Re: Cisco IOS VTP issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
This is a Cisco response to an advisory published by FX of Phenoelit
posted as of September 13, 2006 at:
http://www.securityfocus.com/archive/1/445896/30/0/threaded
and entitled "Cisco Systems IOS VTP multiple vulnerabilities".
An official response is located at:
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
These vulnerabilities are addressed by Cisco bug IDs:
* CSCsd52629/CSCsd34759 -- VTP version field DoS
* CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
* CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name
We would like to thank FX and Phenoelit Group for reporting these
vulnerabilities to us. We greatly appreciate the opportunity to work
with researchers on security vulnerabilities, and welcome the
opportunity to review and assist in security vulnerability reports
against Cisco products.
Additional Information
======================
VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that
maintains VLAN configuration consistency by managing the addition,
deletion, and renaming of VLANs on a network-wide basis. When you
configure a new VLAN on one VTP server, the VLAN configuration
information is distributed via the VTP protocol through all switches
in the domain. This reduces the need to configure the same VLAN
everywhere. VTP is a Cisco-proprietary protocol that is available on
most of the Cisco Catalyst series products in both Cisco IOS and
Cisco CatOS system software.
Products affected by these vulnerabilities:
+------------------------------------------
* Switches running affected versions of Cisco IOS and have VTP
Operating Mode as either "server" or "client" are affected by all
three vulnerabilities.
* Switches running affected versions of Cisco CatOS and have VTP
Operating Mode as either "server" or "client" are only affected
by "Integer Wrap in VTP revision" vulnerability.
Products not affected by these vulnerabilities:
+----------------------------------------------
* Switches configured with VTP operating mode as "transparent".
* Switches running CatOS with VTP Operating Mode as either "server"
or "client" are not affected by "Buffer Overflow in VTP VLAN
name" or "VTP Version field DoS" vulnerabilities
To determine the VTP mode on the switch, log into the device and
issue the "show vtp status" (IOS) or "show vtp domain" (CatOS)
command. Switches that show either "Server" or "Client" as the VTP
operating mode are affected by these vulnerabilities.
An example is shown below for Cisco IOS with VTP operating in
"Server" mode:
ios_switch#sh vtp stat
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : test
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : <removed>
Configuration last modified by 0.0.0.0 at 3-1-93 04:02:09
ios_switch#
An example is shown below for Cisco CatOS with VTP operating in
"Server" mode:
catos_switch> (enable) sh vtp domain
Version : running VTP1 (VTP3 capable)
Domain Name : test Password : not configured
Notifications: disabled Updater ID: 0.0.0.0
Feature Mode Revision
-------------- -------------- -----------
VLAN Server 2
Pruning : disabled
VLANs prune eligible: 2-1000
catos_switch> (enable)
* VTP Version field DoS:
The VTP feature in certain versions of Cisco IOS software may be
vulnerable to a crafted packet sent from the local network
segment which may lead to a denial of service condition. When a
switch receives a specially crafted VTP summary packet, the
switch will reset with a Software Forced Crash Exception.
Messages for either "watchdog timeout" or "CPU hog" for process
VLAN Manager will be seen prior to the software reset within the
syslog messages generated by the switch.
The packets must be received on a trunk enabled port.
Switches running CatOS are not affected by this vulnerability and
will display a log message "%VTP-2-RXINVSUMMARY:rx invalid
summary from [port number]" should a specially crafted summary
packet be received.
There are no workarounds for this vulnerability. Switches
configured with a VTP domain password are still affected by this
vulnerability. Cisco recommends that customer upgrade to a
version of Cisco IOS that contains the fixes for either
CSCsd52629 or CSCsd34759.
* Buffer Overflow in VTP VLAN name:
The VTP feature in certain versions of Cisco IOS software is
vulnerable to a buffer overflow condition and potential execution
of arbitrary code. If a VTP summary advertisement is received
with a Type-Length-Value (TLV) containing a VLAN name greater
than 100 characters, the receiving switch will reset with an
Unassigned Exception error. The packets must be received on a
trunk enabled port, with a matching domain name and a matching
VTP domain password (if configured).
Applying a VTP domain password to the VTP domain will prevent
spoofed VTP summary advertisement message from advertising an
incorrect VLAN name. See http://www.cisco.com/univercd/cc/td/doc/
product/lan/c3550/12119ea1/3550scg/swvtp.htm#1035247 for further
information on setting VTP domain passwords.
* Integer Wrap in VTP revision:
The VTP feature in certain versions of Cisco IOS software and
Cisco CatOS software will display statistic counters as a
negative number due to an integer wrap. Normal VTP operation will
occur if no changes are made within the VTP domain. With the
addition of switches or resetting of a VTP server configuration
revision, VTP updates potentially may not be processed by other
VTP servers/clients within the domain. Should any switches be
impacted by this vulnerability, customers should execute the
recovery procedures as listed below.
Once the VTP configuration revision exceeds 0x7FFFFFFF, the
output for the VTP configuration revision in "show vtp status"
(IOS) or "show vtp domain" (CatOS) will display as a negative
number. Operation of the switch is not affected, however further
changes to the VLAN database may not be properly propagated
throughout the VTP domain.
Example from Cisco IOS:
ios_switch#sh vtp stat
VTP Version : 2
Configuration Revision : -2147483648
Maximum VLANs supported locally : 1005
Number of existing VLANs : 17
VTP Operating Mode : Client
VTP Domain Name : psirt
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : <removed>
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:07
ios_switch#
Example from Cisco CatOS:
catos_switch# (enable) sh vtp domain
Version : running VTP1 (VTP3 capable)
Domain Name : psirt Password : not configured
Notifications: disabled Updater ID: 0.0.0.0
Feature Mode Revision
-------------- -------------- -----------
VLAN Server -2147483648
Pruning : disabled
VLANs prune eligible: 2-1000
Applying a VTP domain password to the VTP domain will prevent
spoofed VTP summary advertisement messages from advertising
0x7FFFFFFF as a configuration revision number. See http://
www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/
3550scg/swvtp.htm#1035247 for further information on setting VTP
domain passwords
To recover from the negative configuration revision due to
exploitation, the following methods can be performed to recover
the VTP domain operations:
* Change VTP domain names on all switches.
* Change all VTP servers/clients to transparent mode first. Then
change back to their original server/client mode.
For further information on VTP please refer to:
http://www.cisco.com/warp/public/473/21.html
For further information on Layer 2 security practices please refer
to:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/
networking_solutions_white_paper09186a008014870f.shtml#wp998892
Regards
Paul Oxman
PSIRT Incident Manager
Cisco Systems
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (SunOS)
iD8DBQFFCE4G8NUAbBmDaxQRAuIDAJ9t5ReIlSTSbag3CAIwZkaeX03BiQCdECvp
guqCOs3Ye94iIwOSl/m4Ou8=
=5viy
-----END PGP SIGNATURE-----