On September 27, 2022, the following vulnerabilities affecting Cisco products were disclosed by Cert/CC as part of VU855201, titled L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers: CVE-2021-27853: Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using a combination of VLAN 0 headers and LLC/SNAP headers. CVE-2021-27854: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using a combination of VLAN 0 headers, LLC/SNAP headers in Ethernet to Wifi frame translation, and in the reverse-Wifi to Ethernet. CVE-2021-27861: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers). CVE-2021-27862: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers). Exploitation of these vulnerabilities could allow an adjacent attacker to bypass configured first-hop security (FHS) features on the affected Cisco products. For more information about these vulnerabilities, see the Details section of this advisory. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX
On September 27, 2022, the following vulnerabilities affecting Cisco products were disclosed by Cert/CC as part of VU855201, titled L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers:
Exploitation of these vulnerabilities could allow an adjacent attacker to bypass configured first-hop security (FHS) features on the affected Cisco products.
For more information about these vulnerabilities, see the Details section of this advisory.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX
The Vulnerable Products section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and will contain additional platform-specific information, including workarounds (if available) and fixed software releases (if available).
Any product or service not listed in the Vulnerable Products section of this advisory is to be considered not vulnerable.
The following table lists Cisco products that are affected by the vulnerability that is described in CVE-2021-27853. See the Details section of this advisory for more information about affected configurations.
Note: End of life products have not been evaluated.
| Cisco Product | Cisco Bug ID | Additional Information |
|---|---|---|
| Cisco IOS Software - Switches | ||
| Catalyst 6500 and 6800 Series Switches | CSCwa06145 | Fixed software will not be made available. |
| Catalyst Digital Building Series Switches | CSCwa14942 | Fixed software will not be made available. |
| Industrial Ethernet Switches | CSCvw99743 | Fixed software will not be made available. |
| Micro Switches | CSCwa14271 | Fixed software will not be made available. |
| Cisco IOS XE Software - Switches | ||
| Catalyst 4500 IOS-XE Switches | CSCwa18093 | Fixed software will not be made available. |
| IOS XE Switches | CSCvz91291 CSCwb01481 |
CSCvz91291 affects Cisco IOS XE Software releases 17.6.1 and later. A fix is available for all FHS features except Dynamic ARP inspection. CSCwb01481 is relevant for Dynamic ARP Inspection and impacts all releases. Fixed Software will not be made available. |
| Cisco IOS XE Software - Routers | ||
| IOS XE Routers configured with Ethernet virtual circuits | CSCvz96133 | Fixed software will not be made available. |
| Cisco IOS XR Software | ||
| IOS XR Routers configured with L2 Transport services | CSCvz88705 CSCvz89602 |
Fixed software will not be made available. |
| Cisco Meraki - Switches | ||
| MS390 | N/A | Impact is only for Dynamic ARP Inspection. Fixed software will not be made available. |
| MS210 MS225 MS250 MS350 MS355 MS410 MS420 MS425 MS450 |
N/A | Fixed software will not be made available. |
| Cisco NX-OS Software | ||
| Nexus 3000 Series Switches | CSCvx33758 | Fixed software will not be made available. |
| Nexus 5500 Platform Switches Nexus 5600 Platform Switches Nexus 6000 Series Switches |
CSCvx35087 | Fixed software will not be made available. |
| Nexus 7000 Series Switches | CSCvx35085 | Fixed software will not be made available. |
| Nexus 9000 Series Switches (Standalone Mode) | CSCvx33758 | Fixed software will not be made available. |
| Cisco Small Business Switches | ||
| 250 Series Smart Switches 350 Series Managed Switches 350X Series Stackable Managed Switches 550X Series Stackable Managed Switches Business 250 Series Smart Switches Business 350 Series Managed Switches |
CSCvw92154 | Fixed software will not be made available. |
Cisco Access Points
Cisco evaluated this vulnerability based on its impact on FHS features that are configured on Cisco Access Points. No impact was observed.
As part of the investigation into the impact to Cisco Access Points, another vulnerability was found, and a companion advisory has been published: Cisco Access Points VLAN Bypass from Native VLAN Vulnerability.
The following table lists Cisco products that are affected by the vulnerability that is described in CVE-2021-27861. See the Details section of this advisory for more information about affected configurations.
Note: End of life products have not been evaluated.
| Cisco Product | Cisco Bug ID | Additional Information |
|---|---|---|
| Cisco IOS Software - Switches | ||
| Catalyst 6500 and 6800 Series Switches | CSCwa06265 | Fixed software will not be made available. |
| Catalyst Digital Building Series Switches | CSCwa14950 | Fixed software will not be made available. |
| Micro Switches | CSCwa14282 | Fixed software will not be made available. |
| Cisco IOS XR Software | ||
| IOS XR Routers configured with L2 Transport services | CSCwa04809 | Fixed software will not be made available. |
| Cisco Meraki - Switches | ||
| MS210 MS225 MS250 MS350 MS355 MS410 MS420 MS425 MS450 |
N/A | Fixed software will not be made available. |
| Cisco NX-OS Software | ||
| Nexus 3000 Series Switches | CSCwa01097 | Fixed software will not be made available. |
| Nexus 5500 Platform Switches Nexus 5600 Platform Switches Nexus 6000 Series Switches |
CSCwa18209 | Fixed software will not be made available. |
| Nexus 7000 Series Switches | CSCwa18310 | Fixed software will not be made available. |
| Nexus 9000 Series Switches (Standalone Mode) | CSCwa01097 | Fixed software will not be made available. |
| Cisco Small Business Switches | ||
| 250 Series Smart Switches 350 Series Managed Switches 350X Series Stackable Managed Switches 550X Series Stackable Managed Switches Business 250 Series Smart Switches Business 350 Series Managed Switches |
CSCwa09081 | Fixed software will not be made available. |
Cisco evaluated this vulnerability based on its impact on FHS features that are configured on Cisco Access points. No impact was observed.
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
ONT Switches
IOS Switches
IOS XE Platforms
NX-OS Software
Meraki Switches
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
ONT Switches
IOS Switches
IOS XE Routers
IOS XE Software Switches
Meraki Switches
NX-OS Software
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.
A vulnerability in the processing of stacked Ethernet tag headers of multiple Cisco products could allow an unauthenticated, adjacent attacker to bypass the FHS feature of an affected device.
This vulnerability is due to the platforms forwarding frames when the upper-layer protocol cannot be determined to invoke a Layer 3 FHS feature. An attacker could exploit this vulnerability by sending packets with stacked VLAN Ethernet headers. A successful exploit could allow the attacker to bypass the FHS feature of an affected device.
Cisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability.
CVE ID: CVE-2021-27853
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CVE-2021-27853: Additional Details
The IEEE Std 802.1Q-2018 standard incorporates a priority-tagged frame whose tag header carries priority information but no VLAN identification information. The VLAN identifier is set to 0 and is typically carried in a single 802.1Q header between the source MAC address and the Ethertype/size field.
In networks where VLAN tagging is used, there is typically a single 802.1Q header between the source MAC address and the Ethertype/size field. IEEE 802.1AD has double tagging and includes the S-TAG and C-TAG headers between the source MAC address and the Ethertype/size field.
The IEEE Std 802.1Q-2018 does not specify that there should be no more than two tags present, but Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols (determined by the Ethertype field), whether a packet is classified as IPv4 or IPv6, and whether it is subject to additional Layer 3 feature processing. If these things cannot be determined, the packet is forwarded based on the Layer 2 information, depending on the device configuration.
Depending on the implementation of the next device that receives the frame, the frame may be dropped as invalid or the priority tags may be removed and processed. These actions are dependent on the implementation of the receiving host operating system.
This section provides specific details about how the different affected Cisco network operating systems handle Ethernet frames with a VLAN ID 0 tag.
Cisco IOS Software - Switches
By default, all of the affected Cisco IOS Switches process inbound packets with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.
Note: Cisco IOS Switches that have reached end of life have not been evaluated by the Cisco Product Security Incident Response Team (PSIRT).
Cisco IOS XE Software - Switches
By default, Cisco Catalyst 4500E Series switches process an inbound packet with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.
The default behavior of a Cisco IOS XE Switch is to drop all traffic that has a frame header that contains a VLAN ID 0 tag. The switch only processes frames with a VLAN ID 0 tag if the access port is configured as follows:
switchport voice vlan dot1p
Cisco IOS XE Software - Routers
Cisco IOS XE devices that are configured with service instances handle the VLAN ID 0 tag in accordance with their configurations. For VLAN-based services, the top one or two tags are inspected based on configuration and map to the appropriate service instance on the longest match rules.
Service instance-based configurations that contain encapsulation dot1q priority-tagged, encapsulation dot1q priority-tagged exact, or encapsulation default are affected by this vulnerability.
The order of matching a service instance for VLAN ID 0 is based on encapsulation dot1q priority-tagged first and then encapsulation default. Cisco IOS XE Software does not match on encapsulation dot1q any for VLAN ID 0 tags.
Cisco IOS XR Software
Cisco IOS XR Software running on Layer 2 Transport interfaces handles a VLAN ID 0 tag in accordance with the configurations applied to the device. For port-based services, the packets are forwarded with no inspection. For VLAN-based services, either the top tag or the top two tags are inspected based on configuration and map to the appropriate attachment circuit based on the longest match rules. Fore more information, see IOS XR L2VPN Services and Features.
Configurations that contain encapsulation dot1q priority-tagged, encapsulation dot1q priority-tagged exact, or encapsulation default on Layer 2 Transport VLAN-based configurations are affected by this vulnerability.
Cisco NX-OS Software
By default, Cisco NX-OS Software processes an inbound packet with the frame header containing a VLAN ID 0 tag. The initial VLAN ID 0 tag is stripped and then processed in accordance with the rest of the packet contents. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.
Cisco Small Business Switches
By default, Cisco Small Business Switches process an inbound packet with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols.
CVE-2021-27854 examines the way frames are converted between 802.11 and 802.3 with the injection of VLAN tags in the SNAP headers.
Cisco evaluated this vulnerability for any impact to the security features on wireless access points when handling these frame conversions. Cisco found that no configured FHS features were bypassed.
CVE ID: CVE-2021-27854
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
A vulnerability in the Ethernet processing of multiple Cisco products could allow an unauthenticated, adjacent attacker to bypass the FHS feature of an affected device.
This vulnerability is due to insufficient validation of SNAP/LLC Ethernet frames. An attacker could exploit this vulnerability by sending packets with a crafted (or not crafted, depending on the product) SNAP/LLC Ethernet header. A successful exploit could allow the attacker to bypass the FHS feature of an affected device.
Cisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability for some products.
CVE ID: CVE-2021-27861
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
This section provides specific details about how the different affected Cisco network operating systems handle SNAP/LLC Ethernet frames.
Cisco IOS Software - Switches
The affected Cisco IOS Software products forward SNAP/LLC frames without additional FHS feature inspection.
Cisco IOS XR Software
The affected Cisco IOS XR Software products forward SNAP/LLC frames without additional FHS feature inspection.
Cisco NX-OS Software
The affected Cisco NX-OS Software products forward SNAP/LLC frames without any additional FHS feature inspection.
Cisco Small Business Switches
The affected Cisco Small Business Switches correctly apply FHS features for SNAP/LLC frames with a length field of up to 1,500. However, SNAP/LLC frames with lengths of 1,501 through 1,535 are forwarded without additional FHS feature inspection.
CVE-2021-27862 examines the way frames are converted between 802.3 to 802.11 and the length field.
Cisco evaluated this vulnerability for any impact to the security features on wireless access points when handling these frame conversions. Cisco found that no configured FHS features were bypassed.
CVE ID: CVE-2021-27862
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
There are workarounds that address some of these vulnerabilities.
Administrators may drop packets that cannot have their ethertype detected using a Layer 2 access control list (ACL) or where tags are not expected to drop tagged traffic. If a single dot1P header is received, it will still be processed correctly if the network operating system supports it.
The following are examples of Layer 2 ACLs that could be implemented on access ports where FHS has been configured:
Cisco IOS Software - Switches
!
mac access-list extended CSCwa14271
permit any any 0x86DD 0x0
permit any any 0x800 0x0
permit any any 0x806 0x0
deny any any
!
interface GigabitEthernet1/0/1
switchport access vlan 5
switchport voice vlan dot1p
ipv6 nd raguard attach-policy HOSTS
mac access-group CSCwa14271 in
!
Cisco IOS XE Software - Switches
For Cisco IOS XE Software on switches, impact to all FHS features occurs on Cisco IOS Software releases 17.6.1 and later, but earlier than the first fixed release. The issue will not be seen if the access port VLAN also has an active switched virtual interface (SVI). If there are access ports in VLAN 5, for example, this issue will be observed only if interface vlan 5 is not configured. To mitigate this issue for vulnerable releases of Cisco IOS Software, administrators can ensure that each VLAN assigned to access ports has a corresponding SVI configured.
For Cisco IOS XE Software on switches, Dynamic ARP Inspection is affected on all releases. Administrators can configure static ARP entries for the default gateways and critical servers and hosts off the segments that are being protected to protect the critical assets in the environment.
Cisco IOS XE Software - Routers
For configurations that have a service instance with encapsulation priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can either add the keyword exact after the encapsulation priority-tagged or filter on the ethertype field with encapsulation priority-tagged etype ipv4 , ipv6.
For environments that do not have encapsulation priority-tagged assigned to a service instance, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure a service instance that is not assigned to a bridge domain with encapsulation priority-tagged.
Cisco IOS XR Software
For configurations that have an l2transport sub interface configured with encapsulation dot1q|dot1ad priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can add the keyword exact after the encapsulation dot1q|dot1ad priority-tagged.
For environments that do not have encapsulation dot1q|dot1ad priority-tagged assigned to an l2transport sub interface, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure l2transport sub interfaces that are not assigned to a bridge domain with encapsulation dot1q priority-tagged and encapsulation dot1ad priority-tagged.
Cisco NX-OS Software
!
mac access-list drop_three_tags
deny any any 0x8100
deny any any 0x88a8
permit any any
!
interface ethernet 1/4
mac port access-group drop_three_tags
!
Cisco Small Business Switches
To ensure that FHS works correctly on access ports, install a MAC ACL to deny only tagged frames (because they are not to be expected on an access port) or to permit only ARP, IPv4, and IPv6 on all access ports. The following is an example from the Cisco Sx250, 350, and 550 Series Smart Switches and the Cisco Business 250 and 350 Series Smart Switches:
mac access-list extended arp-ip-ip6
permit any any 806 0000 ace-priority 1
permit any any 800 0000 ace-priority 2
permit any any 86dd 0000 ace-priority 3
The principle for mitigating CVE-2021-27861 is to drop any packets that cannot have their Layer 3 protocol detected using a Layer 2 ACL.
The following are examples of Layer 2 ACLs that could be implemented on access ports where FHP has been configured:
Cisco IOS Software - Switches
No mitigations or workarounds.
Cisco IOS XR Software
No mitigations or workarounds.
Cisco NX-OS Software
!
interface Ethernet1/3
switchport
switchport access vlan 5
mac port access-group drop_non
ipv6 nd raguard attach-policy HOSTS
!
interface Ethernet1/4
switchport
switchport access vlan 5
mac port access-group drop_non
ipv6 nd raguard attach-policy CSCvw92154
!
mac access-list drop_non
10 permit any any 0x86dd
20 permit any any ip
30 permit any any 0x806
35 permit any 0100.0ccc.cccc 0000.0000.0000
40 deny any any
!
Cisco Small Business Switches
No mitigations or workarounds.
While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
At the time of publication, the release information in the following table was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
| Product | Cisco Bug ID | First Fixed Release |
|---|---|---|
| Cisco IOS XE Switches | CSCvz91291 | 17.6.3 17.8.1 |
Cisco evaluated this vulnerability based on its impact on FHS features configured on the access points. No impact was observed.
At the time of publication, Cisco had not released updates that address this vulnerability for any Cisco product.
Cisco evaluated this vulnerability based on its impact on FHS features configured on the access points. No impact was observed.
The Cisco PSIRT validates only the affected and fixed release information that is documented in this advisory.
The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.
Cisco would like to thank Etienne Champetier for reporting these vulnerabilities and Cert/CC for the coordination.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
| Version | Description | Section | Status | Date |
|---|---|---|---|---|
| 1.1 | Corrected affected product information. | Details | Final | 2022-OCT-05 |
| 1.0 | Initial public release. | - | Final | 2022-SEP-27 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
Vulmon