Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured Interfaces

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured Interfaces
From: csirt@xxxxxxxxxxxxxxxxxxx
Date: 10 Jun 2005 14:05:20 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

==========================================================================
Title: Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured 
Interfaces Vulnerability Discovery: FishNet Security - 
http://www.fishnetsecurity.com
Date: 06/08/2005
Severity: Medium - Voice VLAN locally accessible despite voice-enabled ports 
being 802.1x-secured
Vendor: http://www.cisco.com
==========================================================================
==========================================================================

Summary:

Cisco switches that support both 802.1x security and Cisco IP Phones have the 
ability to differentiate between access of the voice VLAN by Cisco IP Phones 
and access of the data VLAN by devices connected to the auxiliary ports 
(daisy-chained) of IP Phones. Thus 802.1x port-level security can be achieved 
on switch ports connected to Cisco IP Phones which are, in turn, connected to 
end-user devices.

--------------------------------------------------------------------------

Description of Issue:

In this configuration data VLAN access provided to devices connected to IP 
Phone auxiliary ports is authenticated via 802.1x. Unfortunately access to the 
voice VLAN cannot be so securely authenticated due to the lack of 802.1x 
supplicant software in Cisco IP Phones. It has been found that a specifically 
crafted Cisco Discovery Protocol (CDP) message is sent from the Cisco IP Phone 
to the switch which opens access to the voice VLAN for frames originating from 
that Cisco IP Phone's MAC address. Although 802.1x port-security may be 
configured on the switch port voice VLAN access is trivially gained by spoofing 
a CDP message.

--------------------------------------------------------------------------

Risk Mitigation:

There is no *fix* to this issue as of yet. The true resolution would be to 
provide 802.1x supplicant software on IP phones such that voice VLAN and data 
VLAN access are both 802.1x authenticated. Traditionally, access to the voice 
VLAN of a voice-enabled system such as is described above was provided by a 
switch to any device without authentication. Cisco has provided the ability to 
differentiate between phones and other devices albeit in a such away that voice 
VLAN access is still trivially gained. It should be noted that this 
configuration is still preferred over the old method which uses no  
authentication for either VLAN. However, it is still important to note that 
true port-level authentication is still not being provided. Currently the best 
way to mitigate the risk introduced by unauthorized voice VLAN access is to 
implement traditional security measures as well as some of the advanced 
security features available in Cisco networking equipment. Cisco CallManager 
4.x and 
 certain Cisco IP Phones now support the authentication of phone registration 
through the use of certificates. Features like this reduce the risk of 
unauthorized voice VLAN access if other necessary controls are also put into 
place such as the following: 

* Disable telnet on phones.

* Always use cryptographically secure management protocols such as SSH, HTTPS, 
and SNMPv3 when possible to lower the risk of eavesdropping that ARP poisoning 
and DNS manipulation attacks present.

* Disable all administrative access to network infrastructure from voice VLAN 
addresses.

* Configure dynamic ARP inspection to lower the risk of ARP poisoning attacks.

* Configure DHCP snooping to lower the risk of DHCP server spoofing attacks.

* Configure limits on the amount of MAC addresses allowed to be connected to a 
switch port. This will lower the risk of port-stealing by overwhelming the 
switch CAM table.

* Configure storm control to limit the risk of a DOS attack via non-unicast 
traffic.

* Configure proper filtering between voice and data networks to ensure that 
even if unauthorized voice VLAN access is achieved the risk presented by this 
access is less than the risk posed by unauthorized data VLAN access.

--------------------------------------------------------------------------

References:
http://www.fishnetsecurity.com/csirt/disclosure/cisco/
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b7a50.shtml

Prev by Date: osCommere HTTP Response Splitting
Next by Date: Webhints v1.03 Remote Command Execution
Previous by thread: RE: osCommere HTTP Response Splitting (Solution)
Next by thread: Webhints v1.03 Remote Command Execution
Index(es):
- Date
- Thread