Feature and severity: VLAN interfaces attached to a parent bridge interface, admin portal access. Severity: High.
Summary: From a device connected to a VLAN interface in its own non-privileged zone, attached to a parent bridge in the LAN zone, the operator is able to log in to the admin portal of the XG.
Observed behavior: The operator has an IP address in the VLANed interface IP space, which is assigned a non-privileged zone. The operator can log in to the admin portal by using the primary bridge interface IP, as if it were itself in the LAN zone.
Desired: The operation should not be possible; the operator should not be able to access the portal or ping it, unless access is either explicitly given for that zone in the Device Access page, or firewall rules are in place to allow traffic from the VLANed interface/zone to the parent bridged interface/zone.
Reproduce it: Reset to factory defaults, create a new zone and make sure it does not have Admin Portal checked in Device Access. Create a VLAN interface off of the default br0 bridge, and assign that interface to the zone just created. Set a DHCP scope for that VLANed interface. Set up a switch so that a computer is only able to go on the corresponding VLAN. Confirm the computer is only getting a DHCP address from that VLAN. Open the Admin portal using the bridge LAN gateway IP. Nothing stops the operator from connecting and logging in.
Supporting logs: A packet capture from the XG itself (via UI) shows that all those packets (from VLANed zone IP to LAN IP gateway on port 4444) are marked with Rule 0, yet the packets are routed to their destination.
Further tests: I did not try to access actual devices on the LAN zone from a device on the VLANed zone so I do not know if the behavior is only affecting the Admin Portal or all traffic passing through.
I have included a backup of my test environment. The admin password is Password1 and the backup password is Password2019. This is for an XG 115.
Thanks,
Christian
Backup_C190A2RQ6RW3214_12Nov2019_16.48.50 - Test env.bkp.zip
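An added audit helper, not part of the original post or of Sophos XG, that models the intended Device Access behaviour described under Desired (access only via the zone's Device Access setting or an explicit firewall rule) and runs it over constructed capture rows like the Rule 0 packets mentioned under Supporting logs. Interface names, zone names, addresses and the capture record layout are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

ADMIN_PORT = 4444  # admin portal port seen in the report's capture

@dataclass
class Interface:
    name: str
    zone: str
    network: ipaddress.IPv4Network   # subnet served on this interface
    gateway: ipaddress.IPv4Address   # the firewall's own address on it

@dataclass
class Policy:
    interfaces: list
    admin_portal_zones: set                        # zones with Admin Portal ticked in Device Access
    allow_rules: set = field(default_factory=set)  # explicit (src_zone, dst_zone) firewall allows

    def zone_of(self, ip):
        """Zone of the interface whose subnet contains ip, or None."""
        return next((i.zone for i in self.interfaces if ip in i.network), None)

    def gateway_zone(self, ip):
        """Zone of the interface whose own address is ip (the portal target), or None."""
        return next((i.zone for i in self.interfaces if ip == i.gateway), None)

    def admin_access_expected(self, src, dst):
        """Intended result: allowed only via Device Access or an explicit rule."""
        src_zone = self.zone_of(ipaddress.ip_address(src))
        dst_zone = self.gateway_zone(ipaddress.ip_address(dst))
        if src_zone is None or dst_zone is None:
            return False
        return src_zone in self.admin_portal_zones or (src_zone, dst_zone) in self.allow_rules

def unexpected_admin_hits(policy, capture):
    """(src, dst, rule) for admin-port packets that the intended policy would have blocked."""
    return [(s, d, r) for s, d, port, r in capture
            if port == ADMIN_PORT and not policy.admin_access_expected(s, d)]

# Constructed lab mirroring the report: br0 in LAN, a VLAN sub-interface in a new zone. Addresses are made up.
LAB = Policy(
    interfaces=[Interface("br0", "LAN", ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_address("192.168.1.1")),
                Interface("br0.10", "VLAN10", ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_address("192.168.10.1"))],
    admin_portal_zones={"LAN"})
LAB_WITH_RULE = Policy(LAB.interfaces, LAB.admin_portal_zones, {("VLAN10", "LAN")})  # explicit firewall rule variant

# Constructed capture rows (src, dst, dport, rule id); rule 0 as seen in the report.
CAPTURE = [("192.168.1.50", "192.168.1.1", 4444, 0),     # LAN host to bridge IP: allowed by Device Access
           ("192.168.10.20", "192.168.1.1", 4444, 0),    # VLAN host to parent bridge IP: the reported gap
           ("192.168.10.20", "192.168.10.1", 4444, 0),   # VLAN host to its own gateway: also not permitted
           ("192.168.10.20", "192.168.1.1", 443, 0)]     # not the admin port: ignored
```

Running `unexpected_admin_hits(LAB, CAPTURE)` lists the VLAN-zone connections to port 4444 that the Device Access settings alone should have stopped; with `LAB_WITH_RULE` the VLAN10-to-LAN row drops out because an explicit rule now covers it.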