-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2008.1022 -- [Appliance][Cisco]
                Cisco VLAN Trunking Protocol Vulnerability
                              6 November 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Publisher:            Cisco Systems
Operating System:     Cisco
                      Network Appliance
Impact:               Denial of Service
Access:               Remote/Unauthenticated

Original Bulletin:    
  http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Cisco VLAN Trunking Protocol Vulnerability

http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml

Revision 1.0

For Public Release 2008 November 5 1600 UTC (GMT)

Cisco Response
==============

This is the Cisco response to research done by 'showrun.lee'
pertaining to a crafted VTP packet denial of service vulnerability.

We would like to thank 'showrun.lee' for reporting this vulnerability
to us.

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in security vulnerability reports against Cisco products.

This vulnerability is being addressed by Cisco Bug IDs:

  * CSCsv05934 - Crafted VTP packet crashes device running IOS
  * CSCsv11741 - Crafted VTP packet crashes switch running CatOS

Additional Information
======================

The VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that
maintains VLAN configuration consistency by managing the addition,
deletion, and renaming of VLANs on a network-wide basis. When a
network administrator makes any configuration changes to the VLAN
setup on one device working as a VTP server, said configuration is
then distributed via the VTP protocol through all switches in the
domain. This reduces the need for replicating this VLAN configuration
manually across switches. VTP is a Cisco-proprietary protocol that is
available on most of the Cisco Catalyst series products using both
Cisco IOS and Cisco CatOS system software.

Cisco's VTP implementation in some versions of Cisco IOS and CatOS may
be vulnerable to a DoS attack via a specially crafted VTP packet sent
from the local network segment when the device is operating in either
server or client VTP mode. When the device receives the specially
crafted VTP packet, the switch may crash and reload or hang. The
crafted packet must be received on a switch interface configured to
operate as a trunk port.

Devices without a VTP domain name configured are still vulnerable.
For devices that do not require VTP, administrators should set the
VTP mode to "transparent" via the CLI command "vtp mode transparent".
Devices configured with a VTP domain password are also still
vulnerable: an attacker does not need to know the VTP domain password
to exploit this issue. Switch configuration best practices limit
exposure by disabling the Dynamic Trunking Protocol (DTP) on all
switch ports that are not required to operate as trunk ports. See
"Best Practices for Catalyst 6500/6000 Series and Catalyst 4500/4000
Series Switches Running Cisco IOS Software" and "Best Practices for
Catalyst 4500/4000, 5500/5000, and 6500/6000 Series Switches Running
CatOS Configuration and Management" for further information:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml#cg4

http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml#dtp

Products affected by this vulnerability:

  * Devices running affected versions of Cisco IOS or CatOS that have
    VTP Operating Mode as either "server" or "client".
  * Devices running affected versions of Cisco IOS with Ethernet
    Switch Modules for Cisco 1800/2600/2800/3600/3700/3800 Series
    Routers that have VTP Operating Mode as either "server" or
    "client".

Products not affected by these vulnerabilities:

  * Devices configured with VTP operating mode as "transparent".
  * Devices configured with VTP version 3 (CatOS only)

To determine the current VTP operating mode on a Cisco device, log
into the device and issue the "show vtp status" command on an IOS
device or the "show vtp domain" command on a CatOS device. Switches
that show either "server" or "client" as the VTP operating mode are
affected by this vulnerability.

The following example shows a device running Cisco IOS and operating
in VTP "server" mode:

    ios_switch#show vtp status  
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 5
    VTP Operating Mode              : Server
    VTP Domain Name                 : test
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Enabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : <removed> 
    Configuration last modified by 0.0.0.0 at 3-1-93 04:02:09
    ios_switch#

The following example shows a device running Cisco CatOS and
operating in VTP "server" mode:

    catos_switch> (enable) show vtp domain
    Version      : running VTP1 (VTP3 capable)
    Domain Name  : test              Password  : not configured
    Notifications: disabled          Updater ID: 0.0.0.0
        
    Feature        Mode           Revision
    -------------- -------------- -----------
    VLAN           Server         2          
    
    Pruning             : disabled
    VLANs prune eligible: 2-1000
    catos_switch> (enable)
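The two command outputs above are what an administrator has to read, one device at a time, to decide whether a switch falls under the affected or the not-affected list. The following script is an added example (not Cisco's or AusCERT's code) that applies the advisory's own criteria to captured output: server or client mode is affected, transparent mode is not, and a CatOS switch running VTP version 3 is not. The IOS and CatOS samples embedded in it are copied from the advisory's examples; the transparent-mode sample and the device names are constructed for the negative case.

```python
import re

# Sample CLI output. The first two blocks are copied from the advisory's
# examples; the third is a constructed transparent-mode sample.
IOS_SERVER_SAMPLE = """\
ios_switch#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : test
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : <removed>
Configuration last modified by 0.0.0.0 at 3-1-93 04:02:09
ios_switch#
"""

CATOS_SERVER_SAMPLE = """\
catos_switch> (enable) show vtp domain
Version      : running VTP1 (VTP3 capable)
Domain Name  : test              Password  : not configured
Notifications: disabled          Updater ID: 0.0.0.0

Feature        Mode           Revision
-------------- -------------- -----------
VLAN           Server         2

Pruning             : disabled
VLANs prune eligible: 2-1000
catos_switch> (enable)
"""

IOS_TRANSPARENT_SAMPLE = """\
ios_switch#show vtp status
VTP Version                     : 2
VTP Operating Mode              : Transparent
VTP Domain Name                 : test
ios_switch#
"""

# IOS prints one "Key : Value" pair per line with spaces around the colon.
IOS_FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s+:\s+(.*?)\s*$")
# CatOS: running VTP version, domain name, and the VLAN feature row
# ("VLAN <Mode> <Revision>") from the feature table.
CATOS_VERSION = re.compile(r"running VTP(\d)")
CATOS_DOMAIN = re.compile(r"Domain Name\s*: ?(\S*)")
CATOS_VLAN_ROW = re.compile(r"^\s*VLAN\s+(\S+)\s+(\d+)\s*$", re.MULTILINE)


def parse_ios_vtp_status(text):
    """Return the 'show vtp status' key/value pairs as a dict."""
    fields = {}
    for line in text.splitlines():
        m = IOS_FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_catos_vtp_domain(text):
    """Return version, domain, mode and revision from 'show vtp domain'."""
    info = {}
    m = CATOS_VERSION.search(text)
    if m:
        info["version"] = int(m.group(1))
    m = CATOS_DOMAIN.search(text)
    if m:
        info["domain"] = m.group(1)
    m = CATOS_VLAN_ROW.search(text)
    if m:
        info["mode"] = m.group(1)
        info["revision"] = int(m.group(2))
    return info


def assess(platform, output):
    """Apply the advisory's criteria to one device's captured output."""
    if platform == "ios":
        mode = parse_ios_vtp_status(output).get("VTP Operating Mode", "").lower()
        catos_v3 = False
    elif platform == "catos":
        info = parse_catos_vtp_domain(output)
        mode = info.get("mode", "").lower()
        catos_v3 = info.get("version") == 3
    else:
        raise ValueError("platform must be 'ios' or 'catos'")

    if not mode:
        return {"mode": None, "affected": None, "reason": "VTP mode not found"}
    if mode == "transparent":
        return {"mode": mode, "affected": False, "reason": "transparent mode is not affected"}
    if catos_v3:
        return {"mode": mode, "affected": False, "reason": "CatOS running VTP version 3 is not affected"}
    if mode in ("server", "client"):
        return {"mode": mode, "affected": True,
                "reason": f"{mode} mode on {platform} is affected",
                "action": "set 'vtp mode transparent' where VTP is not required; "
                          "disable DTP on ports that need not be trunks"}
    return {"mode": mode, "affected": None, "reason": f"unrecognised VTP mode '{mode}'"}


if __name__ == "__main__":
    # Constructed inventory: (device name, platform, captured output).
    for name, platform, output in [("sw-core-1", "ios", IOS_SERVER_SAMPLE),
                                   ("sw-dist-2", "catos", CATOS_SERVER_SAMPLE),
                                   ("sw-edge-3", "ios", IOS_TRANSPARENT_SAMPLE)]:
        r = assess(platform, output)
        print(f"{name:10} {platform:6} mode={r['mode']!s:12} affected={r['affected']}  {r['reason']}")
```

Feed it the real captured output of every switch in the inventory and the devices that still need "vtp mode transparent" (or a DTP review on their non-trunk ports) fall out as the `affected=True` rows; anything returned with `affected=None` is output the parser could not classify and should be checked by hand rather than assumed safe.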

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Revision History
================

+----------+-----------------+------------------------+
| Revision | Date            | Description            |
+----------+-----------------+------------------------+
| 1.0      | 2008-November-5 | Initial public release |
+----------+-----------------+------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at:

http://www.cisco.com/go/psirt
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iD8DBQFJEcP686n/Gc8U/uARAuNkAJ4/chmZxABwfS3TMvYlMVQvnlyt/QCeLRpy
VVaw0JqW9wqvVCdARmMjYYI=
=H1JU
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSRI53Ch9+71yA2DNAQKuTAP8DxVzjAI/oim9AkCjObVatr3GVCqMjKYn
H5hqsK2Xaw6u6pWbUzEP701Df1N3iBxvKM6kflX2yaqJ4dOBOHSYUvXuffkwvlce
0DIFiq9J/iziUq/cjbQRfGEfXkpNMPZrR9Ze/Ro5+mg6clzpjVYPTgbUhDr5d/Ry
EDx41qlorXI=
=ikgB
-----END PGP SIGNATURE-----