The following article references a VLAN stacking flaw affecting Cisco, Juniper and other vendor devices, are RouterOS ‘in software bridging’ or hardware offloaded bridge configurations at risk as well?
The four vulnerabilities are:
CVE-2021-27853 Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using combinations of VLAN 0 headers and LLC/SNAP headers.
CVE-2021-27854 Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using combinations of VLAN 0 headers, LLC/SNAP headers in Ethernet to Wifi frame translation, and the reverse Wifi to Ethernet.
CVE-2021-27861 Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers).
CVE-2021-27862 Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers).
why the link written on this way? (without spaces?)
https:// www. google .com /amp/s/ www. b le e ping computer. com/news/security/ethernet-vlan-stacking-flaws-let-hackers-launch-dos-mitm-attacks/amp/
some form of clickbait for gain some money?
On that s–t’s
b le e ping computer. com
if I don’t want to agree to all that privacy s–t, I have to spend 20 minutes disabling everything,
because those assholes didn’t put “reject all”, but there are tons of voices to disable one by one…
IPv6 RA guard is NEVER implemented on MikroTik, SO, WHY THAT CLICKBAIT???
Next time you discover another bug on the windows stack, you open another post asking also if RouterOS is affected?
All these clickbait vulnerabilities are just forcing “network administrators” to retire old hardware that some vendors don’t want to patch anymore, and get newer ones that are getting the fix.
More used, still good switches on the market, everyone is happy.
Apologies for the Google link, posted this question from my mobile after it came up in my feed. If both Cisco and Juniper’s network stacks exempt certain processing, such as STP BPDU guard, root guard when a packet is transmitted with a zero VLAN it could very easily also affect in hardware bridging on the Marvel chipsets that the CRS devices use.
If an attacker got so close that he can mess with your equipment at a so low layer, you’re screwed anyway.
Make some tests, see if they are vulnerable ¯_(ツ)_/¯
Or raise a support ticket.
Unfortunately couldn’t find a way of implementing IPv6 RA Guard (rfc6105) so I hacked switch rules and bridge filters together to achieve the desired results.
