Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.4805.2 Vulnerabilities in Layer 2 Network Security Controls Affecting Cisco Products: September 2022 6 October 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Catalyst Switches Industrial Ethernet Switches Micro Switches IOS XE Switches IOS XE Routers Nexus Switches MS Series Switches 250 Series Switches 350 Series Switches 550 Series Switches Publisher: Cisco Systems Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2021-27862 CVE-2021-27861 CVE-2021-27854 CVE-2021-27853 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX Comment: CVSS (Max): 4.7 CVE-2021-27861 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N Revision History: October 6 2022: Vendor Corrected affected product information. September 28 2022: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Vulnerabilities in Layer 2 Network Security Controls Affecting Cisco Products: September 2022 Priority: Medium Advisory ID: cisco-sa-VU855201-J3z8CKTX First Published: 2022 September 27 16:00 GMT Last Updated: 2022 October 5 18:16 GMT Version 1.1: Final Workarounds: Yes Cisco Bug IDs: CSCvw92154 CSCvw99743 CSCvx33758 CSCvx35085 CSCvx35087 CSCvx37987 CSCvz88705 CSCvz89602 CSCvz91291 CSCvz96133 CSCwa01097 CSCwa04809 CSCwa06145 CSCwa06265 CSCwa09081 CSCwa14271 CSCwa14282 CSCwa14942 CSCwa14950 CSCwa18093 CSCwa18209 CSCwa18310 CSCwb01481 CVE Names: CVE-2021-27853 CVE-2021-27854 CVE-2021-27861 CVE-2021-27862 CWEs: CWE-284 Summary o On September 27, 2022, the following vulnerabilities affecting Cisco products were disclosed by Cert/CC as part of VU855201, titled L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers : CVE-2021-27853: Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using a combination of VLAN 0 headers and LLC/SNAP headers. CVE-2021-27854: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using a combination of VLAN 0 headers, LLC/SNAP headers in Ethernet to Wifi frame translation, and in the reverse-Wifi to Ethernet. CVE-2021-27861: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers). CVE-2021-27862: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers). Exploitation of these vulnerabilities could allow an adjacent attacker to bypass configured first-hop security (FHS) features on the affected Cisco products. For more information about these vulnerabilities, see the Details section of this advisory. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX Affected Products o The Vulnerable Products section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and will contain additional platform-specific information, including workarounds (if available) and fixed software releases (if available). Any product or service not listed in the Vulnerable Products section of this advisory is to be considered not vulnerable. Vulnerable Products CVE-2021-27853 The following table lists Cisco products that are affected by the vulnerability that is described in CVE-2021-27853. See the Details section of this advisory for more information about affected configurations. Note: End of life products have not been evaluated. +-------------------+----------+------------------------------------------+ |Cisco Product |Cisco Bug |Additional Information | | |ID | | +-------------------+----------+------------------------------------------+ | Cisco IOS Software - Switches | +-------------------+----------+------------------------------------------+ |Catalyst 6500 and | | | |6800 Series |CSCwa06145|Fixed software will not be made available.| |Switches | | | +-------------------+----------+------------------------------------------+ |Catalyst Digital | | | |Building Series |CSCwa14942|Fixed software will not be made available.| |Switches | | | +-------------------+----------+------------------------------------------+ |Industrial Ethernet|CSCvw99743|Fixed software will not be made available.| |Switches | | | +-------------------+----------+------------------------------------------+ |Micro Switches |CSCwa14271|Fixed software will not be made available.| +-------------------+----------+------------------------------------------+ | Cisco IOS XE Software - Switches | +-------------------+----------+------------------------------------------+ |Catalyst 4500 |CSCwa18093|Fixed software will not be made available.| |IOS-XE Switches | | | +-------------------+----------+------------------------------------------+ | | |CSCvz91291 affects Cisco IOS XE Software | | | |releases 17.6.1 and later. A fix is | | | |available for all FHS features except | |IOS XE Switches |CSCvz91291|Dynamic ARP inspection. | | |CSCwb01481| | | | |CSCwb01481 is relevant for Dynamic ARP | | | |Inspection and impacts all releases. Fixed| | | |Software will not be made available. | +-------------------+----------+------------------------------------------+ | Cisco IOS XE Software - Routers | +-------------------+----------+------------------------------------------+ |IOS XE Routers | | | |configured with |CSCvz96133|Fixed software will not be made available.| |Ethernet virtual | | | |circuits | | | +-------------------+----------+------------------------------------------+ | Cisco IOS XR Software | +-------------------+----------+------------------------------------------+ |IOS XR Routers |CSCvz88705| | |configured with L2 |CSCvz89602|Fixed software will not be made available.| |Transport services | | | +-------------------+----------+------------------------------------------+ | Cisco Meraki - Switches | +-------------------+----------+------------------------------------------+ |MS390 |N/A |Impact is only for Dynamic ARP Inspection.| | | |Fixed software will not be made available.| +-------------------+----------+------------------------------------------+ |MS210 | | | |MS225 | | | |MS250 | | | |MS350 | | | |MS355 |N/A |Fixed software will not be made available.| |MS410 | | | |MS420 | | | |MS425 | | | |MS450 | | | +-------------------+----------+------------------------------------------+ | Cisco NX-OS Software | +-------------------+----------+------------------------------------------+ |Nexus 3000 Series |CSCvx33758|Fixed software will not be made available.| |Switches | | | +-------------------+----------+------------------------------------------+ |Nexus 5500 Platform| | | |Switches | | | |Nexus 5600 Platform|CSCvx35087|Fixed software will not be made available.| |Switches | | | |Nexus 6000 Series | | | |Switches | | | +-------------------+----------+------------------------------------------+ |Nexus 7000 Series |CSCvx35085|Fixed software will not be made available.| |Switches | | | +-------------------+----------+------------------------------------------+ |Nexus 9000 Series | | | |Switches |CSCvx33758|Fixed software will not be made available.| |(Standalone Mode) | | | +-------------------+----------+------------------------------------------+ | Cisco Small Business Switches | +-------------------+----------+------------------------------------------+ |250 Series Smart | | | |Switches | | | |350 Series Managed | | | |Switches | | | |350X Series | | | |Stackable Managed | | | |Switches |CSCvw92154|Fixed software will not be made available.| |550X Series | | | |Stackable Managed | | | |Switches | | | |Business 250 Series| | | |Smart Switches | | | |Business 350 Series| | | |Managed Switches | | | +-------------------+----------+------------------------------------------+ CVE-2021-27854 Cisco Access Points Cisco evaluated this vulnerability based on its impact on FHS features that are configured on Cisco Access Points. No impact was observed. As part of the investigation into the impact to Cisco Access Points, another vulnerability was found, and a companion advisory has been published: Cisco Access Points VLAN Bypass from Native VLAN Vulnerability . CVE-2021-27861 The following table lists Cisco products that are affected by the vulnerability that is described in CVE-2021-27861. See the Details section of this advisory for more information about affected configurations. Note : End of life products have not been evaluated. +----------------------------------+----------+---------------------------+ |Cisco Product |Cisco Bug |Additional Information | | |ID | | +----------------------------------+----------+---------------------------+ | Cisco IOS Software - Switches | +----------------------------------+----------+---------------------------+ |Catalyst 6500 and 6800 Series |CSCwa06265|Fixed software will not be | |Switches | |made available. | +----------------------------------+----------+---------------------------+ |Catalyst Digital Building Series |CSCwa14950|Fixed software will not be | |Switches | |made available. | +----------------------------------+----------+---------------------------+ |Micro Switches |CSCwa14282|Fixed software will not be | | | |made available. | +----------------------------------+----------+---------------------------+ | Cisco IOS XR Software | +----------------------------------+----------+---------------------------+ |IOS XR Routers configured with L2 |CSCwa04809|Fixed software will not be | |Transport services | |made available. | +----------------------------------+----------+---------------------------+ | Cisco Meraki - Switches | +----------------------------------+----------+---------------------------+ |MS210 | | | |MS225 | | | |MS250 | | | |MS350 | |Fixed software will not be | |MS355 |N/A |made available. | |MS410 | | | |MS420 | | | |MS425 | | | |MS450 | | | +----------------------------------+----------+---------------------------+ | Cisco NX-OS Software | +----------------------------------+----------+---------------------------+ |Nexus 3000 Series Switches |CSCwa01097|Fixed software will not be | | | |made available. | +----------------------------------+----------+---------------------------+ |Nexus 5500 Platform Switches | |Fixed software will not be | |Nexus 5600 Platform Switches |CSCwa18209|made available. | |Nexus 6000 Series Switches | | | +----------------------------------+----------+---------------------------+ |Nexus 7000 Series Switches |CSCwa18310|Fixed software will not be | | | |made available. | +----------------------------------+----------+---------------------------+ |Nexus 9000 Series Switches |CSCwa01097|Fixed software will not be | |(Standalone Mode) | |made available. | +----------------------------------+----------+---------------------------+ | Cisco Small Business Switches | +----------------------------------+----------+---------------------------+ |250 Series Smart Switches | | | |350 Series Managed Switches | | | |350X Series Stackable Managed | | | |Switches | |Fixed software will not be | |550X Series Stackable Managed |CSCwa09081|made available. | |Switches | | | |Business 250 Series Smart Switches| | | |Business 350 Series Managed | | | |Switches | | | +----------------------------------+----------+---------------------------+ CVE-2021-27862 Cisco evaluated this vulnerability based on its impact on FHS features that are configured on Cisco Access points. No impact was observed. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. CVE-2021-27853 Cisco has confirmed that this vulnerability does not affect the following Cisco products: ONT Switches Catalyst PON Series Switches IOS Switches Catalyst 1000 Series Switches IOS XE Platforms Catalyst 8000 Series Edge Platforms NX-OS Software MDS 9000 Series Multilayer Switches Nexus 1000V Series Switches Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode UCS 6x00 Series Fabric Interconnects Meraki Switches GS110 Switches MS22 Switches MS42 Switches MS120 Switches MS125 Switches MS220 Switches MS320 Switches CVE-2021-27854 Cisco has confirmed that this vulnerability does not affect the following Cisco products: Access Points AireOS Access Points Meraki Access Points CVE-2021-27861 Cisco has confirmed that this vulnerability does not affect the following Cisco products: ONT Switches Catalyst PON Series Switches IOS Switches Catalyst 1000 Series Switches Industrial Ethernet Switches IOS XE Routers IOS XE Routers when configured with Ethernet virtual circuits IOS XE Software Switches Catalyst 3650 Series Switches Catalyst 3850 Series Switches Catalyst 4500E and 4500X Series Switches Catalyst 9000 Series Switches Meraki Switches GS110 Switches MS22 Switches MS42 Switches MS120 Switches MS125 Switches MS220 Switches MS320 Switches MS390 Switches NX-OS Software MDS 9000 Series Multilayer Switches Nexus 1000V Series Switches Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode UCS 6x00 Series Fabric Interconnects CVE-2021-27862 Cisco has confirmed that this vulnerability does not affect the following Cisco products: Access Points AireOS Access Points Meraki Access Points Details o The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities. CVE-2021-27853 A vulnerability in the processing of stacked Ethernet tag headers of multiple Cisco products could allow an unauthenticated, adjacent attacker to bypass the FHS feature of an affected device. This vulnerability is due to the platforms forwarding frames when the upper-layer protocol cannot be determined to invoke a Layer 3 FHS feature. An attacker could exploit this vulnerability by sending packets with stacked VLAN Ethernet headers. A successful exploit could allow the attacker to bypass the FHS feature of an affected device. Cisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability. CVE ID: CVE-2021-27853 Security Impact Rating (SIR): Medium CVSS Base Score: 4.7 CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVE-2021-27853: Additional Details The IEEE Std 802.1Q-2018 standard incorporates a priority-tagged frame whose tag header carries priority information but no VLAN identification information. The VLAN identifier is set to 0 and is typically carried in a single 802.1Q header between the source MAC address and the Ethertype/size field. In networks where VLAN tagging is used, there is typically a single 802.1Q header between the source MAC address and the Ethertype/size field. IEEE 802.1AD has double tagging and includes the S-TAG and C-TAG headers between the source MAC address and the Ethertype/size field. The IEEE Std 802.1Q-2018 does not specify that there should be no more than two tags present, but Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols (determined by the Ethertype field), whether a packet is classified as IPv4 or IPv6, and whether it is subject to additional Layer 3 feature processing. If these things cannot be determined, the packet is forwarded based on the Layer 2 information, depending on the device configuration. Depending on the implementation of the next device that receives the frame, the frame may be dropped as invalid or the priority tags may be removed and processed. These actions are dependent on the implementation of the receiving host operating system. CVE-2021-27853: Cisco Network Operating Systems This section provides specific details about how the different affected Cisco network operating systems handle Ethernet frames with a VLAN ID 0 tag. Cisco IOS Software - Switches By default, all of the affected Cisco IOS Switches process inbound packets with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols. Note : Cisco IOS Switches that have reached end of life have not been evaluated by the Cisco Product Security Incident Response Team (PSIRT). Cisco IOS XE Software - Switches By default, Cisco Catalyst 4500E Series switches process an inbound packet with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols. The default behavior of a Cisco IOS XE Switch is to drop all traffic that has a frame header that contains a VLAN ID 0 tag. The switch only processes frames with a VLAN ID 0 tag if the access port is configured as follows: switchport voice vlan dot1p Cisco IOS XE Software - Routers Cisco IOS XE devices that are configured with service instances handle the VLAN ID 0 tag in accordance with their configurations. For VLAN-based services, the top one or two tags are inspected based on configuration and map to the appropriate service instance on the longest match rules. Service instance-based configurations that contain encapsulation dot1q priority-tagged , encapsulation dot1q priority-tagged exact , or encapsulation default are affected by this vulnerability. The order of matching a service instance for VLAN ID 0 is based on encapsulation dot1q priority-tagged first and then encapsulation default . Cisco IOS XE Software does not match on encapsulation dot1q any for VLAN ID 0 tags. Cisco IOS XR Software Cisco IOS XR Software running on Layer 2 Transport interfaces handles a VLAN ID 0 tag in accordance with the configurations applied to the device. For port-based services, the packets are forwarded with no inspection. For VLAN-based services, either the top tag or the top two tags are inspected based on configuration and map to the appropriate attachment circuit based on the longest match rules. Fore more information, see IOS XR L2VPN Services and Features . Configurations that contain encapsulation dot1q priority-tagged , encapsulation dot1q priority-tagged exact , or encapsulation default on Layer 2 Transport VLAN-based configurations are affected by this vulnerability. Cisco NX-OS Software By default, Cisco NX-OS Software processes an inbound packet with the frame header containing a VLAN ID 0 tag. The initial VLAN ID 0 tag is stripped and then processed in accordance with the rest of the packet contents. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols. Cisco Small Business Switches By default, Cisco Small Business Switches process an inbound packet with the frame header that contains a VLAN ID 0 tag. Cisco products have a limit on how many tags can be inspected to establish the upper-layer protocols. CVE-2021-27854 CVE-2021-27854 examines the way frames are converted between 802.11 and 802.3 with the injection of VLAN tags in the SNAP headers. Cisco evaluated this vulnerability for any impact to the security features on wireless access points when handling these frame conversions. Cisco found that no configured FHS features were bypassed. CVE ID: CVE-2021-27854 Security Impact Rating (SIR): Medium CVSS Base Score: 4.7 CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVE-2021-27861 A vulnerability in the Ethernet processing of multiple Cisco products could allow an unauthenticated, adjacent attacker to bypass the FHS feature of an affected device. This vulnerability is due to insufficient validation of SNAP/LLC Ethernet frames. An attacker could exploit this vulnerability by sending packets with a crafted (or not crafted, depending on the product) SNAP/LLC Ethernet header. A successful exploit could allow the attacker to bypass the FHS feature of an affected device. Cisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability for some products. CVE ID: CVE-2021-27861 Security Impact Rating (SIR): Medium CVSS Base Score: 4.7 CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVE-2021-27861: Cisco Network Operating Systems This section provides specific details about how the different affected Cisco network operating systems handle SNAP/LLC Ethernet frames. Cisco IOS Software - Switches The affected Cisco IOS Software products forward SNAP/LLC frames without additional FHS feature inspection. Cisco IOS XR Software The affected Cisco IOS XR Software products forward SNAP/LLC frames without additional FHS feature inspection. Cisco NX-OS Software The affected Cisco NX-OS Software products forward SNAP/LLC frames without any additional FHS feature inspection. Cisco Small Business Switches The affected Cisco Small Business Switches correctly apply FHS features for SNAP/LLC frames with a length field of up to 1,500. However, SNAP/LLC frames with lengths of 1,501 through 1,535 are forwarded without additional FHS feature inspection. CVE-2021-27862 CVE-2021-27862 examines the way frames are converted between 802.3 to 802.11 and the length field. Cisco evaluated this vulnerability for any impact to the security features on wireless access points when handling these frame conversions. Cisco found that no configured FHS features were bypassed. CVE ID: CVE-2021-27862 Security Impact Rating (SIR): Medium CVSS Base Score: 4.7 CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N Workarounds o There are workarounds that address some of these vulnerabilities. CVE-2021-27853 Administrators may drop packets that cannot have their ethertype detected using a Layer 2 access control list (ACL) or where tags are not expected to drop tagged traffic. If a single dot1P header is received, it will still be processed correctly if the network operating system supports it. The following are examples of Layer 2 ACLs that could be implemented on access ports where FHS has been configured: Cisco IOS Software - Switches ! mac access-list extended CSCwa14271 permit any any 0x86DD 0x0 permit any any 0x800 0x0 permit any any 0x806 0x0 deny any any ! interface GigabitEthernet1/0/1 switchport access vlan 5 switchport voice vlan dot1p ipv6 nd raguard attach-policy HOSTS mac access-group CSCwa14271 in ! Cisco IOS XE Software - Switches For Cisco IOS XE Software on switches, impact to all FHS features occurs on Cisco IOS Software releases 17.6.1 and later, but earlier than the first fixed release. The issue will not be seen if the access port VLAN also has an active switched virtual interface (SVI). If there are access ports in VLAN 5, for example, this issue will be observed only if interface vlan 5 is not configured. To mitigate this issue for vulnerable releases of Cisco IOS Software, administrators can ensure that each VLAN assigned to access ports has a corresponding SVI configured. For Cisco IOS XE Software on switches, Dynamic ARP Inspection is affected on all releases. Administrators can configure static ARP entries for the default gateways and critical servers and hosts off the segments that are being protected to protect the critical assets in the environment. Cisco IOS XE Software - Routers For configurations that have a service instance with encapsulation priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can either add the keyword exact after the encapsulation priority-tagged or filter on the ethertype field with encapsulation priority-tagged etype ipv4 , ipv6 . For environments that do not have encapsulation priority-tagged assigned to a service instance, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure a service instance that is not assigned to a bridge domain with encapsulation priority-tagged. Cisco IOS XR Software For configurations that have an l2transport sub interface configured with encapsulation dot1q|dot1ad priority-tagged and where the environment needs to examine only the first tag (depending on the platform), administrators can add the keyword exact after the encapsulation dot1q|dot1ad priority-tagged. For environments that do not have e ncapsulation dot1q|dot1ad priority-tagged assigned to an l2transport sub interface, to prevent packets that are tagged with dot1p at the front of the headers from being forwarded, administrators can configure l2transport sub interfaces that are not assigned to a bridge domain with encapsulation dot1q priority-tagged and encapsulation dot1ad priority-tagged . Cisco NX-OS Software ! mac access-list drop_three_tags deny any any 0x8100 deny any any 0x88a8 permit any any ! interface ethernet 1/4 mac port access-group drop_three_tags ! Cisco Small Business Switches To ensure that FHS works correctly on access ports, install a MAC ACL to deny only tagged frames (because they are not to be expected on an access port) or to permit only ARP, IPv4, and IPv6 on all access ports. The following is an example from the Cisco Sx250, 350, and 550 Series Smart Switches and the Cisco Business 250 and 350 Series Smart Switches: mac access-list extended arp-ip-ip6 permit any any 806 0000 ace-priority 1 permit any any 800 0000 ace-priority 2 permit any any 86dd 0000 ace-priority 3 CVE-2021-27861 The principle for mitigating CVE-2021-27861 is to drop any packets that cannot have their Layer 3 protocol detected using a Layer 2 ACL. The following are examples of Layer 2 ACLs that could be implemented on access ports where FHP has been configured: Cisco IOS Software - Switches No mitigations or workarounds. Cisco IOS XR Software No mitigations or workarounds. Cisco NX-OS Software ! interface Ethernet1/3 switchport switchport access vlan 5 mac port access-group drop_non ipv6 nd raguard attach-policy HOSTS ! interface Ethernet1/4 switchport switchport access vlan 5 mac port access-group drop_non ipv6 nd raguard attach-policy CSCvw92154 ! mac access-list drop_non 10 permit any any 0x86dd 20 permit any any ip 30 permit any any 0x806 35 permit any 0100.0ccc.cccc 0000.0000.0000 40 deny any any ! Cisco Small Business Switches No mitigations or workarounds. While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases CVE-2021-27853 At the time of publication, the release information in the following table was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Product Cisco Bug ID First Fixed Release Cisco IOS XE Switches CSCvz91291 17.6.3 17.8.1 CVE-2021-27854 Cisco evaluated this vulnerability based on its impact on FHS features configured on the access points. No impact was observed. CVE-2021-27861 At the time of publication, Cisco had not released updates that address this vulnerability for any Cisco product. CVE-2021-27862 Cisco evaluated this vulnerability based on its impact on FHS features configured on the access points. No impact was observed. The Cisco PSIRT validates only the affected and fixed release information that is documented in this advisory. Exploitation and Public Announcements o The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory. Source o Cisco would like to thank Etienne Champetier for reporting these vulnerabilities and Cert/CC for the coordination. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX Revision History o +---------+------------------------------+---------+--------+-------------+ | Version | Description | Section | Status | Date | +---------+------------------------------+---------+--------+-------------+ | 1.1 | Corrected affected product | Details | Final | 2022-OCT-05 | | | information. | | | | +---------+------------------------------+---------+--------+-------------+ | 1.0 | Initial public release. | - | Final | 2022-SEP-27 | +---------+------------------------------+---------+--------+-------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYz555ckNZI30y1K9AQjULQ/+LWk9ZRsTDVPtJGWQb6qhPPKz3sjkE/Rv hk+6WE2GgJVnYmXgmNoFNZDHMYHkI6TcWq34O5zD/tVDw+x3PJfySQxLdpCLVo0E n+HCQGSmRKZwjl7hTLsWPJwMtmzoUMDcPTj1Aq09uXYnhwXBMjEtJcYS0AmLdK2V SrL6apCZWCEBtivzHASYtldx2PLM5dv2M60flCfpBOITMCC2tVPLWZb2koTHXqAu DZKv6g8BZcG5/4LYz6KNV8lFUSoTkdSl0082LxUVJSok4mzcovL5riH/gXRYgKOF nFTjwU8M29s9lNO/+UCU99HhIscKuJynTew1V85LbVfeKL2mUjNmpgUsYwC++5k/ PPeL+rCHwccwA7iOxpQ9nTUIT+iA8yVI+ocYP0E7Kv/x5MF7oC95CZAfym6+iv4d pxTIoRxzkoEBftKKRrSgGEJrwtzflGw/UcRxF9kIGSR0PVjy2bY++mlL+niax+T+ FChQ5WbtFr689G+29vkCdsVgFcRnXeUFU1VqU+fVV2adkVQT9MfLLJtLUSnDsoVx 2Ho3NEF+JydGo1CcWm4l/LFBk1F5Rw95VDCDyEsZ3SattLZeKgng+Xd8/U/bVxvQ rTTWePSz6KVyV818wJDw9zaSfC/wKyzeXsjwf2W+Y+QsUgSdzgP6FhbSlN2595cI WvTLErnJPcA= =umeB -----END PGP SIGNATURE-----