Mon May 03, 2021 3:31 pm
Can't say anything about TP-Link gear. MT (most probably) can't be exploited this way, at least if bridge vlan-filtering is used (some HW-offloaded VLAN setups might be vulnerable, but it very much depends on how the switch chip operates - I'm not going to study that now) ... if set up properly.
The thing is that there is no "native VLAN" in the MT bridge world. So either a frame is tagged on ingress and the tag remains (tagged ports, or hybrid ports for tagged frames), or it is not tagged and the port adds a tag according to the PVID (access ports, or hybrid ports for untagged frames). In both cases it is important to appropriately set the property frame-types=<setting> and to set ingress-filtering=yes ... both properties are often forgotten. If both are set correctly, it is almost impossible to get into double-tagging. AFAIK the only possibility for that to happen is if the attacker crafts a frame tagged with a different type of VLAN tag (e.g. 802.1ax - service tags vs. 802.1q - usual VLAN tags) and the MT device then applies an 802.1q tag with the PVID ... but that doesn't help the attacker, as the MT device adds the tag on ingress (and removes it on egress), whereas the attacker wants the frame to be passed intact on ingress and to be untagged on egress.
Last edited by mkx on Tue May 04, 2021 2:52 pm, edited 1 time in total.
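Added example, not part of mkx's post: a RouterOS bridge VLAN configuration showing the "forgotten" defaults beside the corrected port settings the post describes (frame-types plus ingress-filtering on access, trunk and hybrid ports). Interface names (ether2/ether3/ether4), VLAN IDs (10/20/30) and the bridge name are assumptions.

```routeros
# Added example, not from the original post. Assumed layout:
#   ether2 = access port, VLAN 10
#   ether3 = trunk port, tagged VLANs 10 and 20
#   ether4 = hybrid port, untagged VLAN 30 (PVID), tagged VLAN 20
# Interface names and VLAN IDs are assumptions.

# --- Weak: frame-types and ingress-filtering left at their defaults ---
# frame-types defaults to admit-all, so the "trunk" ether3 also accepts untagged
# frames and assigns them its default PVID 1. Whether ingress-filtering defaults
# to yes depends on the RouterOS version, so a tagged frame for a VLAN the port is
# not a member of may be forwarded anyway. Set both explicitly instead.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4 pvid=30

# --- Corrected ---
# Create the bridge with vlan-filtering off; turn it on as the LAST step, after the
# CPU port (bridge1) is a member of the management VLAN, or you lock yourself out.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# access port: only untagged (and priority-tagged) frames are admitted; a frame that
# arrives with an 802.1Q tag is dropped at ingress instead of being forwarded
add bridge=bridge1 interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# trunk port: untagged frames are dropped, so nothing can be "pushed" into PVID 1
add bridge=bridge1 interface=ether3 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
# hybrid port: untagged frames get PVID 30, tagged frames keep their tag;
# ingress-filtering still drops tags for VLANs this port is not a member of
add bridge=bridge1 interface=ether4 pvid=30 \
    frame-types=admit-all ingress-filtering=yes
# VLAN table: ingress-filtering is checked against this membership
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether3 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether3,ether4
add bridge=bridge1 vlan-ids=30 tagged=bridge1 untagged=ether4
# management interface on the CPU port, tagged on bridge1 above
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
# enable filtering only now
/interface bridge
set bridge1 vlan-filtering=yes

# Check: every port must show the intended frame-types / ingress-filtering and
# the VLAN table must list bridge1 in the management VLAN before enabling filtering
/interface bridge port print detail
/interface bridge vlan print
```

Note that the check here is the combination of both properties: frame-types decides which frames a port admits at all, and ingress-filtering decides whether an admitted (or PVID-assigned) VLAN is actually one the port belongs to in /interface bridge vlan. On hardware-offloaded switch chips, verify with `/interface bridge port print` that the ports still show the H (hw-offload) flag after vlan-filtering is enabled; if not, the rules are enforced by the CPU and throughput drops, which the post's caveat about HW-offloaded setups refers to.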