CVE-2021-27861

L2 network filtering bypass using stacked VLAN0 and LLC/SNAP headers with invalid lengths

CVSS 4.7 MEDIUMEPSS 0.6%CWE-130 CWE-290

In short

Network devices that filter Layer 2 traffic (like IPv6 RA guard) can be bypassed by crafting packets with malformed LLC/SNAP headers and optional VLAN0 tags. This allows an attacker to send traffic that should have been blocked.

Technical detail

CVE-2021-27861 exploits improper validation of LLC/SNAP header lengths in Layer 2 filtering mechanisms; by sending packets with invalid lengths and stacked VLAN0 headers, an attacker can bypass security controls like IPv6 RA guard. The vulnerability requires network access to send crafted frames and affects devices relying on L2 packet inspection without proper header validation.

Summary generated and translated by AI from the official description.

Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Affected products

IEEE · 802.2 IETF · draft-ietf-v6ops-ra-guard IETF · P802.1Q

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://blog.champtar.fr/VLAN0_LLC_SNAP/https://datatracker.ietf.org/doc/draft-ietf-v6ops-ra-guard/08/https://kb.cert.org/vuls/id/855201 https://standards.ieee.org/ieee/802.1Q/10323/https://standards.ieee.org/ieee/802.2/1048/https://www.kb.cert.org/vuls/id/855201