Cisco IOS Software for Catalyst 2960-L Series Switches and Catalyst CDB-8P Switches 802.1X Authentication Bypass Vulnerability
Description
An unauthenticated, adjacent attacker can bypass 802.1X port authentication on Cisco Catalyst 2960-L Series and CDB-8P Switches to forward broadcast traffic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability in the 802.1X feature of Cisco Catalyst 2960-L Series Switches (running Cisco IOS Software) and Cisco Catalyst CDB-8P Switches allows an unauthenticated, adjacent attacker to bypass port-based authentication. The flaw exists because broadcast traffic received on an 802.1X-enabled port before authentication completes is mishandled, allowing the traffic to be forwarded [1]. Affected devices include Cisco Catalyst 2960-L Series Switches and Catalyst CDB-8P Switches running vulnerable Cisco IOS Software releases [1].
Exploitation
An unauthenticated attacker with physical or logical adjacency to the victim network can exploit this vulnerability by sending broadcast traffic to an 802.1X-enabled port before being authenticated [1]. No prior authentication or user interaction is required; the attacker simply needs to connect to a port configured for 802.1X and send broadcast frames before the authentication process completes.
Impact
A successful exploit allows the attacker to send and receive broadcast traffic on the 802.1X-enabled port before authentication, effectively bypassing the port security controls [1]. While this does not grant full network access, it enables the attacker to participate in broadcast-based protocols (e.g., ARP, DHCP) and potentially enumerate other hosts or launch further attacks, such as man-in-the-middle or denial-of-service, from an unauthenticated position.
Mitigation
Cisco has released fixed software versions as described in the Security Advisory [1]. Customers should upgrade to the earliest fixed release identified via the Cisco Software Checker tool [1]. No workarounds are mentioned in the advisory; the recommended mitigation is to apply the appropriate software update [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cisco/Cisco IOS 15.2(5a)E v5, Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c2960L-DpWA9Re4 (mitre, vendor-advisory, x_refsource_CISCO)
News mentions
No linked articles in our index yet.