September 2006
Cisco Security Response: cisco-sr-20060913-vtp.shtml - Cisco VLAN Trunking Protocol Vulnerabilities
ID: 00621
Ref: 596/2006
Date: 14 September 2006:14:55:32
Version: 1
Title: Cisco Security Response: cisco-sr-20060913-vtp.shtml - Cisco VLAN Trunking Protocol Vulnerabilities
Abstract: Cisco Security Response: cisco-sr-20060913-vtp.shtml - Cisco VLAN Trunking Protocol Vulnerabilities
Vendors affected: Cisco
Operating systems affected: Cisco
Applications affected: Cisco
Title
=====
Cisco Security Response: cisco-sr-20060913-vtp.shtml - Cisco VLAN Trunking
Protocol Vulnerabilities
Detail
======
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Response: Cisco VLAN Trunking Protocol Vulnerabilities
=====================================================================
Response ID: cisco-sr-20060913-vtp.shtml
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
Revision 1.0
============
For Public Release 2006 September 13 1700 UTC (GMT)
+--------------------------------------------------------------------
Contents
========
Cisco Response
Additional Information
Revision History
Cisco Security Procedures
+--------------------------------------------------------------------
Cisco Response
==============
This is a Cisco response to an advisory published by FX of Phenoelit
posted as of September 13, 2006 at:
http://www.securityfocus.com/archive/1/445896/30/0/threaded,
and entitled "Cisco Systems IOS VTP multiple vulnerabilities".
These vulnerabilities are addressed by Cisco bug IDs:
* CSCsd52629/CSCsd34759 -- VTP version field DoS
* CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
* CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name
We would like to thank FX and Phenoelit Group for reporting these
vulnerabilities to us. We greatly appreciate the opportunity to work
with researchers on security vulnerabilities, and welcome the
opportunity to review and assist in security vulnerability reports
against Cisco products.
Additional Information
======================
VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that
maintains VLAN configuration consistency by managing the addition,
deletion, and renaming of VLANs on a network-wide basis. When you
configure a new VLAN on one VTP server, the VLAN configuration
information is distributed via the VTP protocol through all switches
in the domain. This reduces the need to configure the same VLAN
everywhere. VTP is a Cisco-proprietary protocol that is available on
most of the Cisco Catalyst series products in both Cisco IOS and
Cisco CatOS system software.
Products affected by these vulnerabilities:
+------------------------------------------
* Switches running affected versions of Cisco IOS and have VTP
Operating Mode as either "server" or "client" are affected by all
three vulnerabilities.
* Switches running affected versions of Cisco CatOS and have VTP
Operating Mode as either "server" or "client" are only affected
by "Integer Wrap in VTP revision" vulnerability.
Products not affected by these vulnerabilities:
+----------------------------------------------
* Switches configured with VTP operating mode as "transparent".
* Switches running CatOS with VTP Operating Mode as either "server"
or "client" are not affected by "Buffer Overflow in VTP VLAN
name" or "VTP Version field DoS" vulnerabilities
To determine the VTP mode on the switch, log into the device and
issue the "show vtp status" (IOS) or "show vtp domain" (CatOS)
command. Switches that show either "Server" or "Client" as the VTP
operating mode are affected by these vulnerabilities.
An example is shown below for Cisco IOS with VTP operating in
"Server" mode:
ios_switch#sh vtp stat
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : test
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest :
Configuration last modified by 0.0.0.0 at 3-1-93 04:02:09
ios_switch#
An example is shown below for Cisco CatOS with VTP operating in
"Server" mode:
catos_switch> (enable) sh vtp domain
Version : running VTP1 (VTP3 capable)
Domain Name : test Password : not configured
Notifications: disabled Updater ID: 0.0.0.0
Feature Mode Revision
-------------- -------------- -----------
VLAN Server 2
Pruning : disabled
VLANs prune eligible: 2-1000
catos_switch> (enable)
* VTP Version field DoS:
The VTP feature in certain versions of Cisco IOS software may be
vulnerable to a crafted packet sent from the local network
segment which may lead to a denial of service condition. When a
switch receives a specially crafted VTP summary packet, the
switch will reset with a Software Forced Crash Exception.
Messages for either "watchdog timeout" or "CPU hog" for process
VLAN Manager will be seen prior to the software reset within the
syslog messages generated by the switch.
The packets must be received on a trunk enabled port.
Switches running CatOS are not affected by this vulnerability and
will display a log message "%VTP-2-RXINVSUMMARY:rx invalid
summary from [port number]" should a specially crafted summary
packet be received.
There are no workarounds for this vulnerability. Switches
configured with a VTP domain password are still affected by this
vulnerability. Cisco recommends that customer upgrade to a
version of Cisco IOS that contains the fixes for either
CSCsd52629 or CSCsd34759.
* Buffer Overflow in VTP VLAN name:
The VTP feature in certain versions of Cisco IOS software is
vulnerable to a buffer overflow condition and potential execution
of arbitrary code. If a VTP summary advertisement is received
with a Type-Length-Value (TLV) containing a VLAN name greater
than 100 characters, the receiving switch will reset with an
Unassigned Exception error. The packets must be received on a
trunk enabled port, with a matching domain name and a matching
VTP domain password (if configured).
Applying a VTP domain password to the VTP domain will prevent
spoofed VTP summary advertisement message from advertising an
incorrect VLAN name. See http://www.cisco.com/univercd/cc/td/doc/
product/lan/c3550/12119ea1/3550scg/swvtp.htm#1035247 for further
information on setting VTP domain passwords.
* Integer Wrap in VTP revision:
The VTP feature in certain versions of Cisco IOS software and
Cisco CatOS software will display statistic counters as a
negative number due to an integer wrap. Normal VTP operation will
occur if no changes are made within the VTP domain. With the
addition of switches or resetting of a VTP server configuration
revision, VTP updates potentially may not be processed by other
VTP servers/clients within the domain. Should any switches be
impacted by this vulnerability, customers should execute the
recovery procedures as listed below.
Once the VTP configuration revision exceeds 0x7FFFFFFF, the
output for the VTP configuration revision in "show vtp status"
(IOS) or "show vtp domain" (CatOS) will display as a negative
number. Operation of the switch is not affected, however further
changes to the VLAN database may not be properly propagated
throughout the VTP domain.
Example from Cisco IOS:
ios_switch#sh vtp stat
VTP Version : 2
Configuration Revision : -2147483648
Maximum VLANs supported locally : 1005
Number of existing VLANs : 17
VTP Operating Mode : Client
VTP Domain Name : psirt
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest :
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:07
ios_switch#
Example from Cisco CatOS:
catos_switch# (enable) sh vtp domain
Version : running VTP1 (VTP3 capable)
Domain Name : psirt Password : not configured
Notifications: disabled Updater ID: 0.0.0.0
Feature Mode Revision
-------------- -------------- -----------
VLAN Server -2147483648
Pruning : disabled
VLANs prune eligible: 2-1000
Applying a VTP domain password to the VTP domain will prevent
spoofed VTP summary advertisement messages from advertising
0x7FFFFFFF as a configuration revision number. See http://
www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/
3550scg/swvtp.htm#1035247 for further information on setting VTP
domain passwords
To recover from the negative configuration revision due to
exploitation, the following methods can be performed to recover
the VTP domain operations:
* Change VTP domain names on all switches.
* Change all VTP servers/clients to transparent mode first. Then
change back to their original server/client mode.
For further information on VTP please refer to:
http://www.cisco.com/warp/public/473/21.html
For further information on Layer 2 security practices please refer
to:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/
networking_solutions_white_paper09186a008014870f.shtml#wp998892
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2006-September-13 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (SunOS)
iD8DBQFFCEg98NUAbBmDaxQRAt2GAKCxKyMSO3hVrbJBv7ydndZ7rQgZ/QCgpSu+
qbKHcDMSTtHi1KW2QSPV+A8=
=OBcn
- -----END PGP SIGNATURE-----