Cisco Security Response: Cisco VLAN Trunking Protocol Vulnerabilities
user name
2006-09-13 18:15:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Cisco VLAN Trunking Protocol Vulnerabilities
=====================================================================

Response ID: cisco-sr-20060913-vtp.shtml

http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

Revision 1.0
============

For Public Release 2006 September 13 1700 UTC (GMT)

+--------------------------------------------------------------------

Contents
========

    Cisco Response
    Additional Information
    Revision History
    Cisco Security Procedures

+--------------------------------------------------------------------

Cisco Response
==============

This is a Cisco response to an advisory published by FX of Phenoelit,
posted on September 13, 2006 at
http://www.securityfocus.com/archive/1/445896/30/0/threaded and
entitled "Cisco Systems IOS VTP multiple vulnerabilities".

These vulnerabilities are addressed by Cisco bug IDs:

  * CSCsd52629/CSCsd34759 -- VTP version field DoS

  * CSCse40078/CSCse47765 -- Integer Wrap in VTP revision

  * CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name
   
We would like to thank FX and the Phenoelit Group for reporting these
vulnerabilities to us. We greatly appreciate the opportunity to work
with researchers on security vulnerabilities, and welcome the
opportunity to review and assist in security vulnerability reports
against Cisco products.

Additional Information
======================

VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that
maintains VLAN configuration consistency by managing the addition,
deletion, and renaming of VLANs on a network-wide basis. When you
configure a new VLAN on one VTP server, the VLAN configuration
information is distributed via VTP to all switches in the domain.
This reduces the need to configure the same VLAN everywhere. VTP is a
Cisco-proprietary protocol that is available on most of the Cisco
Catalyst series products in both Cisco IOS and Cisco CatOS system
software.

Products affected by these vulnerabilities:
+------------------------------------------

  * Switches running affected versions of Cisco IOS with the VTP
    operating mode set to either "server" or "client" are affected by
    all three vulnerabilities.
  * Switches running affected versions of Cisco CatOS with the VTP
    operating mode set to either "server" or "client" are affected
    only by the "Integer Wrap in VTP revision" vulnerability.

Products not affected by these vulnerabilities:
+----------------------------------------------

  * Switches configured with the VTP operating mode "transparent".
  * Switches running CatOS with the VTP operating mode set to either
    "server" or "client" are not affected by the "Buffer Overflow in
    VTP VLAN name" or "VTP Version field DoS" vulnerabilities.

To determine the VTP mode on the switch, log into the device and issue
the "show vtp status" (IOS) or "show vtp domain" (CatOS) command.
Switches that show either "Server" or "Client" as the VTP operating
mode are affected (CatOS switches only by the "Integer Wrap in VTP
revision" vulnerability, as noted above); switches that show
"Transparent" are not.

An example is shown below for Cisco IOS with VTP operating in "Server"
mode:
    
    ios_switch#sh vtp stat
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 5
    VTP Operating Mode              : Server
    VTP Domain Name                 : test
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Enabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : <removed>
    Configuration last modified by 0.0.0.0 at 3-1-93 04:02:09
    ios_switch#

An example is shown below for Cisco CatOS with VTP operating in
"Server" mode:
    
    catos_switch> (enable) sh vtp domain
    Version      : running VTP1 (VTP3 capable)
    Domain Name  : test              Password  : not configured
    Notifications: disabled          Updater ID: 0.0.0.0

    Feature        Mode           Revision
    -------------- -------------- -----------
    VLAN           Server         2

    Pruning             : disabled
    VLANs prune eligible: 2-1000
    catos_switch> (enable)
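
The mode check above is easy to run by hand on one switch and tedious
across a fleet. The following Python script is an added example, not
part of the Cisco response: it reads saved "show vtp status" (IOS) or
"show vtp domain" (CatOS) output, extracts the operating mode and the
configuration revision, and maps them onto the exposure matrix stated
in this response (IOS server/client: all three issues; CatOS
server/client: integer wrap only; transparent: none). A negative
revision, as in the examples further below, is reported as an already
wrapped counter. The sample outputs embedded in the script are trimmed
copies of the examples in this response; the script does not check the
software release, so "running affected versions" remains an assumption
the operator must verify separately.

```python
import re

# Cisco bug IDs exactly as listed in the response above.
VERSION_DOS = "VTP Version field DoS (CSCsd52629/CSCsd34759)"
REVISION_WRAP = "Integer Wrap in VTP revision (CSCse40078/CSCse47765)"
NAME_OVERFLOW = "Buffer Overflow in VTP VLAN name (CSCsd34855/CSCei54611)"

# Exposure matrix from the response: platform x VTP operating mode.
# Whether the software release itself is an affected one is NOT checked here.
EXPOSURE = {
    "ios": {"server": [VERSION_DOS, REVISION_WRAP, NAME_OVERFLOW],
            "client": [VERSION_DOS, REVISION_WRAP, NAME_OVERFLOW],
            "transparent": []},
    "catos": {"server": [REVISION_WRAP],
              "client": [REVISION_WRAP],
              "transparent": []},
}


def parse_show_vtp_status(text):
    """IOS 'show vtp status': return (operating mode, configuration revision)."""
    mode = re.search(r"VTP Operating Mode\s*:\s*(\S+)", text)
    rev = re.search(r"Configuration Revision\s*:\s*(-?\d+)", text)
    if not (mode and rev):
        raise ValueError("not recognised as IOS 'show vtp status' output")
    return mode.group(1).lower(), int(rev.group(1))


def parse_show_vtp_domain(text):
    """CatOS 'show vtp domain': the 'VLAN <Mode> <Revision>' feature row."""
    row = re.search(r"^\s*VLAN\s+(\S+)\s+(-?\d+)\s*$", text, re.M)
    if not row:
        raise ValueError("not recognised as CatOS 'show vtp domain' output")
    return row.group(1).lower(), int(row.group(2))


def assess(platform, text):
    """Which of the three issues the switch is exposed to, plus whether its
    revision counter has already wrapped (prints as a negative number)."""
    if platform == "ios":
        mode, revision = parse_show_vtp_status(text)
    elif platform == "catos":
        mode, revision = parse_show_vtp_domain(text)
    else:
        raise ValueError("platform must be 'ios' or 'catos'")
    if mode not in EXPOSURE[platform]:
        raise ValueError(f"unexpected VTP operating mode {mode!r}")
    return {
        "platform": platform,
        "mode": mode,
        "revision": revision,
        "exposed_to": list(EXPOSURE[platform][mode]),
        # A revision above 0x7FFFFFFF is displayed as a negative 32-bit value.
        "revision_wrapped": revision < 0,
    }


# Constructed samples, trimmed from the outputs shown in the response.
IOS_SERVER = """\
ios_switch#sh vtp stat
VTP Version                     : 2
Configuration Revision          : 0
VTP Operating Mode              : Server
VTP Domain Name                 : test
"""
IOS_CLIENT_WRAPPED = """\
ios_switch#sh vtp stat
VTP Version                     : 2
Configuration Revision          : -2147483648
VTP Operating Mode              : Client
VTP Domain Name                 : psirt
"""
CATOS_SERVER = """\
catos_switch> (enable) sh vtp domain
Version      : running VTP1 (VTP3 capable)
Domain Name  : test              Password  : not configured

Feature        Mode           Revision
-------------- -------------- -----------
VLAN           Server         2

Pruning             : disabled
VLANs prune eligible: 2-1000
"""

if __name__ == "__main__":
    for label, platform, text in [("ios-server", "ios", IOS_SERVER),
                                  ("ios-client", "ios", IOS_CLIENT_WRAPPED),
                                  ("catos-server", "catos", CATOS_SERVER)]:
        r = assess(platform, text)
        print(f"{label}: mode={r['mode']} revision={r['revision']} "
              f"wrapped={r['revision_wrapped']}")
        for issue in r["exposed_to"]:
            print("    exposed to:", issue)
```

Feed it the captured output of each switch (for example from a config
backup job); any device reporting "revision_wrapped" should go straight
to the recovery procedure in the integer-wrap section below.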
    

  * VTP Version field DoS:

    The VTP feature in certain versions of Cisco IOS software may be
    vulnerable to a crafted packet sent from the local network segment,
    which may lead to a denial of service condition. When a switch
    receives a specially crafted VTP summary packet, the switch will
    reset with a Software Forced Crash Exception. Messages for either
    "watchdog timeout" or "CPU hog" for the process VLAN Manager will
    be seen in the syslog messages generated by the switch prior to
    the software reset. The packets must be received on a trunk
    enabled port.

    Switches running CatOS are not affected by this vulnerability and
    will display the log message "%VTP-2-RXINVSUMMARY:rx invalid
    summary from [port number]" should a specially crafted summary
    packet be received.

    There are no workarounds for this vulnerability. Switches
    configured with a VTP domain password are still affected by this
    vulnerability. Cisco recommends that customers upgrade to a
    version of Cisco IOS that contains the fixes for either CSCsd52629
    or CSCsd34759.

  * Buffer Overflow in VTP VLAN name:

    The VTP feature in certain versions of Cisco IOS software is
    vulnerable to a buffer overflow condition and potential execution
    of arbitrary code. If a VTP summary advertisement is received with
    a Type-Length-Value (TLV) containing a VLAN name greater than 100
    characters, the receiving switch will reset with an Unassigned
    Exception error. The packets must be received on a trunk enabled
    port, with a matching domain name and a matching VTP domain
    password (if configured).

    Applying a VTP domain password to the VTP domain will prevent
    spoofed VTP summary advertisement messages from advertising an
    incorrect VLAN name. See
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/3550scg/swvtp.htm#1035247
    for further information on setting VTP domain passwords.

  * Integer Wrap in VTP revision:

    The VTP feature in certain versions of Cisco IOS software and
    Cisco CatOS software will display the configuration revision
    counter as a negative number due to an integer wrap. Normal VTP
    operation will continue if no changes are made within the VTP
    domain. With the addition of switches or the resetting of a VTP
    server's configuration revision, VTP updates may not be processed
    by other VTP servers/clients within the domain. Should any switches
    be impacted by this vulnerability, customers should execute the
    recovery procedures listed below.

    Once the VTP configuration revision exceeds 0x7FFFFFFF, the output
    for the VTP configuration revision in "show vtp status" (IOS) or
    "show vtp domain" (CatOS) will display as a negative number.
    Operation of the switch is not affected; however, further changes
    to the VLAN database may not be properly propagated throughout the
    VTP domain.
   
    Example from Cisco IOS:
   
        ios_switch#sh vtp stat
        VTP Version                     : 2
        Configuration Revision          : -2147483648
        Maximum VLANs supported locally : 1005
        Number of existing VLANs        : 17
        VTP Operating Mode              : Client
        VTP Domain Name                 : psirt
        VTP Pruning Mode                : Disabled
        VTP V2 Mode                     : Disabled
        VTP Traps Generation            : Disabled
        MD5 digest                      : <removed>
        Configuration last modified by 0.0.0.0 at 3-1-93 00:10:07
        ios_switch#
   
    Example from Cisco CatOS:
   
        catos_switch# (enable) sh vtp domain
        Version      : running VTP1 (VTP3 capable)
        Domain Name  : psirt             Password  : not configured
        Notifications: disabled          Updater ID: 0.0.0.0

        Feature        Mode           Revision
        -------------- -------------- -----------
        VLAN           Server         -2147483648

        Pruning             : disabled
        VLANs prune eligible: 2-1000
   
    Applying a VTP domain password to the VTP domain will prevent
    spoofed VTP summary advertisement messages from advertising
    0x7FFFFFFF as a configuration revision number. See
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/3550scg/swvtp.htm#1035247
    for further information on setting VTP domain passwords.
   
    To recover from a negative configuration revision caused by
    exploitation, either of the following methods can be used to
    restore VTP domain operation:

    * Change the VTP domain name on all switches.

    * Change all VTP servers/clients to transparent mode first, then
      change them back to their original server/client mode.
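
All three issues described above hinge on a handful of fields in a VTP
advertisement: the version byte, the 32-bit configuration revision, and
the length-prefixed VLAN name. The following Python parser is an added
example, not part of the Cisco response or of the Phenoelit advisory;
it decodes a VTP payload (the bytes that follow the SNAP header) using
the published VTP advertisement layout, which is assumed here rather
than taken from this response, and flags the conditions the response
names: a VLAN name longer than 100 characters, a revision above
0x7FFFFFFF (shown alongside the negative value the switch would
display, as in the examples above), and, as a heuristic only since the
response does not say which value triggers the crash, an unexpected
version byte. In this layout VLAN name fields travel in the subset
advertisement (code 0x02), so that is where the parser looks for them.
The frames it runs on are constructed by the builder functions at the
bottom, not captures. It serves the version-field, VLAN-name and
revision-wrap descriptions above together.

```python
import struct

# Published VTP advertisement layout (assumed, not from the response):
# version, code, followers/sequence, domain length, 32-byte domain, revision.
VTP_SUMMARY, VTP_SUBSET = 0x01, 0x02
HEADER_FMT = ">BBBB32sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)            # 40 bytes
# VLAN info field: info length, status, type, name length, ISL id, MTU, 802.10 index.
VLAN_INFO_FMT = ">BBBBHHI"
VLAN_INFO_LEN = struct.calcsize(VLAN_INFO_FMT)      # 12 bytes, name follows
SIGNED_MAX = 0x7FFFFFFF      # revisions above this display as negative (response text)
NAME_LIMIT = 100             # VLAN name length the response names as the overflow trigger
KNOWN_VERSIONS = {1, 2, 3}   # version check is a heuristic; the crash value is not given


def to_signed32(value):
    """Reinterpret an unsigned 32-bit revision the way 'show vtp status' prints it."""
    return struct.unpack(">i", struct.pack(">I", value))[0]


def parse_vlan_info(buf, findings):
    """Walk the VLAN info fields of a subset advertisement, recording anomalies."""
    vlans, off = [], 0
    while off + VLAN_INFO_LEN <= len(buf):
        info_len, status, vtype, name_len, vlan_id, mtu, said = \
            struct.unpack_from(VLAN_INFO_FMT, buf, off)
        name = buf[off + VLAN_INFO_LEN:off + VLAN_INFO_LEN + name_len]
        if name_len > NAME_LIMIT:
            findings.append(f"VLAN name length {name_len} exceeds {NAME_LIMIT} (VLAN id {vlan_id})")
        if len(name) < name_len:
            findings.append(f"VLAN name length {name_len} runs past the end of the packet")
        padded = (name_len + 3) & ~3            # names are padded to a 4-byte boundary
        if info_len != VLAN_INFO_LEN + padded:
            findings.append(f"VLAN info length {info_len} inconsistent with name length {name_len}")
        vlans.append({"id": vlan_id, "name": name.decode("ascii", "replace"),
                      "name_len": name_len, "mtu": mtu, "said": said,
                      "status": status, "type": vtype})
        if info_len < VLAN_INFO_LEN:
            break                                # never loop on a zero/short length
        off += info_len
    return vlans


def parse_vtp(payload):
    """Decode one VTP advertisement; 'findings' lists the suspicious conditions."""
    if len(payload) < HEADER_LEN:
        raise ValueError("payload shorter than a VTP header")
    version, code, third, dom_len, domain_raw, revision = struct.unpack_from(HEADER_FMT, payload, 0)
    findings = []
    if version not in KNOWN_VERSIONS:
        findings.append(f"unexpected VTP version {version}")
    if dom_len > 32:
        findings.append(f"domain length {dom_len} exceeds the 32-byte field")
        dom_len = 32
    if revision > SIGNED_MAX:
        findings.append(f"revision 0x{revision:08X} would display as {to_signed32(revision)}")
    result = {"version": version, "code": code,
              "domain": domain_raw[:dom_len].decode("ascii", "replace"),
              "revision": revision, "revision_signed": to_signed32(revision),
              "vlans": [], "findings": findings}
    if code == VTP_SUMMARY:
        result["followers"] = third
        if len(payload) < HEADER_LEN + 32:       # updater id(4) + timestamp(12) + MD5(16)
            findings.append("summary advertisement truncated")
        else:
            result["updater"] = ".".join(str(b) for b in payload[HEADER_LEN:HEADER_LEN + 4])
            result["md5"] = payload[HEADER_LEN + 16:HEADER_LEN + 32].hex()
    elif code == VTP_SUBSET:
        result["sequence"] = third
        result["vlans"] = parse_vlan_info(payload[HEADER_LEN:], findings)
    else:
        findings.append(f"unhandled VTP code {code}")
    return result


# Builders for constructed frames (no real capture is included here).
def build_summary(version, domain, revision, followers=0):
    hdr = struct.pack(HEADER_FMT, version, VTP_SUMMARY, followers, len(domain), domain.encode(), revision)
    return hdr + bytes(4) + bytes(12) + bytes(16)   # updater id, timestamp, MD5 digest zeroed


def build_subset(version, domain, revision, vlans, seq=1):
    body = struct.pack(HEADER_FMT, version, VTP_SUBSET, seq, len(domain), domain.encode(), revision)
    for vlan_id, name in vlans:
        raw = name.encode()
        raw += bytes((-len(raw)) % 4)
        body += struct.pack(VLAN_INFO_FMT, VLAN_INFO_LEN + len(raw), 1, 1, len(name),
                            vlan_id, 1500, 100000 + vlan_id) + raw
    return body


if __name__ == "__main__":
    samples = {
        "benign summary": build_summary(2, "test", 5),
        "wrapped revision": build_summary(2, "psirt", 0x80000000),
        "oversized VLAN name": build_subset(2, "test", 6, [(1, "default"), (999, "A" * 120)]),
    }
    for label, frame in samples.items():
        r = parse_vtp(frame)
        print(f"{label}: revision {r['revision']} (shown as {r['revision_signed']}), "
              f"findings={r['findings']}")
```

Pointed at VTP frames pulled off a trunk (SNAP protocol ID 0x2003), this
gives a quick triage view of what an attacker would have to put on the
wire; it says nothing about whether the receiving switch runs a fixed
release, which remains the upgrade question the response addresses.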
   

For further information on VTP please refer to:
http://www.cisco.com/warp/public/473/21.html

For further information on Layer 2 security practices please refer to:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml#wp998892

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

Revision History
================

+-----------------------------------------------------------+
| Revision 1.0 | 2006-September-13 | Initial public release |
+-----------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (SunOS)

iD8DBQFFCEg98NUAbBmDaxQRAt2GAKCxKyMSO3hVrbJBv7ydndZ7rQgZ/QCgpSu+
qbKHcDMSTtHi1KW2QSPV+A8=
=OBcn
-----END PGP SIGNATURE-----