-00.html#anc6"
},
{
"category": "external",
"summary": "considering software upgrades",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
},
{
"category": "external",
"summary": "Cisco\u0026nbsp;Security Advisories page",
"url": "https://www.cisco.com/go/psirt"
},
{
"category": "external",
"summary": "CSCvz91291",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz91291"
},
{
"category": "external",
"summary": "Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
}
],
"title": "Vulnerabilities in Layer 2 Network Security Controls Affecting Cisco Products: September 2022",
"tracking": {
"current_release_date": "2022-10-05T18:16:08+00:00",
"generator": {
"date": "2022-10-22T03:15:47+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-VU855201-J3z8CKTX",
"initial_release_date": "2022-09-27T16:00:00+00:00",
"revision_history": [
{
"date": "2022-09-27T16:38:06+00:00",
"number": "1.0.0",
"summary": "Initial public release."
},
{
"date": "2022-10-05T18:16:08+00:00",
"number": "1.1.0",
"summary": "Corrected affected product information."
}
],
"status": "final",
"version": "1.1.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_family",
"name": "IOS",
"product": {
"name": "Cisco IOS ",
"product_id": "CSAFPID-2097"
}
},
{
"category": "product_family",
"name": "Cisco IOS XR Software",
"product": {
"name": "Cisco IOS XR Software ",
"product_id": "CSAFPID-5834"
}
},
{
"category": "product_family",
"name": "Cisco NX-OS Software",
"product": {
"name": "Cisco NX-OS Software ",
"product_id": "CSAFPID-80720"
}
},
{
"category": "product_family",
"name": "Cisco IOS XE Software",
"product": {
"name": "Cisco IOS XE Software ",
"product_id": "CSAFPID-93036"
}
},
{
"category": "product_family",
"name": "Cisco Aironet Access Point Software",
"product": {
"name": "Cisco Aironet Access Point Software ",
"product_id": "CSAFPID-190024"
}
},
{
"category": "product_family",
"name": "Cisco Small Business Smart and Managed Switches",
"product": {
"name": "Cisco Small Business Smart and Managed Switches ",
"product_id": "CSAFPID-278027"
}
}
],
"category": "vendor",
"name": "Cisco"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-27862",
"notes": [
{
"category": "other",
"text": "Not available.",
"title": "Affected Product Comprehensiveness"
}
],
"remediations": [
{
"category": "workaround",
"details": "There are workarounds that address some of these vulnerabilities.\r\n CVE-2021-27853\r\nAdministrators may drop packets that cannot have their ethertype detected using a Layer 2 access control list (ACL) or where tags are not expected to drop tagged traffic. If a single dot1P header is received, it will still be processed correctly if the network operating system supports it.\r\n\r\nThe following are examples of Layer 2 ACLs that could be implemented on access ports where FHS has been configured:\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\n\r\n!\r\nmac access-list extended CSCwa14271\r\n permit any any 0x86DD 0x0\r\n permit any any 0x800 0x0\r\n permit any any 0x806 0x0\r\n deny any any\r\n!\r\ninterface GigabitEthernet1/0/1\r\n switchport access vlan 5\r\n switchport voice vlan dot1p\r\n ipv6 nd raguard attach-policy HOSTS\r\n mac access-group CSCwa14271 in\r\n!\r\n\r\nCisco IOS XE Software \u2013 Switches\r\n\r\nFor Cisco IOS XE Software on switches, impact to all FHS features occurs on Cisco IOS Software releases 17.6.1 and later, but earlier than the first fixed release. The issue will not be seen if the access port VLAN also has an active switched virtual interface (SVI). If there are access ports in VLAN 5, for example, this issue will be observed only if interface vlan 5 is not configured. To mitigate this issue for vulnerable releases of Cisco IOS Software, administrators can ensure that each VLAN assigned to access ports has a corresponding SVI configured.\r\n\r\nFor Cisco IOS XE Software on switches, Dynamic ARP Inspection is affected on all releases. Administrators can configure static ARP entries for the default gateways and critical servers and hosts off the segments that are being protected to protect the critical assets in the environment.\r\n\r\nCisco IOS XE Software \u2013 Routers\r\n\r\nFor configurations that have a service instance with encapsulation priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can either add the keyword exact after the encapsulation priority-tagged or filter on the ethertype field with encapsulation priority-tagged etype ipv4 , ipv6.\r\n\r\nFor environments that do not have encapsulation priority-tagged assigned to a service instance, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure a service instance that is not assigned to a bridge domain with encapsulation priority-tagged.\r\n\r\nCisco IOS XR Software\r\n\r\nFor configurations that have an l2transport sub interface configured with encapsulation dot1q|dot1ad priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can add the keyword exact after the encapsulation dot1q|dot1ad priority-tagged.\r\n\r\nFor environments that do not have encapsulation dot1q|dot1ad priority-tagged assigned to an l2transport sub interface, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure l2transport sub interfaces that are not assigned to a bridge domain with encapsulation dot1q priority-tagged and encapsulation dot1ad priority-tagged.\r\n\r\nCisco NX-OS Software\r\n\r\n\r\n!\r\nmac access-list drop_three_tags\r\n deny any any 0x8100\r\n deny any any 0x88a8\r\n permit any any\r\n!\r\ninterface ethernet 1/4\r\n mac port access-group drop_three_tags\r\n!\r\n\r\n\r\nCisco Small Business Switches\r\n\r\nTo ensure that FHS works correctly on access ports, install a MAC ACL to deny only tagged frames (because they are not to be expected on an access port) or to permit only ARP, IPv4, and IPv6 on all access ports. The following is an example from the Cisco Sx250, 350, and 550 Series Smart Switches and the Cisco Business 250 and 350 Series Smart Switches:\r\n\r\n\r\nmac access-list extended arp-ip-ip6\r\npermit any any 806 0000 ace-priority 1\r\npermit any any 800 0000 ace-priority 2\r\npermit any any 86dd 0000 ace-priority 3\r\n\r\n\r\n CVE-2021-27861\r\nThe principle for mitigating CVE-2021-27861 is to drop any packets that cannot have their Layer 3 protocol detected using a Layer 2 ACL.\r\n\r\nThe following are examples of Layer 2 ACLs that could be implemented on access ports where FHP has been configured:\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\nNo mitigations or workarounds.\r\n\r\nCisco IOS XR Software\r\n\r\nNo mitigations or workarounds.\r\n\r\nCisco NX-OS Software\r\n\r\n\r\n!\r\ninterface Ethernet1/3\r\n switchport\r\n switchport access vlan 5\r\n mac port access-group drop_non\r\n ipv6 nd raguard attach-policy HOSTS\r\n!\r\ninterface Ethernet1/4\r\n switchport\r\n switchport access vlan 5\r\n mac port access-group drop_non\r\n ipv6 nd raguard attach-policy CSCvw92154\r\n!\r\nmac access-list drop_non\r\n 10 permit any any 0x86dd\r\n 20 permit any any ip\r\n 30 permit any any 0x806\r\n 35 permit any 0100.0ccc.cccc 0000.0000.0000\r\n 40 deny any any\r\n!\r\n\r\nCisco Small Business Switches\r\n\r\nNo mitigations or workarounds.\r\n\r\nWhile these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment."
}
],
"title": "VU855201: When converting from 802.3 (LLC/SNAP) to 802.11, Linux ignore the length field. "
},
{
"cve": "CVE-2021-27853",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCvz96133"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa18093"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvz91291"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwb01481"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa14271"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa06145"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa14942"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvw99743"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvx33758"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvx35087"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvx35085"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvz89602"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvz88705"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCvw92154"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-93036",
"CSAFPID-2097",
"CSAFPID-80720",
"CSAFPID-5834",
"CSAFPID-278027"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-93036",
"CSAFPID-80720",
"CSAFPID-278027",
"CSAFPID-2097",
"CSAFPID-5834"
],
"url": "https://software.cisco.com"
},
{
"category": "workaround",
"details": "There are workarounds that address some of these vulnerabilities.\r\n CVE-2021-27853\r\nAdministrators may drop packets that cannot have their ethertype detected using a Layer 2 access control list (ACL) or where tags are not expected to drop tagged traffic. If a single dot1P header is received, it will still be processed correctly if the network operating system supports it.\r\n\r\nThe following are examples of Layer 2 ACLs that could be implemented on access ports where FHS has been configured:\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\n\r\n!\r\nmac access-list extended CSCwa14271\r\n permit any any 0x86DD 0x0\r\n permit any any 0x800 0x0\r\n permit any any 0x806 0x0\r\n deny any any\r\n!\r\ninterface GigabitEthernet1/0/1\r\n switchport access vlan 5\r\n switchport voice vlan dot1p\r\n ipv6 nd raguard attach-policy HOSTS\r\n mac access-group CSCwa14271 in\r\n!\r\n\r\nCisco IOS XE Software \u2013 Switches\r\n\r\nFor Cisco IOS XE Software on switches, impact to all FHS features occurs on Cisco IOS Software releases 17.6.1 and later, but earlier than the first fixed release. The issue will not be seen if the access port VLAN also has an active switched virtual interface (SVI). If there are access ports in VLAN 5, for example, this issue will be observed only if interface vlan 5 is not configured. To mitigate this issue for vulnerable releases of Cisco IOS Software, administrators can ensure that each VLAN assigned to access ports has a corresponding SVI configured.\r\n\r\nFor Cisco IOS XE Software on switches, Dynamic ARP Inspection is affected on all releases. Administrators can configure static ARP entries for the default gateways and critical servers and hosts off the segments that are being protected to protect the critical assets in the environment.\r\n\r\nCisco IOS XE Software \u2013 Routers\r\n\r\nFor configurations that have a service instance with encapsulation priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can either add the keyword exact after the encapsulation priority-tagged or filter on the ethertype field with encapsulation priority-tagged etype ipv4 , ipv6.\r\n\r\nFor environments that do not have encapsulation priority-tagged assigned to a service instance, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure a service instance that is not assigned to a bridge domain with encapsulation priority-tagged.\r\n\r\nCisco IOS XR Software\r\n\r\nFor configurations that have an l2transport sub interface configured with encapsulation dot1q|dot1ad priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can add the keyword exact after the encapsulation dot1q|dot1ad priority-tagged.\r\n\r\nFor environments that do not have encapsulation dot1q|dot1ad priority-tagged assigned to an l2transport sub interface, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure l2transport sub interfaces that are not assigned to a bridge domain with encapsulation dot1q priority-tagged and encapsulation dot1ad priority-tagged.\r\n\r\nCisco NX-OS Software\r\n\r\n\r\n!\r\nmac access-list drop_three_tags\r\n deny any any 0x8100\r\n deny any any 0x88a8\r\n permit any any\r\n!\r\ninterface ethernet 1/4\r\n mac port access-group drop_three_tags\r\n!\r\n\r\n\r\nCisco Small Business Switches\r\n\r\nTo ensure that FHS works correctly on access ports, install a MAC ACL to deny only tagged frames (because they are not to be expected on an access port) or to permit only ARP, IPv4, and IPv6 on all access ports. The following is an example from the Cisco Sx250, 350, and 550 Series Smart Switches and the Cisco Business 250 and 350 Series Smart Switches:\r\n\r\n\r\nmac access-list extended arp-ip-ip6\r\npermit any any 806 0000 ace-priority 1\r\npermit any any 800 0000 ace-priority 2\r\npermit any any 86dd 0000 ace-priority 3\r\n\r\n\r\n CVE-2021-27861\r\nThe principle for mitigating CVE-2021-27861 is to drop any packets that cannot have their Layer 3 protocol detected using a Layer 2 ACL.\r\n\r\nThe following are examples of Layer 2 ACLs that could be implemented on access ports where FHP has been configured:\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\nNo mitigations or workarounds.\r\n\r\nCisco IOS XR Software\r\n\r\nNo mitigations or workarounds.\r\n\r\nCisco NX-OS Software\r\n\r\n\r\n!\r\ninterface Ethernet1/3\r\n switchport\r\n switchport access vlan 5\r\n mac port access-group drop_non\r\n ipv6 nd raguard attach-policy HOSTS\r\n!\r\ninterface Ethernet1/4\r\n switchport\r\n switchport access vlan 5\r\n mac port access-group drop_non\r\n ipv6 nd raguard attach-policy CSCvw92154\r\n!\r\nmac access-list drop_non\r\n 10 permit any any 0x86dd\r\n 20 permit any any ip\r\n 30 permit any any 0x806\r\n 35 permit any 0100.0ccc.cccc 0000.0000.0000\r\n 40 deny any any\r\n!\r\n\r\nCisco Small Business Switches\r\n\r\nNo mitigations or workarounds.\r\n\r\nWhile these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.",
"product_ids": [
"CSAFPID-93036",
"CSAFPID-2097",
"CSAFPID-80720",
"CSAFPID-5834",
"CSAFPID-278027"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-93036",
"CSAFPID-2097",
"CSAFPID-80720",
"CSAFPID-5834",
"CSAFPID-278027"
]
}
],
"title": "VU855201: 802.1Q VID0 Headers can bypass First Hop Security Affecting Cisco Products"
},
{
"cve": "CVE-2021-27861",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCwa18209"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa01097"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa18310"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa14282"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa14950"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa06265"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa09081"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCwa04809"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-80720",
"CSAFPID-2097",
"CSAFPID-278027",
"CSAFPID-5834"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-80720",
"CSAFPID-278027",
"CSAFPID-2097",
"CSAFPID-5834"
],
"url": "https://software.cisco.com"
},
{
"category": "workaround",
"details": "There are workarounds that address some of these vulnerabilities.\r\n CVE-2021-27853\r\nAdministrators may drop packets that cannot have their ethertype detected using a Layer 2 access control list (ACL) or where tags are not expected to drop tagged traffic. If a single dot1P header is received, it will still be processed correctly if the network operating system supports it.\r\n\r\nThe following are examples of Layer 2 ACLs that could be implemented on access ports where FHS has been configured:\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\n\r\n!\r\nmac access-list extended CSCwa14271\r\n permit any any 0x86DD 0x0\r\n permit any any 0x800 0x0\r\n permit any any 0x806 0x0\r\n deny any any\r\n!\r\ninterface GigabitEthernet1/0/1\r\n switchport access vlan 5\r\n switchport voice vlan dot1p\r\n ipv6 nd raguard attach-policy HOSTS\r\n mac access-group CSCwa14271 in\r\n!\r\n\r\nCisco IOS XE Software \u2013 Switches\r\n\r\nFor Cisco IOS XE Software on switches, impact to all FHS features occurs on Cisco IOS Software releases 17.6.1 and later, but earlier than the first fixed release. The issue will not be seen if the access port VLAN also has an active switched virtual interface (SVI). If there are access ports in VLAN 5, for example, this issue will be observed only if interface vlan 5 is not configured. To mitigate this issue for vulnerable releases of Cisco IOS Software, administrators can ensure that each VLAN assigned to access ports has a corresponding SVI configured.\r\n\r\nFor Cisco IOS XE Software on switches, Dynamic ARP Inspection is affected on all releases. Administrators can configure static ARP entries for the default gateways and critical servers and hosts off the segments that are being protected to protect the critical assets in the environment.\r\n\r\nCisco IOS XE Software \u2013 Routers\r\n\r\nFor configurations that have a service instance with encapsulation priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can either add the keyword exact after the encapsulation priority-tagged or filter on the ethertype field with encapsulation priority-tagged etype ipv4 , ipv6.\r\n\r\nFor environments that do not have encapsulation priority-tagged assigned to a service instance, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure a service instance that is not assigned to a bridge domain with encapsulation priority-tagged.\r\n\r\nCisco IOS XR Software\r\n\r\nFor configurations that have an l2transport sub interface configured with encapsulation dot1q|dot1ad priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can add the keyword exact after the encapsulation dot1q|dot1ad priority-tagged.\r\n\r\nFor environments that do not have encapsulation dot1q|dot1ad priority-tagged assigned to an l2transport sub interface, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure l2transport sub interfaces that are not assigned to a bridge domain with encapsulation dot1q priority-tagged and encapsulation dot1ad priority-tagged.\r\n\r\nCisco NX-OS Software\r\n\r\n\r\n!\r\nmac access-list drop_three_tags\r\n deny any any 0x8100\r\n deny any any 0x88a8\r\n permit any any\r\n!\r\ninterface ethernet 1/4\r\n mac port access-group drop_three_tags\r\n!\r\n\r\n\r\nCisco Small Business Switches\r\n\r\nTo ensure that FHS works correctly on access ports, install a MAC ACL to deny only tagged frames (because they are not to be expected on an access port) or to permit only ARP, IPv4, and IPv6 on all access ports. The following is an example from the Cisco Sx250, 350, and 550 Series Smart Switches and the Cisco Business 250 and 350 Series Smart Switches:\r\n\r\n\r\nmac access-list extended arp-ip-ip6\r\npermit any any 806 0000 ace-priority 1\r\npermit any any 800 0000 ace-priority 2\r\npermit any any 86dd 0000 ace-priority 3\r\n\r\n\r\n CVE-2021-27861\r\nThe principle for mitigating CVE-2021-27861 is to drop any packets that cannot have their Layer 3 protocol detected using a Layer 2 ACL.\r\n\r\nThe following are examples of Layer 2 ACLs that could be implemented on access ports where FHP has been configured:\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\nNo mitigations or workarounds.\r\n\r\nCisco IOS XR Software\r\n\r\nNo mitigations or workarounds.\r\n\r\nCisco NX-OS Software\r\n\r\n\r\n!\r\ninterface Ethernet1/3\r\n switchport\r\n switchport access vlan 5\r\n mac port access-group drop_non\r\n ipv6 nd raguard attach-policy HOSTS\r\n!\r\ninterface Ethernet1/4\r\n switchport\r\n switchport access vlan 5\r\n mac port access-group drop_non\r\n ipv6 nd raguard attach-policy CSCvw92154\r\n!\r\nmac access-list drop_non\r\n 10 permit any any 0x86dd\r\n 20 permit any any ip\r\n 30 permit any any 0x806\r\n 35 permit any 0100.0ccc.cccc 0000.0000.0000\r\n 40 deny any any\r\n!\r\n\r\nCisco Small Business Switches\r\n\r\nNo mitigations or workarounds.\r\n\r\nWhile these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.",
"product_ids": [
"CSAFPID-80720",
"CSAFPID-2097",
"CSAFPID-278027",
"CSAFPID-5834"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-80720",
"CSAFPID-2097",
"CSAFPID-278027",
"CSAFPID-5834"
]
}
],
"title": "VU855201: SNAP/LLC Headers can bypass First Hop Security Affecting Cisco Products"
},
{
"cve": "CVE-2021-27854",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCvx37987"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-190024"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-190024"
],
"url": "https://software.cisco.com"
},
{
"category": "workaround",
"details": "There are workarounds that address some of these vulnerabilities.\r\n CVE-2021-27853\r\nAdministrators may drop packets that cannot have their ethertype detected using a Layer 2 access control list (ACL) or where tags are not expected to drop tagged traffic. If a single dot1P header is received, it will still be processed correctly if the network operating system supports it.\r\n\r\nThe following are examples of Layer 2 ACLs that could be implemented on access ports where FHS has been configured:\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\n\r\n!\r\nmac access-list extended CSCwa14271\r\n permit any any 0x86DD 0x0\r\n permit any any 0x800 0x0\r\n permit any any 0x806 0x0\r\n deny any any\r\n!\r\ninterface GigabitEthernet1/0/1\r\n switchport access vlan 5\r\n switchport voice vlan dot1p\r\n ipv6 nd raguard attach-policy HOSTS\r\n mac access-group CSCwa14271 in\r\n!\r\n\r\nCisco IOS XE Software \u2013 Switches\r\n\r\nFor Cisco IOS XE Software on switches, impact to all FHS features occurs on Cisco IOS Software releases 17.6.1 and later, but earlier than the first fixed release. The issue will not be seen if the access port VLAN also has an active switched virtual interface (SVI). If there are access ports in VLAN 5, for example, this issue will be observed only if interface vlan 5 is not configured. To mitigate this issue for vulnerable releases of Cisco IOS Software, administrators can ensure that each VLAN assigned to access ports has a corresponding SVI configured.\r\n\r\nFor Cisco IOS XE Software on switches, Dynamic ARP Inspection is affected on all releases. Administrators can configure static ARP entries for the default gateways and critical servers and hosts off the segments that are being protected to protect the critical assets in the environment.\r\n\r\nCisco IOS XE Software \u2013 Routers\r\n\r\nFor configurations that have a service instance with encapsulation priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can either add the keyword exact after the encapsulation priority-tagged or filter on the ethertype field with encapsulation priority-tagged etype ipv4 , ipv6.\r\n\r\nFor environments that do not have encapsulation priority-tagged assigned to a service instance, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure a service instance that is not assigned to a bridge domain with encapsulation priority-tagged.\r\n\r\nCisco IOS XR Software\r\n\r\nFor configurations that have an l2transport sub interface configured with encapsulation dot1q|dot1ad priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can add the keyword exact after the encapsulation dot1q|dot1ad priority-tagged.\r\n\r\nFor environments that do not have encapsulation dot1q|dot1ad priority-tagged assigned to an l2transport sub interface, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure l2transport sub interfaces that are not assigned to a bridge domain with encapsulation dot1q priority-tagged and encapsulation dot1ad priority-tagged.\r\n\r\nCisco NX-OS Software\r\n\r\n\r\n!\r\nmac access-list drop_three_tags\r\n deny any any 0x8100\r\n deny any any 0x88a8\r\n permit any any\r\n!\r\ninterface ethernet 1/4\r\n mac port access-group drop_three_tags\r\n!\r\n\r\n\r\nCisco Small Business Switches\r\n\r\nTo ensure that FHS works correctly on access ports, install a MAC ACL to deny only tagged frames (because they are not to be expected on an access port) or to permit only ARP, IPv4, and IPv6 on all access ports. The following is an example from the Cisco Sx250, 350, and 550 Series Smart Switches and the Cisco Business 250 and 350 Series Smart Switches:\r\n\r\n\r\nmac access-list extended arp-ip-ip6\r\npermit any any 806 0000 ace-priority 1\r\npermit any any 800 0000 ace-priority 2\r\npermit any any 86dd 0000 ace-priority 3\r\n\r\n\r\n CVE-2021-27861\r\nThe principle for mitigating CVE-2021-27861 is to drop any packets that cannot have their Layer 3 protocol detected using a Layer 2 ACL.\r\n\r\nThe following are examples of Layer 2 ACLs that could be implemented on access ports where FHP has been configured:\r\n\r\nCisco IOS Software \u2013 Switches\r\n\r\nNo mitigations or workarounds.\r\n\r\nCisco IOS XR Software\r\n\r\nNo mitigations or workarounds.\r\n\r\nCisco NX-OS Software\r\n\r\n\r\n!\r\ninterface Ethernet1/3\r\n switchport\r\n switchport access vlan 5\r\n mac port access-group drop_non\r\n ipv6 nd raguard attach-policy HOSTS\r\n!\r\ninterface Ethernet1/4\r\n switchport\r\n switchport access vlan 5\r\n mac port access-group drop_non\r\n ipv6 nd raguard attach-policy CSCvw92154\r\n!\r\nmac access-list drop_non\r\n 10 permit any any 0x86dd\r\n 20 permit any any ip\r\n 30 permit any any 0x806\r\n 35 permit any 0100.0ccc.cccc 0000.0000.0000\r\n 40 deny any any\r\n!\r\n\r\nCisco Small Business Switches\r\n\r\nNo mitigations or workarounds.\r\n\r\nWhile these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.",
"product_ids": [
"CSAFPID-190024"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-190024"
]
}
],
"title": "VU855201: 802.3/802.11 frame conversion can bypass First Hop Security Affecting Cisco Products"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.