CVE-2021-27861 Filtering on IPv6 Routing and Addressing can be bypassed using invalid LLC/SNAP headers and VLAN0 headers.


or forged with a forged header of your choice (such as an ICMP error or ARP request). The forged packet is accepted by the next hop and sent out of the other interface, where it will be received and forwarded through your network. This can be used to bypass access control lists, masquerading, and firewalling.

Most network devices use a default administrative distance of 1 for receiving packets and a default of 0 for sending packets; this means that by default, a receiving device will accept and forward any packet except for a forged ARP reply.

Routers usually have several access control lists (ACLs) configured, which can be used to prevent the injection of certain types of packets. For example, you may want to prevent the injection of ICMP echo requests so that the forged ICMP echo reply does not reach the intended target.

Typically, the ARP protocol is enabled on all devices, so by default, all devices will accept ARP requests. By default, all devices will also accept ARP replies. Access control lists can be configured to prevent the acceptance of ARP requests if they match any of the ARP ACLs. An access list can be configured to prevent the reception of ARP replies if they match any of the ARP ACLs. By disabling ARP, you will prevent any communication between hosts using ARP and prevent the forwarding of any forged ARP replies. Setting the ARP option on the device will prevent the receipt of ARP replies.

Disable ARP on the device

Setting the ARP option on the device will prevent the receipt of ARP replies. Unless you need to use ARP on a device, or you want to configure your router to allow hosts to communicate using ARP, it’s best to disable it.

ICMP Error Messages and Exceptions

ICMP error messages and exceptions can also be forged, as they are generally accepted by all devices. Generally, all devices will accept ICMP echo requests and replies; however, those messages may be blocked by the device’s access control list if they match any of the ACLs configured on it.

Disabling ARP

If these devices are not configured with an ARP ACL, then they will accept any forged ARP request and allow an attacker to spoof any address on the network. If you’re using a switch or router that does not have the ARP option enabled, it is possible for an attacker to exploit this vulnerability. So, in order to prevent this attack from occurring, you should disable ARP on all devices that do not need it by setting their ARP option to 0. Setting the ARP option on the device will prevent the receipt of ARP replies. This can be done through configuration or by using the command "arp -noarp" from interface configuration mode (see below).

How to Bypass ARP with ARP Poisoning

ARP is a layer 2 protocol used to transmit information about the hardware and software on a computer. It is similar to the routing tables that are built by routers. The ARP protocol allows for computers to communicate with each other using a device-to-device network.
The ARP protocol can be used to perform an ARP poisoning attack with forged ARP packets. The forged packets are accepted by the next hop and sent out of the other interface, where they will be received and forwarded through your network. This can be used to bypass access control lists, masquerading, and firewalling. For example, you may choose to use this method if you want to prevent the forwarding of some types of packets from your router.

How to reduce ARP cache attacks

If you're using a device with an ARP option and you want to reduce the risk of ARP cache attacks, two options exist. You can disable ARP or you can configure access lists to deny ARP packets.
Disabling ARP will prevent any communication between hosts using ARP and prevent the forwarding of any forged ARP replies. Setting the ARP option on the device will prevent the receipt of ARP replies.
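
The second option, an access list that denies ARP packets, is sketched below as an added example; it is not code from this page or from any vendor. Because the advisory title names VLAN0 and LLC/SNAP headers as the way filters are bypassed, the filter unwraps both before classifying a frame. The binding table, function names and sample frames are assumptions constructed for illustration.

```python
import struct

# Constructed allow-list of IP -> MAC bindings (hypothetical static table).
BINDINGS = {"192.0.2.1": "02:00:00:00:00:01", "192.0.2.10": "02:00:00:00:00:10"}
VLAN_TPIDS = {0x8100, 0x88A8}
SNAP_PREFIX = bytes.fromhex("aaaa03000000")  # LLC AA-AA-03 followed by a zero OUI

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def inner_ethertype(frame):
    """Unwrap VLAN tags (VLAN 0 included) and LLC/SNAP; return (ethertype, offset)."""
    etype, off = struct.unpack_from("!H", frame, 12)[0], 14
    for _ in range(8):  # bounded unwrapping depth
        if etype in VLAN_TPIDS:
            etype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
        elif etype <= 1500 and frame[off:off + 6] == SNAP_PREFIX:
            # 802.3 length field: its value is not trusted, only skipped.
            etype, off = struct.unpack_from("!H", frame, off + 6)[0], off + 8
        else:
            break
    return etype, off

def decide(frame):
    """Return the ACL verdict for one raw Ethernet frame."""
    try:
        etype, off = inner_ethertype(frame)
        if etype in VLAN_TPIDS:
            return "deny: encapsulation too deep"  # fail closed
        if etype != 0x0806:
            return "pass: not ARP"
        htype, ptype, hlen, plen, _op, sha, spa = struct.unpack_from("!HHBBH6s4s", frame, off)
    except struct.error:
        return "deny: truncated frame"
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "deny: malformed ARP"
    sender_ip, sender_mac = ".".join(map(str, spa)), mac(sha)
    if mac(frame[6:12]) != sender_mac:
        return "deny: Ethernet source differs from ARP sender"
    if BINDINGS.get(sender_ip) != sender_mac:
        return "deny: sender not in binding table"
    return "permit"

def arp_frame(src_mac, sender_mac, sender_ip, encap=b""):
    """Build a constructed ARP reply; encap bytes precede the ARP EtherType."""
    to_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, to_bytes(sender_mac),
                      bytes(map(int, sender_ip.split("."))), bytes(6), bytes(4))
    return b"\xff" * 6 + to_bytes(src_mac) + encap + b"\x08\x06" + arp

VLAN0 = bytes.fromhex("81000000")     # constructed 802.1Q tag with VLAN ID 0
BAD_SNAP = b"\x00\x05" + SNAP_PREFIX  # constructed LLC/SNAP header, invalid length
```

A filter that compared only the first type field against the ARP EtherType would classify the `VLAN0` and `BAD_SNAP` variants as non-ARP traffic and let them through; here they receive the same verdict as the plain frame.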

Timeline

Published on: 09/27/2022 19:15:00 UTC
Last modified on: 10/12/2022 13:15:00 UTC
