Four vulnerabilities in the widely adopted ‘Stacked VLAN’ Ethernet feature allows attackers to perform denial-of-service (DoS) or man-in-the-middle (MitM) attacks against network targets using custom-crafted packets.
Stacked VLANs, also known as VLAN Stacking, is a feature in modern routers and switches that allows companies to encapsulate multiple VLAN IDs into a single VLAN connection shared with an upstream provider.
“With stacked VLANs, service providers can use a unique VLAN (called a service-provider VLAN ID, or SP-VLAN ID) to support customers who have multiple VLANs. Customer VLAN IDs (CE-VLAN IDs) are preserved and traffic from different customers is segregated within the service-provider infrastructure even when they appear to be on the same VLAN,” explains Cisco’s documentation on the feature.
The CERT Coordination Center disclosed the flaws yesterday after giving device vendors time to investigate, respond, and release security updates.
The vulnerabilities affect networking devices such as switches, routers, and operating systems that use Layer-2 (L2) security controls to filter traffic for virtual network isolation.
Cisco and Juniper Networks have confirmed that some of their products are impacted by the flaws, but numerous device vendors haven’t concluded their investigation; hence the overall impact remains unknown.
Problem details and implications
The vulnerabilities exist in the Ethernet encapsulation protocols that allow the stacking of Virtual Local Area Network (VLAN) headers.
An unauthenticated, adjacent attacker can use a combination of VLAN and LLC/SNAP headers to bypass L2 network filtering protections such as IPv6 RA guard, dynamic ARP inspection, IPv6 neighbor discovery protection, and DHCP snooping.
The four vulnerabilities are:
CVE-2021-27853 Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using combinations of VLAN 0 headers and LLC/SNAP headers.
CVE-2021-27854 Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using combinations of VLAN 0 headers, LLC/SNAP headers in Ethernet to Wifi frame translation, and the reverse Wifi to Ethernet.
CVE-2021-27861 Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers).
CVE-2021-27862 Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers).
By exploiting any of these flaws independently, an attacker can deceive the target device to route traffic to arbitrary destinations.
“An attacker can send crafted packets through vulnerable devices to cause Denial-of-service (DoS) or to perform a man-in-the-middle (MitM) attack against a target network,” warns the CERT Coordination Center.
The latter is the more severe scenario, as the attacker could observe network traffic and access sensitive information if the data is not encrypted.
One thing to note is that in modern cloud-based virtualization and virtual networking products, the L2 network capability extends beyond LAN, so the exposure of these flaws could be extended to the internet.
Mitigations and patches
Juniper Networks confirmed that CVE-2021-27853 and CVE-2021-27854 impact some of its products and released security updates on August 25, 2022.
The company hasn’t released a security bulletin about the issues, so all customers are advised to apply security updates to their devices.
Cisco released a security bulletin yesterday confirming that many of its network products are impacted by CVE-2021-27853 and CVE-2021-27861.
The affected products include switches, routers, and software, but fixes for most of them won’t be made available according to the tables in the advisory.
Also, end-of-life products have not been evaluated against the flaws, so they may as well be considered vulnerable and replaced as soon as possible.
All network admins are advised to scrutinize and limit the protocol used on access ports, enable all available interface security controls, inspect and block router advertisements, and apply vendor security updates as soon as they become available.