<<< Date Index >>>     <<< Thread Index >>>

Re: Cisco IOS VTP issues



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
This is a Cisco response to an advisory published by FX of Phenoelit
posted as of September 13, 2006 at: 
http://www.securityfocus.com/archive/1/445896/30/0/threaded
and entitled "Cisco Systems IOS VTP multiple vulnerabilities".

An official response is located at:
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

These vulnerabilities are addressed by Cisco bug IDs:

  * CSCsd52629/CSCsd34759 -- VTP version field DoS
   
  * CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
   
  * CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name
   
We would like to thank FX and Phenoelit Group for reporting these
vulnerabilities to us. We greatly appreciate the opportunity to work
with researchers on security vulnerabilities, and welcome the
opportunity to review and assist in security vulnerability reports
against Cisco products.

Additional Information
======================

VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that
maintains VLAN configuration consistency by managing the addition,
deletion, and renaming of VLANs on a network-wide basis. When you
configure a new VLAN on one VTP server, the VLAN configuration
information is distributed via the VTP protocol through all switches
in the domain. This reduces the need to configure the same VLAN
everywhere. VTP is a Cisco-proprietary protocol that is available on
most of the Cisco Catalyst series products in both Cisco IOS and
Cisco CatOS system software.

Products affected by these vulnerabilities:
+------------------------------------------

  * Switches running affected versions of Cisco IOS and have VTP
    Operating Mode as either "server" or "client" are affected by all
    three vulnerabilities.
  * Switches running affected versions of Cisco CatOS and have VTP
    Operating Mode as either "server" or "client" are only affected
    by "Integer Wrap in VTP revision" vulnerability.

Products not affected by these vulnerabilities:
+----------------------------------------------

  * Switches configured with VTP operating mode as "transparent".
  * Switches running CatOS with VTP Operating Mode as either "server"
    or "client" are not affected by "Buffer Overflow in VTP VLAN
    name" or "VTP Version field DoS" vulnerabilities

To determine the VTP mode on the switch, log into the device and
issue the "show vtp status" (IOS) or "show vtp domain" (CatOS) 
command.  Switches that show either "Server" or "Client" as the VTP
operating mode are affected by these vulnerabilities.

An example is shown below for Cisco IOS with VTP operating in
"Server" mode:
    
    ios_switch#sh vtp stat  
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 5
    VTP Operating Mode              : Server
    VTP Domain Name                 : test
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Enabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : <removed> 
    Configuration last modified by 0.0.0.0 at 3-1-93 04:02:09
    ios_switch#

An example is shown below for Cisco CatOS with VTP operating in
"Server" mode:
    
    catos_switch> (enable) sh vtp domain
    Version      : running VTP1 (VTP3 capable)
    Domain Name  : test              Password  : not configured
    Notifications: disabled          Updater ID: 0.0.0.0
    
    Feature        Mode           Revision
    -------------- -------------- -----------
    VLAN           Server         2          
    
    Pruning             : disabled
    VLANs prune eligible: 2-1000
    catos_switch> (enable) 
    

  * VTP Version field DoS:
   
    The VTP feature in certain versions of Cisco IOS software may be
    vulnerable to a crafted packet sent from the local network
    segment which may lead to a denial of service condition. When a
    switch receives a specially crafted VTP summary packet, the 
    switch will reset with a Software Forced Crash Exception. 
    Messages for either "watchdog timeout" or "CPU hog" for process
    VLAN Manager will be seen prior to the software reset within the
    syslog messages generated by the switch.
    The packets must be received on a trunk enabled port.
 
    Switches running CatOS are not affected by this vulnerability and
    will display a log message "%VTP-2-RXINVSUMMARY:rx invalid
    summary from [port number]" should a specially crafted summary
    packet be received.

    There are no workarounds for this vulnerability. Switches
    configured with a VTP domain password are still affected by this
    vulnerability. Cisco recommends that customer upgrade to a
    version of Cisco IOS that contains the fixes for either 
    CSCsd52629 or CSCsd34759.

  * Buffer Overflow in VTP VLAN name:
   
    The VTP feature in certain versions of Cisco IOS software is
    vulnerable to a buffer overflow condition and potential execution
    of arbitrary code. If a VTP summary advertisement is received
    with a Type-Length-Value (TLV) containing a VLAN name greater
    than 100 characters, the receiving switch will reset with an
    Unassigned Exception error. The packets must be received on a
    trunk enabled port, with a matching domain name and a matching
    VTP domain password (if configured).

    Applying a VTP domain password to the VTP domain will prevent
    spoofed VTP summary advertisement message from advertising an
    incorrect VLAN name. See http://www.cisco.com/univercd/cc/td/doc/
    product/lan/c3550/12119ea1/3550scg/swvtp.htm#1035247 for further
    information on setting VTP domain passwords.

  * Integer Wrap in VTP revision:
   
    The VTP feature in certain versions of Cisco IOS software and
    Cisco CatOS software will display statistic counters as a
    negative number due to an integer wrap. Normal VTP operation will
    occur if no changes are made within the VTP domain. With the 
    addition of switches or resetting of a VTP server configuration 
    revision, VTP updates potentially may not be processed by other
    VTP servers/clients within the domain. Should any switches be 
    impacted by this vulnerability, customers should execute the
    recovery procedures as listed below.
   
    Once the VTP configuration revision exceeds 0x7FFFFFFF, the
    output for the VTP configuration revision in "show vtp status"
    (IOS) or "show vtp domain" (CatOS) will display as a negative
    number. Operation of the switch is not affected, however further
    changes to the VLAN database may not be properly propagated
    throughout the VTP domain.
   
    Example from Cisco IOS:
   
        ios_switch#sh vtp stat
        VTP Version                     : 2
        Configuration Revision          : -2147483648
        Maximum VLANs supported locally : 1005
        Number of existing VLANs        : 17
        VTP Operating Mode              : Client
        VTP Domain Name                 : psirt
        VTP Pruning Mode                : Disabled
        VTP V2 Mode                     : Disabled
        VTP Traps Generation            : Disabled
        MD5 digest                      : <removed> 
        Configuration last modified by 0.0.0.0 at 3-1-93 00:10:07
        ios_switch#
   
    Example from Cisco CatOS:
   
        catos_switch# (enable) sh vtp domain
        Version      : running VTP1 (VTP3 capable)
        Domain Name  : psirt             Password  : not configured
        Notifications: disabled          Updater ID: 0.0.0.0
        
        Feature        Mode           Revision
        -------------- -------------- -----------
        VLAN           Server         -2147483648
        
        Pruning             : disabled
        VLANs prune eligible: 2-1000
   
    Applying a VTP domain password to the VTP domain will prevent
    spoofed VTP summary advertisement messages from advertising
    0x7FFFFFFF as a configuration revision number. See http://
    www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/
    3550scg/swvtp.htm#1035247 for further information on setting VTP
    domain passwords
   
    To recover from the negative configuration revision due to
    exploitation, the following methods can be performed to recover
    the VTP domain operations:
   
    * Change VTP domain names on all switches.
   
    * Change all VTP servers/clients to transparent mode first. Then
      change back to their original server/client mode.
   

For further information on VTP please refer to: 
http://www.cisco.com/warp/public/473/21.html

For further information on Layer 2 security practices please refer
to: 
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/
networking_solutions_white_paper09186a008014870f.shtml#wp998892

Regards
Paul Oxman
PSIRT Incident Manager
Cisco Systems 


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (SunOS)

iD8DBQFFCE4G8NUAbBmDaxQRAuIDAJ9t5ReIlSTSbag3CAIwZkaeX03BiQCdECvp
guqCOs3Ye94iIwOSl/m4Ou8=
=5viy
-----END PGP SIGNATURE-----