Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Cisco IOS VTP issues-2



> -----Original Message-----
> From: psirt@xxxxxxxxx [mailto:psirt@xxxxxxxxx] 
> Sent: Wednesday, September 13, 2006 10:27 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: Cisco IOS VTP issues
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello,
> This is a Cisco response to an advisory published by FX of Phenoelit
> posted as of September 13, 2006 at: 
> http://www.securityfocus.com/archive/1/445896/30/0/threaded
> and entitled "Cisco Systems IOS VTP multiple vulnerabilities".
> 
> An official response is located at:
> http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
> 
> These vulnerabilities are addressed by Cisco bug IDs:
> 
>   * CSCsd52629/CSCsd34759 -- VTP version field DoS
>    
>   * CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
>    
>   * CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name
>    
> We would like to thank FX and Phenoelit Group for reporting these
> vulnerabilities to us. We greatly appreciate the opportunity to work
> with researchers on security vulnerabilities, and welcome the
> opportunity to review and assist in security vulnerability reports
> against Cisco products.
> 
> Additional Information
> ======================
> 
> VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that
> maintains VLAN configuration consistency by managing the addition,
> deletion, and renaming of VLANs on a network-wide basis. When you
> configure a new VLAN on one VTP server, the VLAN configuration
> information is distributed via the VTP protocol through all switches
> in the domain. This reduces the need to configure the same VLAN
> everywhere. VTP is a Cisco-proprietary protocol that is available on
> most of the Cisco Catalyst series products in both Cisco IOS and
> Cisco CatOS system software.
> 
> Products affected by these vulnerabilities:
> +------------------------------------------
> 
>   * Switches running affected versions of Cisco IOS and have VTP
>     Operating Mode as either "server" or "client" are affected by all
>     three vulnerabilities.
>   * Switches running affected versions of Cisco CatOS and have VTP
>     Operating Mode as either "server" or "client" are only affected
>     by "Integer Wrap in VTP revision" vulnerability.
> 
> Products not affected by these vulnerabilities:
> +----------------------------------------------
> 
>   * Switches configured with VTP operating mode as "transparent".
>   * Switches running CatOS with VTP Operating Mode as either "server"
>     or "client" are not affected by "Buffer Overflow in VTP VLAN
>     name" or "VTP Version field DoS" vulnerabilities.
> 
> To determine the VTP mode on the switch, log into the device and
> issue the "show vtp status" (IOS) or "show vtp domain" (CatOS) 
> command.  Switches that show either "Server" or "Client" as the VTP
> operating mode are affected by these vulnerabilities.
> 
> An example is shown below for Cisco IOS with VTP operating in
> "Server" mode:
>     
>     ios_switch#sh vtp stat  
>     VTP Version                     : 2
>     Configuration Revision          : 0
>     Maximum VLANs supported locally : 1005
>     Number of existing VLANs        : 5
>     VTP Operating Mode              : Server
>     VTP Domain Name                 : test
>     VTP Pruning Mode                : Disabled
>     VTP V2 Mode                     : Enabled
>     VTP Traps Generation            : Disabled
>     MD5 digest                      : <removed> 
>     Configuration last modified by 0.0.0.0 at 3-1-93 04:02:09
>     ios_switch#
> 
> An example is shown below for Cisco CatOS with VTP operating in
> "Server" mode:
>     
>     catos_switch> (enable) sh vtp domain
>     Version      : running VTP1 (VTP3 capable)
>     Domain Name  : test              Password  : not configured
>     Notifications: disabled          Updater ID: 0.0.0.0
>     
>     Feature        Mode           Revision
>     -------------- -------------- -----------
>     VLAN           Server         2          
>     
>     Pruning             : disabled
>     VLANs prune eligible: 2-1000
>     catos_switch> (enable) 
>     
> 
>   * VTP Version field DoS:
>    
>     The VTP feature in certain versions of Cisco IOS software may be
>     vulnerable to a crafted packet sent from the local network
>     segment which may lead to a denial of service condition. When a
>     switch receives a specially crafted VTP summary packet, the 
>     switch will reset with a Software Forced Crash Exception. 
>     Messages for either "watchdog timeout" or "CPU hog" for process
>     VLAN Manager will be seen prior to the software reset within the
>     syslog messages generated by the switch.
>     The packets must be received on a trunk-enabled port.
>  
>     Switches running CatOS are not affected by this vulnerability and
>     will display a log message "%VTP-2-RXINVSUMMARY:rx invalid
>     summary from [port number]" should a specially crafted summary
>     packet be received.
> 
>     There are no workarounds for this vulnerability. Switches
>     configured with a VTP domain password are still affected by this
>     vulnerability. Cisco recommends that customers upgrade to a
>     version of Cisco IOS that contains the fixes for either 
>     CSCsd52629 or CSCsd34759.
> 
>   * Buffer Overflow in VTP VLAN name:
>    
>     The VTP feature in certain versions of Cisco IOS software is
>     vulnerable to a buffer overflow condition and potential execution
>     of arbitrary code. If a VTP summary advertisement is received
>     with a Type-Length-Value (TLV) containing a VLAN name greater
>     than 100 characters, the receiving switch will reset with an
>     Unassigned Exception error. The packets must be received on a
>     trunk-enabled port, with a matching domain name and a matching
>     VTP domain password (if configured).
> 
>     Applying a VTP domain password to the VTP domain will prevent
>     spoofed VTP summary advertisement messages from advertising an
>     incorrect VLAN name. See http://www.cisco.com/univercd/cc/td/doc/
>     product/lan/c3550/12119ea1/3550scg/swvtp.htm#1035247 for further
>     information on setting VTP domain passwords.
> 
>   * Integer Wrap in VTP revision:
>    
>     The VTP feature in certain versions of Cisco IOS software and
>     Cisco CatOS software will display statistic counters as a
>     negative number due to an integer wrap. Normal VTP operation will
>     occur if no changes are made within the VTP domain. With the 
>     addition of switches or resetting of a VTP server configuration 
>     revision, VTP updates potentially may not be processed by other
>     VTP servers/clients within the domain. Should any switches be 
>     impacted by this vulnerability, customers should execute the
>     recovery procedures as listed below.
>    
>     Once the VTP configuration revision exceeds 0x7FFFFFFF, the
>     output for the VTP configuration revision in "show vtp status"
>     (IOS) or "show vtp domain" (CatOS) will display as a negative
>     number. Operation of the switch is not affected, however further
>     changes to the VLAN database may not be properly propagated
>     throughout the VTP domain.
>    
>     Example from Cisco IOS:
>    
>         ios_switch#sh vtp stat
>         VTP Version                     : 2
>         Configuration Revision          : -2147483648
>         Maximum VLANs supported locally : 1005
>         Number of existing VLANs        : 17
>         VTP Operating Mode              : Client
>         VTP Domain Name                 : psirt
>         VTP Pruning Mode                : Disabled
>         VTP V2 Mode                     : Disabled
>         VTP Traps Generation            : Disabled
>         MD5 digest                      : <removed> 
>         Configuration last modified by 0.0.0.0 at 3-1-93 00:10:07
>         ios_switch#
>    
>     Example from Cisco CatOS:
>    
>         catos_switch# (enable) sh vtp domain
>         Version      : running VTP1 (VTP3 capable)
>         Domain Name  : psirt             Password  : not configured
>         Notifications: disabled          Updater ID: 0.0.0.0
>         
>         Feature        Mode           Revision
>         -------------- -------------- -----------
>         VLAN           Server         -2147483648
>         
>         Pruning             : disabled
>         VLANs prune eligible: 2-1000
>    
>     Applying a VTP domain password to the VTP domain will prevent
>     spoofed VTP summary advertisement messages from advertising
>     0x7FFFFFFF as a configuration revision number. See http://
>     www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/
>     3550scg/swvtp.htm#1035247 for further information on setting VTP
>     domain passwords.
>    
>     To recover from the negative configuration revision due to
>     exploitation, the following methods can be performed to recover
>     the VTP domain operations:
>    
>     * Change VTP domain names on all switches.
>    
>     * Change all VTP servers/clients to transparent mode first. Then
>       change back to their original server/client mode.
>    
> 
> For further information on VTP please refer to: 
> http://www.cisco.com/warp/public/473/21.html
> 
> For further information on Layer 2 security practices please refer
> to: 
> http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/
> networking_solutions_white_paper09186a008014870f.shtml#wp998892
> 
> Regards
> Paul Oxman
> PSIRT Incident Manager
> Cisco Systems 
> 
> 
> 
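As an added example (not part of the forwarded Cisco advisory and not Cisco tooling), the following Python check parses the two kinds of output quoted above ("show vtp status" on IOS, "show vtp domain" on CatOS), reports whether the switch is in a VTP mode the advisory lists as affected (server or client), and detects a wrapped configuration revision by the negative value the advisory describes. The sample outputs are constructed from the advisory's examples; the function names are the example's own.

```python
import re

# Constructed samples modelled on the advisory's IOS "show vtp status" and
# CatOS "show vtp domain" output. -2147483648 is the wrapped revision the
# advisory shows once the counter passes 0x7FFFFFFF.
IOS_WRAPPED = """\
VTP Version                     : 2
Configuration Revision          : -2147483648
VTP Operating Mode              : Client
VTP Domain Name                 : psirt
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:07
"""
CATOS_HEALTHY = """\
Version      : running VTP1 (VTP3 capable)
Domain Name  : test              Password  : not configured
Feature        Mode           Revision
-------------- -------------- -----------
VLAN           Transparent    2
VLANs prune eligible: 2-1000
"""

def to_signed32(value):
    """Show how a 32-bit revision counter is rendered by the switch: values
    above 0x7FFFFFFF are displayed as negative (signed 32-bit interpretation)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value

def parse_vtp(text):
    """Return (mode, revision) from either IOS or CatOS VTP output."""
    mode = revision = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^VTP Operating Mode\s*:\s*(\S+)", line)      # IOS mode
        if m:
            mode = m.group(1)
        m = re.match(r"^Configuration Revision\s*:\s*(-?\d+)", line)  # IOS revision
        if m:
            revision = int(m.group(1))
        m = re.match(r"^VLAN\s+(\S+)\s+(-?\d+)", line)  # CatOS feature table row
        if m:
            mode, revision = m.group(1), int(m.group(2))
    return mode, revision

def assess(text):
    """Exposed = server/client mode (per the advisory); wrapped = negative revision."""
    mode, revision = parse_vtp(text)
    exposed = mode is not None and mode.lower() in ("server", "client")
    wrapped = revision is not None and revision < 0
    return {"mode": mode, "revision": revision,
            "exposed": exposed, "revision_wrapped": wrapped}
```

A wrapped revision on an exposed switch is the condition under which the advisory's recovery steps (change the domain name everywhere, or cycle every server/client through transparent mode) apply.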



 




Copyright © Lexa Software, 1996-2009.