Community discussions

MikroTik App
 
bbs2web
Member Candidate
Member Candidate
Topic Author
Posts: 232
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Fri Sep 30, 2022 8:31 am

The following article references a VLAN stacking flaw affecting Cisco, Juniper and other vendor devices, are RouterOS 'in software bridging' or hardware offloaded bridge configurations at risk as well?

<CENSORED>

The four vulnerabilities are:
  • CVE-2021-27853 Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using combinations of VLAN 0 headers and LLC/SNAP headers.
  • CVE-2021-27854 Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using combinations of VLAN 0 headers, LLC/SNAP headers in Ethernet to Wifi frame translation, and the reverse Wifi to Ethernet.
  • CVE-2021-27861 Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers).
  • CVE-2021-27862 Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers).
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Sat Oct 01, 2022 11:40 am

why the link written on this way? (without spaces?)

https:// www. google .com /amp/s/ www. b le e ping computer. com/news/security/ethernet-vlan-stacking-flaws-let-hackers-launch-dos-mitm-attacks/amp/

some form of clickbait for gain some money?

On that s–t's
b le e ping computer. com
if I don't want to agree to all that privacy s–t, I have to spend 20 minutes disabling everything,
because those assholes didn't put "reject all", but there are tons of voices to disable one by one...

IPv6 RA guard is NEVER implemented on MikroTik, SO, WHY THAT CLICKBAIT???

Next time you discover another bug on the windows stack, you open another post asking also if RouterOS is affected?
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Sat Oct 01, 2022 12:09 pm

All these clickbait vulnerabilities are just forcing "network administrators" to retire old hardware that some vendors don't want to patch anymore, and get newer ones that are getting the fix.
More used, still good switches on the market, everyone is happy.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Sat Oct 01, 2022 12:12 pm

You're right, some "network administrators" who don't know how to use them correctly, do well to give them away...
A half solution to chips shortage... :lol: :lol: :lol:
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Sat Oct 01, 2022 12:37 pm

If you put up a link, have atleast the decency to remove all Google tracking shit!
https://www.bleepingcomputer.com/news/security/ethernet-vlan-stacking-flaws-let-hackers-launch-dos-mitm-attacks/
 
bbs2web
Member Candidate
Member Candidate
Topic Author
Posts: 232
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Mon Oct 03, 2022 9:53 pm

Wow guys, having a bad day?

Apologies for the Google link, posted this question from my mobile after it came up in my feed. If both Cisco and Juniper's network stacks exempt certain processing, such as STP BPDU guard, root guard when a packet is transmitted with a zero VLAN it could very easily also affect in hardware bridging on the Marvel chipsets that the CRS devices use.
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Mon Oct 03, 2022 10:09 pm

If an attacker got so close that he can mess with your equipment at a so low layer, you're screwed anyway.
Make some tests, see if they are vulnerable ¯\_(ツ)_/¯
Or raise a support ticket.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Mon Oct 03, 2022 11:03 pm

Wow guys, having a bad day?

Apologies for the Google link, posted this question from my mobile after it came up in my feed.
It was not mainly directed at you.....
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Mon Oct 03, 2022 11:22 pm

It was not mainly directed at you.....
The "fragmented" link on my post is the one that was originally written (unfragmented and clickable) by @bbs2web in the <CENSORED> part of his post.

I thought that sentence was for him, not for me, but the link is not mine, I purposely removed it because it was uselessly passing through Google.
 
bbs2web
Member Candidate
Member Candidate
Topic Author
Posts: 232
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Wed Oct 19, 2022 12:24 am

Unfortunately couldn't find a way of implementing IPv6 RA Guard (rfc6105) so I hacked switch rules and bridge filters together to achieve the desired results.

CRS - Hardware offloaded (MC-LAG compatible) bridge with IPv6 Router Advertisement (RA) Guard:
viewtopic.php?t=190101

PS: Shouldn't be susceptible to VLAN priority tag attacks.

Who is online

Users browsing this forum: No registered users and 15 guests