VLAN Hopping Vulnerability

VLAN hopping is a vulnerability that can be leveraged by an attacker to gain access to networked resources on another virtual LAN (VLAN) that would normally not be accessible. Two methods of exploiting this vulnerability are switch spoofing and double tagging.

Take the following diagram as an example: the attacker is in Cisco default VLAN 1 and the target Secure Server is in VLAN 2. For the attacker to reach the Secure Server, traffic would need to be sent via a layer 3 device for onward routing towards VLAN 2. In this example, the layer 3 device has an access policy applied which denies access to VLAN 2 from all VLAN 1 sources, so it would simply discard the traffic.

Double Tagging

Double tagging leverages the native VLAN, which is sent “untagged” across 802.1Q trunk links. By crafting a false VLAN tag, the attacker is able to send unidirectional traffic directly to the Secure Server in VLAN 2, bypassing the layer 3 filtering device. The attacker adds two VLAN tags to the frames that are sent, the first tag being VLAN 1 (native) and the second tag being VLAN 2 (server VLAN). The initial switch receives the traffic but only performs one level of decapsulation: the outer tag matches native VLAN 1 and is stripped off so the frame is sent “untagged”, while the second tag of VLAN 2 is retained. The next switch receives the traffic, removes the VLAN 2 tag and forwards the frame directly to the layer 2 destination, the Secure Server. Note that this only works if the attacker is in the same VLAN as the 802.1Q native VLAN.
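To make the tag handling concrete, here is an added Python example (not part of the original article) that parses the 802.1Q tag stack of a raw Ethernet frame, flags frames carrying more than one tag, and models in simplified form how a trunk port treats the native VLAN on egress. The sample frames are constructed (MAC addresses from the documentation range), and the `trunk_egress` model is an assumption that the switch examines only the outermost tag.

```python
"""Inspect the 802.1Q tag stack of a raw Ethernet frame and model how a trunk
port handles the native VLAN. Added example; the sample frames are constructed."""
import struct

TPID_8021Q = 0x8100   # standard 802.1Q tag
TPID_8021AD = 0x88A8  # 802.1ad service tag, treated as a VLAN tag here as well

# Constructed frames: documentation MAC range 00:00:5E:00:53:xx, dummy IPv4 body.
_HDR = bytes.fromhex("00005e005301" "00005e005302")
_IPV4_PAYLOAD = bytes.fromhex("0800") + bytes(20)
# Outer tag VLAN 1 (native), inner tag VLAN 2 (server VLAN): the double-tagged case.
SAMPLE_DOUBLE_TAGGED = _HDR + bytes.fromhex("8100" "0001" "8100" "0002") + _IPV4_PAYLOAD
SAMPLE_SINGLE_TAGGED = _HDR + bytes.fromhex("8100" "0002") + _IPV4_PAYLOAD
SAMPLE_UNTAGGED = _HDR + _IPV4_PAYLOAD


def parse_tag_stack(frame: bytes):
    """Return (vlan_ids, ethertype, payload_offset); vlan_ids is outermost first."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vlans = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vlans, ethertype, offset + 2
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4


def is_double_tagged(frame: bytes) -> bool:
    """Detection check: two or more tags arriving on a host-facing port is suspicious."""
    return len(parse_tag_stack(frame)[0]) >= 2


def trunk_egress(frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """Simplified model (assumption) of the first switch forwarding onto a trunk:
    only the outermost tag is examined; if it equals the trunk's native VLAN and
    native tagging is off, that tag is stripped. tag_native=True models the
    effect of 'vlan dot1q tag native', which keeps the outer tag in place."""
    vlans, _, _ = parse_tag_stack(frame)
    if vlans and vlans[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]  # drop the 4-byte outer tag
    return frame


if __name__ == "__main__":
    for label, frame in [("double", SAMPLE_DOUBLE_TAGGED),
                         ("single", SAMPLE_SINGLE_TAGGED),
                         ("untagged", SAMPLE_UNTAGGED)]:
        print(label, parse_tag_stack(frame)[0], "double-tagged" if is_double_tagged(frame) else "")
    forwarded = trunk_egress(SAMPLE_DOUBLE_TAGGED, native_vlan=1)
    print("next switch sees VLAN tags", parse_tag_stack(forwarded)[0])
```

Run against the double-tagged sample with native VLAN 1, `trunk_egress` returns a frame tagged only with VLAN 2, which is exactly what the second switch sees; with the native VLAN moved to an unused ID, or with `tag_native=True`, the outer VLAN 1 tag survives and the frame never lands in VLAN 2.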

Mitigation

Preventing double tagging attacks is easily achieved by changing Cisco default configurations.

1) Never use default VLAN 1; ensure all resources are placed into a custom VLAN.

switch(config-if)# switchport access vlan <vlan id>

2) Set the native VLAN of all trunk links to an unused VLAN.

switch(config-if)# switchport trunk native vlan <vlan id>

3) Disable untagging of the native VLAN and force it to be tagged.

switch(config)# vlan dot1q tag native

Switch Spoofing

Hosts are generally connected to an access port, which has visibility of traffic within its own VLAN only. Trunk ports, however, carry traffic from multiple VLANs as described above. Cisco switches use Dynamic Trunking Protocol (DTP) to build trunk links between switches; DTP exchanges messages to automatically negotiate a trunk connection with the attached switch. If an insecure configuration has been applied, an attacker can craft DTP messages to fool the switch into negotiating a trunk connection with a rogue PC. Once the trunk link has been formed with the rogue PC, the attacker has the ability to sniff traffic across all VLANs.

Mitigation

Preventing this exploit is simply achieved by disabling DTP and ensuring all user ports are configured as access ports.

1) Disable DTP to prevent automatic negotiation of a trunk link.

switch(config-if)# switchport nonegotiate

2) Force all user ports into access port operation so trunks cannot be established.

switch(config-if)# switchport mode access
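The two mitigation lists above (native VLAN hygiene for double tagging, and DTP/access-port enforcement for switch spoofing) are easy to verify mechanically. The following Python script is an added example, not vendor tooling or code from the article: it parses a `show running-config` excerpt and reports every interface or global setting that still matches the weak Cisco defaults. The sample configuration is constructed, the interface names are hypothetical, and the script assumes that a port with no explicit `switchport mode` is left in a dynamic (DTP-negotiable) mode, which is the platform default on many Catalyst switches.

```python
"""Audit a Cisco IOS running-config for the VLAN hopping weaknesses discussed
above. Added example, not vendor tooling; the sample config is constructed."""
import re
from typing import Dict, List

# Constructed "show running-config" excerpt: two weak ports, two hardened ones.
SAMPLE_CONFIG = """\
!
hostname sw1
!
interface GigabitEthernet1/0/1
 description user port left at factory defaults
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 description hardened user port
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/23
 description old uplink, native VLAN 1 and DTP still on
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description hardened uplink
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map interface name -> its indented sub-commands; a non-indented line ends the block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def _vlan_arg(lines: List[str], prefix: str, default: int) -> int:
    """Return the VLAN id following 'prefix', or the Cisco default (VLAN 1) if unset."""
    for line in lines:
        m = re.fullmatch(re.escape(prefix) + r"\s+(\d+)", line)
        if m:
            return int(m.group(1))
    return default


def audit_config(config: str) -> List[str]:
    """Return one finding string per weakness; an empty list means every check passed."""
    findings: List[str] = []
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    # Double tagging, mitigation 3: the native VLAN must be tagged on trunks.
    if "vlan dot1q tag native" not in global_lines:
        findings.append("global: native VLAN sent untagged (missing 'vlan dot1q tag native')")
    for name, lines in parse_interfaces(config).items():
        mode = next((l[len("switchport mode "):] for l in lines
                     if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            # Double tagging, mitigation 2: trunk native VLAN must not be VLAN 1.
            if _vlan_arg(lines, "switchport trunk native vlan", 1) == 1:
                findings.append(f"{name}: trunk native VLAN is default VLAN 1")
        elif mode == "access":
            # Double tagging, mitigation 1: no host should sit in VLAN 1.
            if _vlan_arg(lines, "switchport access vlan", 1) == 1:
                findings.append(f"{name}: access port in default VLAN 1")
        else:
            # Switch spoofing, mitigation 2: a port not pinned to access or trunk can
            # negotiate a trunk (assumes the platform default is a dynamic mode).
            label = mode or "not set (dynamic by default)"
            findings.append(f"{name}: mode '{label}' allows DTP trunk negotiation")
        # Switch spoofing, mitigation 1: DTP must be switched off on every port.
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: DTP enabled (missing 'switchport nonegotiate')")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the constructed config the audit reports the missing global `vlan dot1q tag native`, the dynamic-mode user port, and the old uplink that still has native VLAN 1 and DTP enabled, while the two hardened interfaces produce no findings. Pointing the script at a real config export (rather than the embedded sample) is a cheap pre-change check before rolling the commands above out across an estate.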
