-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.4805.2
           Vulnerabilities in Layer 2 Network Security Controls
                 Affecting Cisco Products: September 2022
                              6 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Catalyst Switches
                   Industrial Ethernet Switches
                   Micro Switches
                   IOS XE Switches
                   IOS XE Routers
                   Nexus Switches
                   MS Series Switches
                   250 Series Switches
                   350 Series Switches
                   550 Series Switches
Publisher:         Cisco Systems
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-27862 CVE-2021-27861 CVE-2021-27854
                   CVE-2021-27853  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX

Comment: CVSS (Max):  4.7 CVE-2021-27861 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Revision History:  October    6 2022: Vendor corrected affected product information.
                   September 28 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerabilities in Layer 2 Network Security Controls Affecting Cisco Products:
September 2022

Priority:        Medium
Advisory ID:     cisco-sa-VU855201-J3z8CKTX
First Published: 2022 September 27 16:00 GMT
Last Updated:    2022 October 5 18:16 GMT
Version 1.1:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvw92154 CSCvw99743 CSCvx33758 CSCvx35085 CSCvx35087
                 CSCvx37987 CSCvz88705 CSCvz89602 CSCvz91291 CSCvz96133
                 CSCwa01097 CSCwa04809 CSCwa06145 CSCwa06265 CSCwa09081
                 CSCwa14271 CSCwa14282 CSCwa14942 CSCwa14950 CSCwa18093
                 CSCwa18209 CSCwa18310 CSCwb01481
CVE Names:       CVE-2021-27853 CVE-2021-27854 CVE-2021-27861 CVE-2021-27862
CWEs:            CWE-284

Summary

  o On September 27, 2022, the following vulnerabilities affecting Cisco
    products were disclosed by CERT/CC as part of VU#855201, titled "L2
    network security controls can be bypassed using VLAN 0 stacking and/or
    802.3 headers":

       CVE-2021-27853: Layer 2 network filtering capabilities such as IPv6 RA
        guard or ARP inspection can be bypassed using a combination of VLAN 0
        headers and LLC/SNAP headers.
       CVE-2021-27854: Layer 2 network filtering capabilities such as IPv6 RA
        guard can be bypassed using a combination of VLAN 0 headers and
        LLC/SNAP headers in Ethernet to Wifi frame translation, and in the
        reverse direction, Wifi to Ethernet.
       CVE-2021-27861: Layer 2 network filtering capabilities such as IPv6 RA
        guard can be bypassed using LLC/SNAP headers with invalid length (and
        optionally VLAN0 headers).
       CVE-2021-27862: Layer 2 network filtering capabilities such as IPv6 RA
        guard can be bypassed using LLC/SNAP headers with invalid length and
        Ethernet to Wifi frame conversion (and optionally VLAN0 headers).

    Exploitation of these vulnerabilities could allow an adjacent attacker to
    bypass configured first-hop security (FHS) features on the affected Cisco
    products.

    For more information about these vulnerabilities, see the Details section
    of this advisory.

    This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX

Affected Products

  o The Vulnerable Products section includes Cisco bug IDs for each affected
    product. The bugs are accessible through the Cisco Bug Search Tool and will
    contain additional platform-specific information, including workarounds (if
    available) and fixed software releases (if available).

    Any product or service not listed in the Vulnerable Products section of
    this advisory is to be considered not vulnerable.

    Vulnerable Products

    CVE-2021-27853

    The following table lists Cisco products that are affected by the
    vulnerability that is described in CVE-2021-27853. See the Details section
    of this advisory for more information about affected configurations.

    Note: End of life products have not been evaluated.

    +-------------------+----------+------------------------------------------+
    |Cisco Product      |Cisco Bug |Additional Information                    |
    |                   |ID        |                                          |
    +-------------------+----------+------------------------------------------+
    |                      Cisco IOS Software - Switches                      |
    +-------------------+----------+------------------------------------------+
    |Catalyst 6500 and  |          |                                          |
    |6800 Series        |CSCwa06145|Fixed software will not be made available.|
    |Switches           |          |                                          |
    +-------------------+----------+------------------------------------------+
    |Catalyst Digital   |          |                                          |
    |Building Series    |CSCwa14942|Fixed software will not be made available.|
    |Switches           |          |                                          |
    +-------------------+----------+------------------------------------------+
    |Industrial Ethernet|CSCvw99743|Fixed software will not be made available.|
    |Switches           |          |                                          |
    +-------------------+----------+------------------------------------------+
    |Micro Switches     |CSCwa14271|Fixed software will not be made available.|
    +-------------------+----------+------------------------------------------+
    |                    Cisco IOS XE Software - Switches                     |
    +-------------------+----------+------------------------------------------+
    |Catalyst 4500      |CSCwa18093|Fixed software will not be made available.|
    |IOS-XE Switches    |          |                                          |
    +-------------------+----------+------------------------------------------+
    |                   |          |CSCvz91291 affects Cisco IOS XE Software  |
    |                   |          |releases 17.6.1 and later. A fix is       |
    |                   |          |available for all FHS features except     |
    |IOS XE Switches    |CSCvz91291|Dynamic ARP inspection.                   |
    |                   |CSCwb01481|                                          |
    |                   |          |CSCwb01481 is relevant for Dynamic ARP    |
    |                   |          |Inspection and impacts all releases. Fixed|
    |                   |          |Software will not be made available.      |
    +-------------------+----------+------------------------------------------+
    |                     Cisco IOS XE Software - Routers                     |
    +-------------------+----------+------------------------------------------+
    |IOS XE Routers     |          |                                          |
    |configured with    |CSCvz96133|Fixed software will not be made available.|
    |Ethernet virtual   |          |                                          |
    |circuits           |          |                                          |
    +-------------------+----------+------------------------------------------+
    |                          Cisco IOS XR Software                          |
    +-------------------+----------+------------------------------------------+
    |IOS XR Routers     |CSCvz88705|                                          |
    |configured with L2 |CSCvz89602|Fixed software will not be made available.|
    |Transport services |          |                                          |
    +-------------------+----------+------------------------------------------+
    |                         Cisco Meraki - Switches                         |
    +-------------------+----------+------------------------------------------+
    |MS390              |N/A       |Impact is only for Dynamic ARP Inspection.|
    |                   |          |Fixed software will not be made available.|
    +-------------------+----------+------------------------------------------+
    |MS210              |          |                                          |
    |MS225              |          |                                          |
    |MS250              |          |                                          |
    |MS350              |          |                                          |
    |MS355              |N/A       |Fixed software will not be made available.|
    |MS410              |          |                                          |
    |MS420              |          |                                          |
    |MS425              |          |                                          |
    |MS450              |          |                                          |
    +-------------------+----------+------------------------------------------+
    |                          Cisco NX-OS Software                           |
    +-------------------+----------+------------------------------------------+
    |Nexus 3000 Series  |CSCvx33758|Fixed software will not be made available.|
    |Switches           |          |                                          |
    +-------------------+----------+------------------------------------------+
    |Nexus 5500 Platform|          |                                          |
    |Switches           |          |                                          |
    |Nexus 5600 Platform|CSCvx35087|Fixed software will not be made available.|
    |Switches           |          |                                          |
    |Nexus 6000 Series  |          |                                          |
    |Switches           |          |                                          |
    +-------------------+----------+------------------------------------------+
    |Nexus 7000 Series  |CSCvx35085|Fixed software will not be made available.|
    |Switches           |          |                                          |
    +-------------------+----------+------------------------------------------+
    |Nexus 9000 Series  |          |                                          |
    |Switches           |CSCvx33758|Fixed software will not be made available.|
    |(Standalone Mode)  |          |                                          |
    +-------------------+----------+------------------------------------------+
    |                      Cisco Small Business Switches                      |
    +-------------------+----------+------------------------------------------+
    |250 Series Smart   |          |                                          |
    |Switches           |          |                                          |
    |350 Series Managed |          |                                          |
    |Switches           |          |                                          |
    |350X Series        |          |                                          |
    |Stackable Managed  |          |                                          |
    |Switches           |CSCvw92154|Fixed software will not be made available.|
    |550X Series        |          |                                          |
    |Stackable Managed  |          |                                          |
    |Switches           |          |                                          |
    |Business 250 Series|          |                                          |
    |Smart Switches     |          |                                          |
    |Business 350 Series|          |                                          |
    |Managed Switches   |          |                                          |
    +-------------------+----------+------------------------------------------+

    CVE-2021-27854

    Cisco Access Points

    Cisco evaluated this vulnerability based on its impact on FHS features that
    are configured on Cisco Access Points. No impact was observed.

    As part of the investigation into the impact to Cisco Access Points,
    another vulnerability was found, and a companion advisory has been
    published: Cisco Access Points VLAN Bypass from Native VLAN Vulnerability.

    CVE-2021-27861

    The following table lists Cisco products that are affected by the
    vulnerability that is described in CVE-2021-27861. See the Details section
    of this advisory for more information about affected configurations.

    Note: End of life products have not been evaluated.

    +----------------------------------+----------+---------------------------+
    |Cisco Product                     |Cisco Bug |Additional Information     |
    |                                  |ID        |                           |
    +----------------------------------+----------+---------------------------+
    |                      Cisco IOS Software - Switches                      |
    +----------------------------------+----------+---------------------------+
    |Catalyst 6500 and 6800 Series     |CSCwa06265|Fixed software will not be |
    |Switches                          |          |made available.            |
    +----------------------------------+----------+---------------------------+
    |Catalyst Digital Building Series  |CSCwa14950|Fixed software will not be |
    |Switches                          |          |made available.            |
    +----------------------------------+----------+---------------------------+
    |Micro Switches                    |CSCwa14282|Fixed software will not be |
    |                                  |          |made available.            |
    +----------------------------------+----------+---------------------------+
    |                          Cisco IOS XR Software                          |
    +----------------------------------+----------+---------------------------+
    |IOS XR Routers configured with L2 |CSCwa04809|Fixed software will not be |
    |Transport services                |          |made available.            |
    +----------------------------------+----------+---------------------------+
    |                         Cisco Meraki - Switches                         |
    +----------------------------------+----------+---------------------------+
    |MS210                             |          |                           |
    |MS225                             |          |                           |
    |MS250                             |          |                           |
    |MS350                             |          |Fixed software will not be |
    |MS355                             |N/A       |made available.            |
    |MS410                             |          |                           |
    |MS420                             |          |                           |
    |MS425                             |          |                           |
    |MS450                             |          |                           |
    +----------------------------------+----------+---------------------------+
    |                          Cisco NX-OS Software                           |
    +----------------------------------+----------+---------------------------+
    |Nexus 3000 Series Switches        |CSCwa01097|Fixed software will not be |
    |                                  |          |made available.            |
    +----------------------------------+----------+---------------------------+
    |Nexus 5500 Platform Switches      |          |Fixed software will not be |
    |Nexus 5600 Platform Switches      |CSCwa18209|made available.            |
    |Nexus 6000 Series Switches        |          |                           |
    +----------------------------------+----------+---------------------------+
    |Nexus 7000 Series Switches        |CSCwa18310|Fixed software will not be |
    |                                  |          |made available.            |
    +----------------------------------+----------+---------------------------+
    |Nexus 9000 Series Switches        |CSCwa01097|Fixed software will not be |
    |(Standalone Mode)                 |          |made available.            |
    +----------------------------------+----------+---------------------------+
    |                      Cisco Small Business Switches                      |
    +----------------------------------+----------+---------------------------+
    |250 Series Smart Switches         |          |                           |
    |350 Series Managed Switches       |          |                           |
    |350X Series Stackable Managed     |          |                           |
    |Switches                          |          |Fixed software will not be |
    |550X Series Stackable Managed     |CSCwa09081|made available.            |
    |Switches                          |          |                           |
    |Business 250 Series Smart Switches|          |                           |
    |Business 350 Series Managed       |          |                           |
    |Switches                          |          |                           |
    +----------------------------------+----------+---------------------------+

    CVE-2021-27862

    Cisco evaluated this vulnerability based on its impact on FHS features that
    are configured on Cisco Access points. No impact was observed.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    CVE-2021-27853

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

    ONT Switches

       Catalyst PON Series Switches

    IOS Switches

       Catalyst 1000 Series Switches

    IOS XE Platforms

       Catalyst 8000 Series Edge Platforms

    NX-OS Software

       MDS 9000 Series Multilayer Switches
       Nexus 1000V Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6x00 Series Fabric Interconnects

    Meraki Switches

       GS110 Switches
       MS22 Switches
       MS42 Switches
       MS120 Switches
       MS125 Switches
       MS220 Switches
       MS320 Switches

    CVE-2021-27854

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Access Points
       AireOS Access Points
       Meraki Access Points

    CVE-2021-27861

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

    ONT Switches

       Catalyst PON Series Switches

    IOS Switches

       Catalyst 1000 Series Switches
       Industrial Ethernet Switches

    IOS XE Routers

       IOS XE Routers when configured with Ethernet virtual circuits

    IOS XE Software Switches

       Catalyst 3650 Series Switches
       Catalyst 3850 Series Switches
       Catalyst 4500E and 4500X Series Switches
       Catalyst 9000 Series Switches

    Meraki Switches

       GS110 Switches
       MS22 Switches
       MS42 Switches
       MS120 Switches
       MS125 Switches
       MS220 Switches
       MS320 Switches
       MS390 Switches

    NX-OS Software

       MDS 9000 Series Multilayer Switches
       Nexus 1000V Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6x00 Series Fabric Interconnects

    CVE-2021-27862

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Access Points
       AireOS Access Points
       Meraki Access Points

Details

  o The vulnerabilities are not dependent on one another. Exploitation of one
    of the vulnerabilities is not required to exploit another vulnerability. In
    addition, a software release that is affected by one of the vulnerabilities
    may not be affected by the other vulnerabilities.

    CVE-2021-27853

    A vulnerability in the processing of stacked Ethernet tag headers of
    multiple Cisco products could allow an unauthenticated, adjacent attacker
    to bypass the FHS feature of an affected device.

    This vulnerability is due to the platforms forwarding frames when the
    upper-layer protocol cannot be determined to invoke a Layer 3 FHS feature.
    An attacker could exploit this vulnerability by sending packets with
    stacked VLAN Ethernet headers. A successful exploit could allow the
    attacker to bypass the FHS feature of an affected device.

    Cisco has not released software updates that address this vulnerability.
    There are workarounds that address this vulnerability.

    CVE ID: CVE-2021-27853
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 4.7
    CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

    CVE-2021-27853: Additional Details

    The IEEE Std 802.1Q-2018 standard incorporates a priority-tagged frame
    whose tag header carries priority information but no VLAN identification
    information. The VLAN identifier is set to 0 and is typically carried in a
    single 802.1Q header between the source MAC address and the Ethertype/size 
    field.

    In networks where VLAN tagging is used, there is typically a single 802.1Q
    header between the source MAC address and the Ethertype/size field. IEEE
    802.1AD has double tagging and includes the S-TAG and C-TAG headers between
    the source MAC address and the Ethertype/size field.

    The IEEE Std 802.1Q-2018 does not specify that there should be no more than
    two tags present, but Cisco products have a limit on how many tags can be
    inspected to establish the upper-layer protocols (determined by the
    Ethertype field), whether a packet is classified as IPv4 or IPv6, and
    whether it is subject to additional Layer 3 feature processing. If these
    things cannot be determined, the packet is forwarded based on the Layer 2
    information, depending on the device configuration.

    Depending on the implementation of the next device that receives the frame,
    the frame may be dropped as invalid or the priority tags may be removed and
    processed. These actions are dependent on the implementation of the
    receiving host operating system.

    CVE-2021-27853: Cisco Network Operating Systems

    This section provides specific details about how the different affected
    Cisco network operating systems handle Ethernet frames with a VLAN ID 0
    tag.

    Cisco IOS Software - Switches

    By default, all of the affected Cisco IOS Switches process inbound packets
    with the frame header that contains a VLAN ID 0 tag. Cisco products have a
    limit on how many tags can be inspected to establish the upper-layer
    protocols.

    Note: Cisco IOS Switches that have reached end of life have not been
    evaluated by the Cisco Product Security Incident Response Team (PSIRT).

    Cisco IOS XE Software - Switches

    By default, Cisco Catalyst 4500E Series switches process an inbound packet
    with the frame header that contains a VLAN ID 0 tag. Cisco products have a
    limit on how many tags can be inspected to establish the upper-layer
    protocols.

    The default behavior of a Cisco IOS XE Switch is to drop all traffic that
    has a frame header that contains a VLAN ID 0 tag. The switch only processes
    frames with a VLAN ID 0 tag if the access port is configured as follows:

        switchport voice vlan dot1p

    Cisco IOS XE Software - Routers

    Cisco IOS XE devices that are configured with service instances handle the
    VLAN ID 0 tag in accordance with their configurations. For VLAN-based
    services, the top one or two tags are inspected based on configuration and
    map to the appropriate service instance on the longest match rules.

    Service instance-based configurations that contain encapsulation dot1q
    priority-tagged, encapsulation dot1q priority-tagged exact, or
    encapsulation default are affected by this vulnerability.

    The order of matching a service instance for VLAN ID 0 is based on
    encapsulation dot1q priority-tagged first and then encapsulation default.
    Cisco IOS XE Software does not match on encapsulation dot1q any for VLAN ID
    0 tags.

    Cisco IOS XR Software

    Cisco IOS XR Software running on Layer 2 Transport interfaces handles a
    VLAN ID 0 tag in accordance with the configurations applied to the device.
    For port-based services, the packets are forwarded with no inspection. For
    VLAN-based services, either the top tag or the top two tags are inspected
    based on configuration and map to the appropriate attachment circuit based
    on the longest match rules. For more information, see IOS XR L2VPN
    Services and Features.

    Configurations that contain encapsulation dot1q priority-tagged,
    encapsulation dot1q priority-tagged exact, or encapsulation default on
    Layer 2 Transport VLAN-based configurations are affected by this
    vulnerability.

    Cisco NX-OS Software

    By default, Cisco NX-OS Software processes an inbound packet with the frame
    header containing a VLAN ID 0 tag. The initial VLAN ID 0 tag is stripped
    and then processed in accordance with the rest of the packet contents.
    Cisco products have a limit on how many tags can be inspected to establish
    the upper-layer protocols.

    Cisco Small Business Switches

    By default, Cisco Small Business Switches process an inbound packet with
    the frame header that contains a VLAN ID 0 tag. Cisco products have a limit
    on how many tags can be inspected to establish the upper-layer protocols.

    CVE-2021-27854

    CVE-2021-27854 examines the way frames are converted between 802.11 and
    802.3 with the injection of VLAN tags in the SNAP headers.

    Cisco evaluated this vulnerability for any impact to the security features
    on wireless access points when handling these frame conversions. Cisco
    found that no configured FHS features were bypassed.

    CVE ID: CVE-2021-27854
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 4.7
    CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

    CVE-2021-27861

    A vulnerability in the Ethernet processing of multiple Cisco products could
    allow an unauthenticated, adjacent attacker to bypass the FHS feature of an
    affected device.

    This vulnerability is due to insufficient validation of SNAP/LLC Ethernet
    frames. An attacker could exploit this vulnerability by sending packets
    with a crafted (or not crafted, depending on the product) SNAP/LLC Ethernet
    header. A successful exploit could allow the attacker to bypass the FHS
    feature of an affected device.

    Cisco has not released software updates that address this vulnerability.
    There are workarounds that address this vulnerability for some products.

    CVE ID: CVE-2021-27861
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 4.7
    CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

    CVE-2021-27861: Cisco Network Operating Systems

    This section provides specific details about how the different affected
    Cisco network operating systems handle SNAP/LLC Ethernet frames.

    Cisco IOS Software - Switches

    The affected Cisco IOS Software products forward SNAP/LLC frames without
    additional FHS feature inspection.

    Cisco IOS XR Software

    The affected Cisco IOS XR Software products forward SNAP/LLC frames without
    additional FHS feature inspection.

    Cisco NX-OS Software

    The affected Cisco NX-OS Software products forward SNAP/LLC frames without
    any additional FHS feature inspection.

    Cisco Small Business Switches

    The affected Cisco Small Business Switches correctly apply FHS features for
    SNAP/LLC frames with a length field of up to 1,500. However, SNAP/LLC
    frames with lengths of 1,501 through 1,535 are forwarded without additional
    FHS feature inspection.
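    The following Python script is an added worked example, not Cisco's code
    and not part of the original advisory. It builds the frame shapes that
    the Details section describes for CVE-2021-27853 (priority-tagged VLAN
    ID 0 headers stacked deeper than a platform inspects) and CVE-2021-27861
    (IPv6 carried inside an LLC/SNAP header, both with a valid 802.3 length
    field and with a forged length in the undefined 1501 through 1535 range),
    then models the affected decision, FHS inspection only when the
    upper-layer protocol was resolved, next to the Layer 2 ACL workaround
    from the Workarounds section, which permits only ARP, IPv4 and IPv6. The
    inspection depth of two tags, the single priority tag stripped before
    ACL matching, the resolves_snap flag standing in for the Small Business
    switch behaviour, and the sample MAC addresses and IPv6 stub payload are
    assumptions constructed for the example; the advisory does not publish
    per-platform tag limits.

```python
"""Added example (not Cisco's code): how a switch resolves a frame's upper-layer
protocol through stacked 802.1Q/802.1ad tags and LLC/SNAP headers, why VLAN 0
stacking (CVE-2021-27853) and LLC/SNAP frames or a 1501-1535 length field
(CVE-2021-27861) leave it unresolved, and what the Layer 2 ACL workaround sees."""
import struct

ETH_P_8021Q, ETH_P_8021AD = 0x8100, 0x88A8
ETH_P_IP, ETH_P_ARP, ETH_P_IPV6 = 0x0800, 0x0806, 0x86DD
TAG_TPIDS = {ETH_P_8021Q, ETH_P_8021AD}
FHS_PROTOCOLS = {ETH_P_IP, ETH_P_ARP, ETH_P_IPV6}  # what RA guard, DAI, IP guard act on
MAX_8023_LENGTH = 1500  # largest valid IEEE 802.3 length field
MIN_ETHERTYPE = 1536    # smallest value IEEE 802.3 treats as an Ethertype
LLC_SNAP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])  # DSAP, SSAP, CTRL, OUI 00-00-00

# Constructed sample data (assumption): locally administered source MAC, the IPv6
# all-nodes multicast MAC as destination, and an IPv6 header (next header 58 =
# ICMPv6, hop limit 255) plus an 8-byte ICMPv6 stub standing in for an RA.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("333300000001")
IPV6_PAYLOAD = bytes.fromhex("6000000000083aff") + bytes(32) + bytes(8)

def vlan_tag(vid=0, pcp=0, tpid=ETH_P_8021Q):
    """One tag header: TPID then TCI (PCP:3 DEI:1 VID:12). VID 0 = priority-tagged."""
    return struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))

def eth2_frame(ethertype, payload, tags=()):
    """Ethernet II frame with an optional stack of tags in front of the Ethertype."""
    return DST_MAC + SRC_MAC + b"".join(tags) + struct.pack("!H", ethertype) + payload

def llc_snap_frame(ethertype, payload, length=None, tags=()):
    """IEEE 802.3 frame: length field, LLC/SNAP header carrying the Ethertype, payload.
    length=None writes the true length; any other value forges the field."""
    body = LLC_SNAP + struct.pack("!H", ethertype) + payload
    field = len(body) if length is None else length
    return DST_MAC + SRC_MAC + b"".join(tags) + struct.pack("!H", field) + body

def classify(frame, max_tags):
    """Resolve the upper-layer protocol as a switch that inspects at most max_tags
    stacked tags would. Returns (ethertype or None, tags walked, reason)."""
    off, tags = 12, 0
    while True:
        if off + 2 > len(frame):
            return None, tags, "truncated"
        field = struct.unpack_from("!H", frame, off)[0]
        if field not in TAG_TPIDS:
            break
        if tags == max_tags:
            return None, tags, "tag depth exceeded"  # CVE-2021-27853: forwarded on L2 info
        tags, off = tags + 1, off + 4
    if field >= MIN_ETHERTYPE:
        return field, tags, "ethernet ii"
    if field > MAX_8023_LENGTH:
        return None, tags, "length 1501-1535 undefined"  # CVE-2021-27861 on Sx switches
    hdr = frame[off + 2:off + 10]
    if hdr[:6] == LLC_SNAP and len(hdr) == 8:
        return struct.unpack("!H", hdr[6:])[0], tags, "llc/snap"
    return None, tags, "llc without snap"

def fhs_inspects(frame, max_tags, resolves_snap):
    """Affected behaviour: an FHS feature runs only when the protocol was resolved,
    otherwise the frame is forwarded on Layer 2 information. resolves_snap=True
    models the Small Business switches, which apply FHS to LLC/SNAP frames with a
    valid length; the affected IOS, IOS XR and NX-OS products do not (assumption
    drawn from the Details section of the advisory)."""
    proto, _, reason = classify(frame, max_tags)
    if reason == "llc/snap" and not resolves_snap:
        return False
    return proto in FHS_PROTOCOLS

def mac_acl_permits(frame, permitted=FHS_PROTOCOLS, strip_tags=1):
    """The workaround MAC ACL (permit ARP/IPv4/IPv6, deny everything else) matched
    against the type/length field left after the platform strips at most strip_tags
    priority tags (assumed: one). A further TPID or an 802.3 length value matches
    no permit entry, so stacked and LLC/SNAP frames are dropped before FHS."""
    off = 12
    for _ in range(strip_tags):
        if struct.unpack_from("!H", frame, off)[0] in TAG_TPIDS:
            off += 4
    return struct.unpack_from("!H", frame, off)[0] in permitted

def demo():
    """Return {case: (FHS inspects it on the modelled platform, workaround ACL permits it)}."""
    ra = ETH_P_IPV6, IPV6_PAYLOAD
    cases = {  # frame, tag inspection depth (assumed 2), platform resolves LLC/SNAP
        "ra plain":            (eth2_frame(*ra), 2, True),
        "ra 1x vlan0":         (eth2_frame(*ra, [vlan_tag(0)]), 2, True),
        "ra 3x vlan0":         (eth2_frame(*ra, [vlan_tag(0)] * 3), 2, True),
        "ra llc/snap on ios":  (llc_snap_frame(*ra), 2, False),
        "ra llc/snap on sx":   (llc_snap_frame(*ra), 2, True),
        "ra llc/snap len1510": (llc_snap_frame(*ra, length=1510), 2, True),
    }
    return {n: (fhs_inspects(f, d, s), mac_acl_permits(f)) for n, (f, d, s) in cases.items()}

if __name__ == "__main__":
    for name, (inspected, permitted) in demo().items():
        print(f"{name:22} FHS inspects: {str(inspected):5}  workaround ACL permits: {permitted}")
```

    Running the script prints, for each constructed frame, whether an FHS
    feature gets to see it on the modelled platform and whether the
    workaround ACL would admit it. The two LLC/SNAP rows show why the ACL
    has to reject well-formed 802.3 frames on access ports as well as
    stacked ones: the IOS, IOS XR and NX-OS products listed under
    CVE-2021-27861 forward them uninspected whatever the length field says,
    and the Small Business switches do so for lengths 1501 through 1535.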

    CVE-2021-27862

    CVE-2021-27862 examines the way frames are converted from 802.3 to 802.11
    and how the length field is handled in that conversion.

    Cisco evaluated this vulnerability for any impact to the security features
    on wireless access points when handling these frame conversions. Cisco
    found that no configured FHS features were bypassed.

    CVE ID: CVE-2021-27862
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 4.7
    CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Workarounds

  o There are workarounds that address some of these vulnerabilities.

    CVE-2021-27853

    Administrators can use a Layer 2 access control list (ACL) to drop frames
    whose Ethertype cannot be determined, or, on ports where tagged traffic is
    not expected, to drop tagged traffic altogether. A frame that carries a
    single dot1p (VLAN ID 0) header will still be processed correctly if the
    network operating system supports it.

    The following are examples of Layer 2 ACLs that could be implemented on
    access ports where FHS has been configured:

    Cisco IOS Software - Switches

        !
        ! Permit only frames whose Ethertype is IPv6, IPv4 or ARP (mask 0x0 is
        ! an exact match). A frame carrying more tags than the platform strips
        ! presents a tag TPID (0x8100/0x88A8) in the Ethertype position and is
        ! denied before it reaches RA guard.
        mac access-list extended CSCwa14271
         permit any any 0x86DD 0x0
         permit any any 0x800 0x0
         permit any any 0x806 0x0
         deny   any any
        !
        interface GigabitEthernet1/0/1
         switchport access vlan 5
         switchport voice vlan dot1p
         ipv6 nd raguard attach-policy HOSTS
         mac access-group CSCwa14271 in
        !

    Cisco IOS XE Software - Switches

    For Cisco IOS XE Software on switches, impact to all FHS features occurs on
    Cisco IOS XE Software releases 17.6.1 and later, but earlier than the first
    fixed release. The issue will not be seen if the access port VLAN also has
    an active switched virtual interface (SVI). If there are access ports in
    VLAN 5, for example, this issue will be observed only if interface vlan 5
    is not configured. To mitigate this issue for vulnerable releases of Cisco
    IOS XE Software, administrators can ensure that each VLAN assigned to
    access ports has a corresponding SVI configured.

    For Cisco IOS XE Software on switches, Dynamic ARP Inspection is affected
    on all releases. Administrators can configure static ARP entries for the
    default gateways and critical servers and hosts off the segments that are
    being protected to protect the critical assets in the environment.

    Cisco IOS XE Software - Routers

    For configurations that have a service instance with encapsulation
    priority-tagged and where the environment needs to examine only the first
    tag (depending on the platform), administrators can either add the keyword
    exact after encapsulation priority-tagged or filter on the Ethertype field
    with encapsulation priority-tagged etype ipv4 or encapsulation
    priority-tagged etype ipv6.

    For environments that do not have encapsulation priority-tagged assigned to
    a service instance, administrators can configure a service instance with
    encapsulation priority-tagged that is not assigned to a bridge domain, so
    that packets carrying a dot1p tag at the front of the headers match it and
    are not forwarded.

    Cisco IOS XR Software

    For configurations that have an l2transport sub interface configured with
    encapsulation dot1q|dot1ad priority-tagged and where the environment needs
    to examine only the first tag (depending on the platform), administrators
    can add the keyword exact after the encapsulation dot1q|dot1ad
    priority-tagged.

    For environments that do not have encapsulation dot1q|dot1ad
    priority-tagged assigned to an l2transport sub interface, to prevent
    packets that are tagged with dot1p at the front of the headers from being
    forwarded, administrators can configure l2transport sub interfaces that are
    not assigned to a bridge domain with encapsulation dot1q priority-tagged
    and encapsulation dot1ad priority-tagged.

    Cisco NX-OS Software

        !
        mac access-list drop_three_tags
         deny any any 0x8100
         deny any any 0x88a8
         permit any any
        !
        interface ethernet 1/4
         mac port access-group drop_three_tags
        !


    Cisco Small Business Switches

    To ensure that FHS works correctly on access ports, install a MAC ACL to
    deny only tagged frames (because they are not to be expected on an access
    port) or to permit only ARP, IPv4, and IPv6 on all access ports. The
    following is an example from the Cisco Sx250, 350, and 550 Series Smart
    Switches and the Cisco Business 250 and 350 Series Smart Switches:

        mac access-list extended arp-ip-ip6
         permit any any 806 0000 ace-priority 1
         permit any any 800 0000 ace-priority 2
         permit any any 86dd 0000 ace-priority 3

    CVE-2021-27861

    The principle for mitigating CVE-2021-27861 is to use a Layer 2 ACL to drop
    any frame whose Layer 3 protocol cannot be determined.

    The following are examples of Layer 2 ACLs that could be implemented on
    access ports where FHS has been configured:

    Cisco IOS Software - Switches

    No mitigations or workarounds.

    Cisco IOS XR Software

    No mitigations or workarounds.

    Cisco NX-OS Software

        !
        interface Ethernet1/3
          switchport
          switchport access vlan 5
          mac port access-group drop_non
          ipv6 nd raguard attach-policy HOSTS
        !
        interface Ethernet1/4
          switchport
          switchport access vlan 5
          mac port access-group drop_non
          ipv6 nd raguard attach-policy CSCvw92154
        !
        mac access-list drop_non
          10 permit any any 0x86dd
          20 permit any any ip
          30 permit any any 0x806
          35 permit any 0100.0ccc.cccc 0000.0000.0000
          40 deny any any
        !
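    The following Python model is an added example, not Cisco's code. It
    illustrates the principle stated above for CVE-2021-27861 and the two NX-OS
    MAC ACLs in this section (drop_three_tags, which denies tagged frames, and
    drop_non, which permits only recognisable protocols). It builds constructed
    Ethernet frames with and without 802.1Q/802.1ad tags and evaluates them
    against first-match models of both lists. Two assumptions are made: a MAC
    ACL's protocol match tests the EtherType immediately following the source
    MAC, so a tagged frame presents 0x8100 or 0x88a8 there rather than its
    IP or ARP type; and in an NX-OS MAC mask a set bit means "don't care", so
    the all-zero mask on the 0100.0ccc.cccc entry is an exact match. The MAC
    addresses and payloads are constructed.

```python
"""Model of the Layer 2 ACL principle used for CVE-2021-27861: drop frames whose
Layer 3 protocol a MAC ACL cannot see. Added example, not Cisco's code.
Assumption: the ACL protocol match tests the EtherType right after the source
MAC, so a tagged frame presents 0x8100/0x88a8 there, never its IP/ARP type."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
TPID_8021Q, TPID_8021AD = 0x8100, 0x88A8
CISCO_PROTO_MAC = bytes.fromhex("01000ccccccc")   # 0100.0ccc.cccc (CDP/VTP/DTP/UDLD)
HOST_MAC = bytes.fromhex("0200a1b2c3d4")          # constructed addresses
GW_MAC = bytes.fromhex("02005e000001")
BCAST = b"\xff" * 6

# (action, destination MAC, destination mask, EtherType); None means "any".
# NX-OS mask bits set to 1 are "don't care" (assumption of this model), so an
# all-zero mask is an exact match.
Entry = Tuple[str, Optional[bytes], Optional[bytes], Optional[int]]

# Model of 'mac access-list drop_three_tags': a blocklist of tagged frames.
DROP_THREE_TAGS: List[Entry] = [
    ("deny", None, None, TPID_8021Q),             # deny any any 0x8100
    ("deny", None, None, TPID_8021AD),            # deny any any 0x88a8
    ("permit", None, None, None),                 # permit any any
]

# Model of 'mac access-list drop_non': an allowlist of recognisable protocols.
DROP_NON: List[Entry] = [
    ("permit", None, None, ETH_IPV6),             # 10 permit any any 0x86dd
    ("permit", None, None, ETH_IPV4),             # 20 permit any any ip
    ("permit", None, None, ETH_ARP),              # 30 permit any any 0x806
    ("permit", CISCO_PROTO_MAC, bytes(6), None),  # 35 permit any 0100.0ccc.cccc 0000.0000.0000
    ("deny", None, None, None),                   # 40 deny any any
]


def build_frame(dst, src, tags, ethertype, payload=b"\x00" * 8) -> bytes:
    """dst|src|[TPID,TCI]...|EtherType|payload. Tags are (TPID, VID), outermost
    first; VID 0 with TPID 0x8100 is a priority-tagged (dot1p) frame."""
    frame = dst + src
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def first_ethertype(frame: bytes) -> int:
    """The 16-bit field after the source MAC: what the ACL protocol match sees."""
    return struct.unpack_from("!H", frame, 12)[0]


def tag_stack(frame: bytes) -> Tuple[List[Tuple[int, int]], int]:
    """Walk the 802.1Q/802.1ad tags; return (tags, EtherType of the L3 payload)."""
    off, tags = 12, []
    while True:
        et = struct.unpack_from("!H", frame, off)[0]
        if et not in (TPID_8021Q, TPID_8021AD):
            return tags, et
        tags.append((et, struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF))
        off += 4


def acl_action(acl: List[Entry], frame: bytes) -> str:
    """First-match evaluation; an unmatched frame hits the implicit deny."""
    dst, et = frame[:6], first_ethertype(frame)
    for action, mac, mask, proto in acl:
        if mac is not None and any((d ^ m) & ~k & 0xFF
                                   for d, m, k in zip(dst, mac, mask)):
            continue
        if proto is not None and proto != et:
            continue
        return action
    return "deny"


def sample_frames() -> Dict[str, bytes]:
    """Constructed frames as a host on an access port might send them."""
    return {
        "untagged_ipv4": build_frame(GW_MAC, HOST_MAC, [], ETH_IPV4),
        "untagged_arp": build_frame(BCAST, HOST_MAC, [], ETH_ARP),
        # dot1p tag in front of ARP: the ARP EtherType sits behind 0x8100
        "prio_tagged_arp": build_frame(BCAST, HOST_MAC, [(TPID_8021Q, 0)], ETH_ARP),
        # 802.1ad outer, 802.1Q inner, IPv6 underneath (e.g. a router advertisement)
        "double_tagged_ipv6": build_frame(GW_MAC, HOST_MAC,
                                          [(TPID_8021AD, 0), (TPID_8021Q, 5)], ETH_IPV6),
        # Cisco control multicast: the field after the MACs is an 802.3 length
        "cisco_control": build_frame(CISCO_PROTO_MAC, HOST_MAC, [], 0x0020),
        "unknown_ethertype": build_frame(GW_MAC, HOST_MAC, [], 0x88B5),
    }


def evaluate(frames: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Per frame: both ACL verdicts, the EtherType the ACL sees, the real L3 type."""
    out: Dict[str, Dict[str, object]] = {}
    for name, frame in frames.items():
        tags, l3 = tag_stack(frame)
        out[name] = {"drop_three_tags": acl_action(DROP_THREE_TAGS, frame),
                     "drop_non": acl_action(DROP_NON, frame),
                     "seen": first_ethertype(frame), "l3": l3, "tags": tags}
    return out


if __name__ == "__main__":
    for name, r in evaluate(sample_frames()).items():
        print(f"{name:19s} seen=0x{r['seen']:04x} l3=0x{r['l3']:04x} "
              f"drop_three_tags={r['drop_three_tags']} drop_non={r['drop_non']}")
```

    Under this model the priority-tagged ARP frame carries an ARP payload that
    the ACL never sees (it sees 0x8100), so both lists drop it; the difference
    between the two lists shows on a frame with an unknown EtherType, which the
    blocklist drop_three_tags forwards and the allowlist drop_non drops. The
    entry for 0100.0ccc.cccc is what keeps length-encoded Cisco control
    protocols such as CDP flowing through drop_non.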

    Cisco Small Business Switches

    No mitigations or workarounds.

    While these workarounds have been deployed and were proven successful in a
    test environment, customers should determine the applicability and
    effectiveness in their own environment and under their own use conditions.
    Customers should be aware that any workaround or mitigation that is
    implemented may negatively impact the functionality or performance of their
    network based on intrinsic customer deployment scenarios and limitations.
    Customers should not deploy any workarounds or mitigations before first
    evaluating the applicability to their own environment and any impact to
    such environment.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    CVE-2021-27853

    At the time of publication, the release information in the following table
    was accurate. See the Details section in the bug ID(s) at the top of this
    advisory for the most complete and current information.

    Product                       Cisco Bug ID      First Fixed Release
    Cisco IOS XE Switches         CSCvz91291        17.6.3
                                                    17.8.1

    CVE-2021-27854

    Cisco evaluated this vulnerability based on its impact on FHS features
    configured on the access ports. No impact was observed.

    CVE-2021-27861

    At the time of publication, Cisco had not released updates that address
    this vulnerability for any Cisco product.

    CVE-2021-27862

    Cisco evaluated this vulnerability based on its impact on FHS features
    configured on the access ports. No impact was observed.

    The Cisco PSIRT validates only the affected and fixed release information
    that is documented in this advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is aware that proof-of-concept exploit code is available
    for the vulnerabilities that are described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
    that are described in this advisory.

Source

  o Cisco would like to thank Etienne Champetier for reporting these
    vulnerabilities and CERT/CC for the coordination.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-VU855201-J3z8CKTX

Revision History

  o +---------+------------------------------+---------+--------+-------------+
    | Version |         Description          | Section | Status |    Date     |
    +---------+------------------------------+---------+--------+-------------+
    | 1.1     | Corrected affected product   | Details | Final  | 2022-OCT-05 |
    |         | information.                 |         |        |             |
    +---------+------------------------------+---------+--------+-------------+
    | 1.0     | Initial public release.      | -       | Final  | 2022-SEP-27 |
    +---------+------------------------------+---------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----