Network vendors have fallen prey to vulnerabilities in Ethernet VLAN protocol implementations.

While only Cisco and Juniper Networks are confirmed to have vulnerable products at this stage, a notice published by Carnegie Mellon’s Computer Emergency Response Team (CERT) lists a large number of vendors whose status remains unknown.
Since the bug was present in the Linux kernel, any product whose operating system is based on a custom Linux could be affected.
CERT said an attacker could trick a locally connected target into routing traffic to arbitrary destinations.
“Victim devices experience either a DoS (blackholing traffic) or MitM (observing the unencrypted traffic and maybe breaking encryption)”, the advisory states.
The issue, first noticed by Etienne Champetier and posted to various Linux kernel lists, exists in Ethernet encapsulation protocols that allow for VLAN headers to be stacked, the CERT advisory stated.
“Network standards such as IEEE 802.1Q-1998 and IEEE 802.3 define a system of tagging Ethernet frames that help isolate networks to provide virtual networking capability.
“IEEE standard 802.1ad, also known as QinQ, allows for the stacking of these VLAN tags, extending the VLAN capability into multiple network segments.”
If an attacker stacks a combination of “one or more VLAN 0 (priority tag) headers and 802.2 LLC/SNAP headers” in crafted packets, they can bypass security controls implemented in Layer 2 filtering, the advisory continued.
In a traditional network environment, exploiting the vulnerability would require access to the local network.
However, as the CERT said: “In modern computing environments, such as cloud-based virtualisation and virtual networking, the L2 network capability is extended beyond the local area networks.
“This can lead to exposure of [these] vulnerabilities in unintended ways to the larger Internet.”
The vulnerabilities cover four Common Vulnerabilities and Exposures (CVE) numbers, first assigned in 2021 but only published now:
- CVE-2021-27853: Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using a combination of VLAN 0 headers and LLC/SNAP headers.
- CVE-2021-27854: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using a combination of VLAN 0 headers, LLC/SNAP headers in Ethernet to Wifi frame translation, and the reverse, Wifi to Ethernet.
- CVE-2021-27861: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers).
- CVE-2021-27862: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers).
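The following Python example is added here and is not code from CERT or any vendor. It shows why a filter that reads only the field directly after the MAC addresses does not see the protocol carried behind stacked VLAN 0 and LLC/SNAP headers, and how an inspection routine can walk those headers and flag them. The function names, finding labels, length heuristic and sample frames are constructed assumptions.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q tag and 802.1ad (QinQ) service tag
# LLC DSAP/SSAP/control for SNAP, then OUI 00-00-00 (protocol ID is an EtherType)
SNAP_PREFIX = b"\xaa\xaa\x03\x00\x00\x00"
ETH_IPV6 = 0x86DD

def naive_ethertype(frame):
    """What a filter sees if it only reads the field after the MAC addresses."""
    return struct.unpack_from("!H", frame, 12)[0]

def inspect_frame(frame, max_headers=8):
    """Walk stacked VLAN tags and LLC/SNAP; return (ethertype or None, findings)."""
    findings, off = [], 12
    for _ in range(max_headers):
        if len(frame) < off + 2:
            return None, findings + ["truncated"]
        field = struct.unpack_from("!H", frame, off)[0]
        off += 2
        if field in VLAN_TPIDS:
            if len(frame) < off + 2:
                return None, findings + ["truncated"]
            tci = struct.unpack_from("!H", frame, off)[0]
            off += 2
            if tci & 0x0FFF == 0:        # VLAN ID 0 is a priority tag
                findings.append("vlan0")
        elif field <= 1500:              # 802.3 length field: an LLC header follows
            remaining = len(frame) - off
            # Padding can make the field smaller than what remains, never larger.
            if field < 8 or field > remaining:
                findings.append("bad-length")
            if remaining < 8 or frame[off:off + 6] != SNAP_PREFIX:
                return None, findings + ["llc-other"]
            findings.append("llc-snap")
            off += 6                     # protocol ID is read on the next pass
        else:
            return field, findings
    return None, findings + ["too-many-headers"]

# Constructed sample frames: placeholder MACs, zero-filled 40-byte payload.
MACS = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
PAYLOAD = bytes(40)
SNAP = SNAP_PREFIX + struct.pack("!H", ETH_IPV6)
PLAIN = MACS + struct.pack("!H", ETH_IPV6) + PAYLOAD
STACKED = (MACS + struct.pack("!HH", 0x8100, 0) +
           struct.pack("!H", len(SNAP) + len(PAYLOAD)) + SNAP + PAYLOAD)
BAD_LEN = MACS + struct.pack("!H", 1400) + SNAP + PAYLOAD

if __name__ == "__main__":
    for name, f in [("plain", PLAIN), ("stacked", STACKED), ("bad-len", BAD_LEN)]:
        print(name, hex(naive_ethertype(f)), inspect_frame(f))
```

A filter that applies its rules to the EtherType returned by `inspect_frame`, or drops any frame with findings it has no reason to accept, treats all three sample frames as IPv6.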
Cisco said the vulnerabilities’ impact on its products is of medium severity, with a Common Vulnerability Scoring System score of 4.3.
CERT alleged Juniper Networks’ products are also vulnerable, but the vendor has not yet published an advisory.
Update: Since this article was first published, Arista Networks announced various versions of its EOS operating system, and some wifi access points, are also affected by the vulnerability.