CVE-2021-27853

L2 network filtering can be bypassed using stacked VLAN0 and LLC/SNAP headers

CVSS 4.7 MEDIUM | EPSS 0.7% | CWE-290
In short

Network filtering systems that check Layer 2 traffic can be bypassed by crafting packets with stacked VLAN 0 headers combined with LLC/SNAP headers. This allows attackers to send dangerous traffic (like IPv6 router advertisements or ARP spoofing) that security tools fail to detect.

Technical detail

Layer 2 filtering mechanisms (IPv6 RA Guard, ARP inspection) fail to properly validate packets containing nested VLAN 0 tags paired with LLC/SNAP encapsulation, allowing bypass via crafted Layer 2 frames. An attacker on the local network segment can exploit this to inject undetected ARP or IPv6 RA packets, potentially enabling man-in-the-middle or denial-of-service attacks.
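The following added example (not from the advisory or any vendor's code) shows the normalization a Layer 2 filter needs: unwrap stacked VLAN tags and LLC/SNAP headers before classifying a frame, instead of checking only the outermost EtherType. The function names, the nesting limit of 8, and the constructed sample frames are assumptions made for illustration; the header order in the sample is one possible combination.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}               # 802.1Q C-tag, 802.1ad S-tag
FILTERED = {0x0806: "ARP", 0x86DD: "IPv6"}  # what ARP inspection / RA Guard must see
SNAP = b"\xaa\xaa\x03\x00\x00\x00"          # LLC DSAP/SSAP/control + zero OUI

def effective_ethertype(frame, max_layers=8):
    """Return (ethertype, layers, payload_offset) after unwrapping VLAN tags
    and LLC/SNAP headers; ethertype is None if the frame is truncated, uses
    LLC without SNAP, or nests deeper than max_layers."""
    off, layers = 12, []                    # skip destination and source MAC
    for _ in range(max_layers + 1):
        if len(frame) < off + 2:
            break
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype in VLAN_TPIDS:             # TCI follows; low 12 bits are the VID
            if len(frame) < off + 2:
                break
            (tci,) = struct.unpack_from("!H", frame, off)
            layers.append(f"vlan{tci & 0x0FFF}")
            off += 2
        elif etype <= 1500:                 # 802.3 length field: LLC header follows
            if frame[off:off + 6] != SNAP:
                break
            layers.append("llc/snap")
            off += 6                        # next loop reads the SNAP protocol ID
        else:
            return etype, layers, off
    return None, layers, off

def naive_protocol(frame):
    """Filter that only looks at the outermost EtherType."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    return FILTERED.get(etype)

def inspected_protocol(frame):
    """Filter that classifies on the unwrapped EtherType."""
    return FILTERED.get(effective_ethertype(frame)[0])

# Constructed sample frames (headers only, zeroed 28-byte payload).
MACS = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
PLAIN = MACS + b"\x08\x06" + bytes(28)
WRAPPED = (MACS + b"\x81\x00\x00\x00" * 2      # two stacked VLAN 0 tags
           + b"\x00\x24" + SNAP + b"\x08\x06"  # 802.3 length, LLC/SNAP, ARP
           + bytes(28))

if __name__ == "__main__":
    for name, f in (("plain", PLAIN), ("wrapped", WRAPPED)):
        print(name, naive_protocol(f), inspected_protocol(f), effective_ethertype(f)[1])
```

A frame for which `effective_ethertype` returns `None` could not be fully classified; whether to drop or forward it is a policy decision for the filter.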

Summary generated and translated by AI from the official description.
Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using combinations of VLAN 0 headers and LLC/SNAP headers.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
