CVE-2022-20728: Cisco Security Advisory: Cisco Access Points VLAN Bypass from Native VLAN Vulnerability
A vulnerability in the client forwarding code of multiple Cisco Access Points (APs) could allow an unauthenticated, adjacent attacker to inject packets from the native VLAN to clients within nonnative VLANs on an affected device. This vulnerability is due to a logic error on the AP: a packet destined to an associated wireless client is forwarded if it is received on the native VLAN, even when the client belongs to a different VLAN. An attacker could exploit this vulnerability by obtaining access to the native VLAN and directing traffic to the client using the client's MAC/IP combination. A successful exploit could allow the attacker to bypass VLAN separation and potentially also bypass any Layer 3 protection mechanisms (for example, inter-VLAN ACLs or firewall policy) that rely on that separation.
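The following is an added illustration of the forwarding logic error described above; it is not Cisco's code and does not reproduce any AP implementation. It models the per-client forwarding decision with a constructed client table (MAC to VLAN), a constructed frame type, and an assumed native VLAN of 1, and shows the flawed decision next to the hardened one so the bypass condition is concrete:

```python
"""Toy model of the AP client-forwarding decision from the advisory.

Added example, not Cisco code. The client table, Frame layout and VLAN
numbers are constructed for illustration; NATIVE_VLAN = 1 is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

NATIVE_VLAN = 1  # assumption: VLAN 1 is the untagged (native) VLAN on the AP's trunk

# Constructed client table: wireless client MAC -> VLAN assigned at association.
CLIENTS = {
    "aa:bb:cc:00:00:01": 10,  # corporate SSID, VLAN 10
    "aa:bb:cc:00:00:02": 20,  # guest SSID, VLAN 20
}


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    vlan: Optional[int]  # 802.1Q tag on the wired side; None = untagged


def wire_vlan(frame: Frame) -> int:
    """Untagged frames on the trunk belong to the native VLAN."""
    return NATIVE_VLAN if frame.vlan is None else frame.vlan


def forward_vulnerable(frame: Frame) -> bool:
    """Decision with the described flaw: a frame that arrives on the native
    VLAN is delivered to the associated client whatever VLAN the client is in."""
    client_vlan = CLIENTS.get(frame.dst_mac)
    if client_vlan is None:
        return False  # unknown client: nothing to forward to
    return wire_vlan(frame) == client_vlan or wire_vlan(frame) == NATIVE_VLAN


def forward_fixed(frame: Frame) -> bool:
    """Hardened decision: only traffic on the client's own VLAN reaches it."""
    client_vlan = CLIENTS.get(frame.dst_mac)
    return client_vlan is not None and wire_vlan(frame) == client_vlan


def bypass_cases() -> list:
    """Return (description, vulnerable_forwards, fixed_forwards) for each case.

    The first case is the advisory's scenario: an attacker on the native VLAN
    sends an untagged frame to a client sitting in VLAN 10."""
    corp = "aa:bb:cc:00:00:01"
    cases = [
        ("untagged (native) frame -> VLAN 10 client", Frame(corp, None)),
        ("VLAN 10 frame -> VLAN 10 client", Frame(corp, 10)),
        ("VLAN 20 frame -> VLAN 10 client", Frame(corp, 20)),
        ("untagged frame -> unknown client", Frame("aa:bb:cc:ff:ff:ff", None)),
    ]
    return [(desc, forward_vulnerable(f), forward_fixed(f)) for desc, f in cases]


if __name__ == "__main__":
    for desc, vuln, fixed in bypass_cases():
        print(f"{desc:45s} vulnerable={vuln!s:5s} fixed={fixed}")
```

Only the native-VLAN case differs between the two decisions; tagged traffic from another nonnative VLAN is already dropped in both, which is why the attacker in the advisory needs a foothold specifically on the native VLAN.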
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Releases
At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
The left column lists Cisco software releases, and the right column indicates whether a release is affected by the vulnerability that is described in this advisory and, if so, which release first includes the fix.
**Access Points Managed by Wireless LAN Controller**

| Cisco Wireless LAN Controller Software Release | First Fixed Release |
| --- | --- |
| 8.5 and earlier | Migrate to a fixed release. |
| 8.10 | 8.10MR8 |
**Access Points Managed by Catalyst 9800 Wireless Controller**

| Cisco Catalyst 9800 Wireless Controller Software Release | First Fixed Release |
| --- | --- |
| 17.2 and earlier | Migrate to a fixed release. |
| 17.3 | Migrate to 17.3.6 and apply the APSP patch (APSP patch no. TBD). |
| 17.4 | Migrate to a fixed release. |
| 17.5 | Migrate to a fixed release. |
| 17.6 | 17.6.2 |
| 17.7 and later | Not affected. |
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.